Re: [Mailman-Users] Mailman Security

2017-01-19 Thread Mark Sapiro 
On 01/19/2017 11:35 AM, Odhiambo Washington wrote:
> On 19 January 2017 at 21:22, Mark Sapiro  wrote:
>>
>> Look at some of the hits from searching at
>>  for
>> global_ban_list.
>>
> 
> 
> Seen that. Usable, but not everything, given that some addresses on my list
> are well-known free mail providers.


You don't want to block entire domains. You want to use regexps that are
tailored to the attacks you are seeing. This means you can't be
proactive in blocking attacks in advance, but if you run some kind of
Mailman log summary such as the mmdsr program distributed with Mailman
in the contrib/ directory, you'll see attacks within a day of when they
start and can react. Some patterns I have used that have been effective
against past attacks are:

  '^[a-z0-9.]{8,}\+[a-z0-9]{4,}@gmail\.com$',
  '^.*k\.*e\.*m\.*o\.*m\.*a\.*r\.*t.*@gmail\.com',
  '^.*s\.*u\.*n\.*i\.*b\.*e\.*e\.*s\.*t\.*a\.*r\.*s.*@gmail\.com',
  '^.*k\.*e\.*z\.*u\.*k\.*a\.*y\.*a.*@gmail\.com',

Also, there is a script at 
(mirrored at ) that is
described as:

Remove an address or all addresses matching a regexp from the
installation. I.e. for every list, if the address is a member, it is
removed. If there are any held posts or (un)subscription requests from
the address, they are removed too. Optionally, any subscription requests
from the address waiting user confirmation are also removed.

that can be used to remove the successful ones.

-- 
Mark Sapiro The highway is for gamblers,
San Francisco Bay Area, Californiabetter use your sense - B. Dylan
--
Mailman-Users mailing list Mailman-Users@python.org
https://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
https://mail.python.org/mailman/options/mailman-users/archive%40jab.org

Re: [Mailman-Users] Mailman Security

2017-01-19 Thread Odhiambo Washington 
On 19 January 2017 at 21:22, Mark Sapiro  wrote:

> On 01/19/2017 08:32 AM, Odhiambo Washington wrote:
> > On 19 January 2017 at 18:55, Brian Carpenter  wrote:
> >
>
> Odhiambo Washington wrote:
> >>>
> >>> Now this got me thinking: Once one has submitted a subscription request
> >> and
> >>> Mailman has dispatched the 'confirm' email, shouldn't mailman decline
> any
> >>> further subscription requests from the same address if they decide to
> >>> submit such, and as such shouldn't send any other confirm/verification
> >>> requests as long as there is one still pending??
>
>
> Perhaps there should be a limit, but not an outright refusal because the
> original confirmation email could have been lost.
>
> In any case, I'm not interested in implementing this.
>
>
>
> >> Subscription spam which is what I think you are experiencing has been
> dealt
> >> with to a certain degree by recent versions of mailman. The following
> two
> >> functions I believe would be of assistance are:
> >>
> >> SUBSCRIBE_FORM_SECRET
> >> GLOBAL_BAN_LIST
> >>
> ...
> > So is it enough to add
> >
> > SUBSCRIBE_FORM_SECRET = 'L1feSuX'
> >
> > to mm_cfg.py and restarting Mailman without doing any other thing??
>
>
> That is sufficient to enable that feature and it will help block robotic
> web subscribes, but there are bots now that are smart enough to mimic
> human behavior in first getting the listinfo page and then waiting
> before posting the subscribe form.
>
>
Thanks for the clarification. Now I'll just wait and see if the smart bots
are involved.



>
> > The GLOBAL_BAN_LIST is self-explanatory when I read it.
>
>
> There are various, widespread attacks of this nature, but none that I've
> seen with the addresses you're seeing. There are several threads on this
> in the archives of this list.
>
> Look at some of the hits from searching at
>  for
> global_ban_list.
>


Seen that. Usable, but not everything, given that some addresses on my list
are well-known free mail providers.


-- 
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft."
--
Mailman-Users mailing list Mailman-Users@python.org
https://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
https://mail.python.org/mailman/options/mailman-users/archive%40jab.org

Re: [Mailman-Users] Mailman Security

2017-01-19 Thread Mark Sapiro 
On 01/19/2017 08:32 AM, Odhiambo Washington wrote:
> On 19 January 2017 at 18:55, Brian Carpenter  wrote:
>

Odhiambo Washington wrote:
>>>
>>> Now this got me thinking: Once one has submitted a subscription request
>> and
>>> Mailman has dispatched the 'confirm' email, shouldn't mailman decline any
>>> further subscription requests from the same address if they decide to
>>> submit such, and as such shouldn't send any other confirm/verification
>>> requests as long as there is one still pending??


Perhaps there should be a limit, but not an outright refusal because the
original confirmation email could have been lost.

In any case, I'm not interested in implementing this.



>> Subscription spam which is what I think you are experiencing has been dealt
>> with to a certain degree by recent versions of mailman. The following two
>> functions I believe would be of assistance are:
>>
>> SUBSCRIBE_FORM_SECRET
>> GLOBAL_BAN_LIST
>>
...
> So is it enough to add
> 
> SUBSCRIBE_FORM_SECRET = 'L1feSuX'
> 
> to mm_cfg.py and restarting Mailman without doing any other thing??


That is sufficient to enable that feature and it will help block robotic
web subscribes, but there are bots now that are smart enough to mimic
human behavior in first getting the listinfo page and then waiting
before posting the subscribe form.


> The GLOBAL_BAN_LIST is self-explanatory when I read it.


There are various, widespread attacks of this nature, but none that I've
seen with the addresses you're seeing. There are several threads on this
in the archives of this list.

Look at some of the hits from searching at
 for
global_ban_list.

-- 
Mark Sapiro The highway is for gamblers,
San Francisco Bay Area, Californiabetter use your sense - B. Dylan
--
Mailman-Users mailing list Mailman-Users@python.org
https://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
https://mail.python.org/mailman/options/mailman-users/archive%40jab.org

Re: [Mailman-Users] Mailman Security

2017-01-19 Thread Odhiambo Washington 
On 19 January 2017 at 18:55, Brian Carpenter  wrote:

> > I have a situation which is a little confusing on a server where I run
> > Mailman. The subscription model is "confirm & approve"
> >
> > When I check the MTA's queue, I find hundreds of mail destined to certain
> > addresses, and one address could have 10 or more same mail destined to
> it.
> > I cleared the queue before checking the contents of these e-mails, but I
> > assume they were those 'confirm your subscription' ones to these
> addresses,
> > because I can see the addresses in in Mailman's subscribe logfile.
> >
> > Now this got me thinking: Once one has submitted a subscription request
> and
> > Mailman has dispatched the 'confirm' email, shouldn't mailman decline any
> > further subscription requests from the same address if they decide to
> > submit such, and as such shouldn't send any other confirm/verification
> > requests as long as there is one still pending??
> >
> > I am talking about a situation leading to a subscribe logfile like the
> one
> > at: http://bit.ly/2iFv5vi
> >
> > Might I be missing something in my list configuration???
>
> Subscription spam which is what I think you are experiencing has been dealt
> with to a certain degree by recent versions of mailman. The following two
> functions I believe would be of assistance are:
>
> SUBSCRIBE_FORM_SECRET
> GLOBAL_BAN_LIST
>
>

> There is some detail information about them in Defaults.py I believe.
>
> Brian Carpenter
> EMWD, Owner
>
> Providing Cloud Services and Mailman hosting for over 18 years.
>
>

Awesome.

So is it enough to add

SUBSCRIBE_FORM_SECRET = 'L1feSuX'

to mm_cfg.py and restarting Mailman without doing any other thing??


The GLOBAL_BAN_LIST is self-explanatory when I read it.


-- 
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft."
--
Mailman-Users mailing list Mailman-Users@python.org
https://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
https://mail.python.org/mailman/options/mailman-users/archive%40jab.org

Re: [Mailman-Users] Mailman Security

2017-01-19 Thread Brian Carpenter 
> I have a situation which is a little confusing on a server where I run
> Mailman. The subscription model is "confirm & approve"
> 
> When I check the MTA's queue, I find hundreds of mail destined to certain
> addresses, and one address could have 10 or more same mail destined to it.
> I cleared the queue before checking the contents of these e-mails, but I
> assume they were those 'confirm your subscription' ones to these
addresses,
> because I can see the addresses in in Mailman's subscribe logfile.
> 
> Now this got me thinking: Once one has submitted a subscription request
and
> Mailman has dispatched the 'confirm' email, shouldn't mailman decline any
> further subscription requests from the same address if they decide to
> submit such, and as such shouldn't send any other confirm/verification
> requests as long as there is one still pending??
> 
> I am talking about a situation leading to a subscribe logfile like the one
> at: http://bit.ly/2iFv5vi
> 
> Might I be missing something in my list configuration???

Subscription spam which is what I think you are experiencing has been dealt
with to a certain degree by recent versions of mailman. The following two
functions I believe would be of assistance are:

SUBSCRIBE_FORM_SECRET
GLOBAL_BAN_LIST

There is some detail information about them in Defaults.py I believe. 

Brian Carpenter
EMWD, Owner

Providing Cloud Services and Mailman hosting for over 18 years.

--
Mailman-Users mailing list Mailman-Users@python.org
https://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
https://mail.python.org/mailman/options/mailman-users/archive%40jab.org

[Mailman-Users] Mailman Security

2017-01-19 Thread Odhiambo Washington 
Okay, maybe the subject is inflammatory/misleading :-)

I have a situation which is a little confusing on a server where I run
Mailman. The subscription model is "confirm & approve"

When I check the MTA's queue, I find hundreds of mail destined to certain
addresses, and one address could have 10 or more same mail destined to it.
I cleared the queue before checking the contents of these e-mails, but I
assume they were those 'confirm your subscription' ones to these addresses,
because I can see the addresses in in Mailman's subscribe logfile.

Now this got me thinking: Once one has submitted a subscription request and
Mailman has dispatched the 'confirm' email, shouldn't mailman decline any
further subscription requests from the same address if they decide to
submit such, and as such shouldn't send any other confirm/verification
requests as long as there is one still pending??

I am talking about a situation leading to a subscribe logfile like the one
at: http://bit.ly/2iFv5vi

Might I be missing something in my list configuration???


-- 
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft."
--
Mailman-Users mailing list Mailman-Users@python.org
https://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
https://mail.python.org/mailman/options/mailman-users/archive%40jab.org

[Mailman-Users] Mailman security question

2013-05-06 Thread Lindsay Haisley 
Is there any support in any version of Mailman for total end to end
message security?  This would involve being able to send, say, a GPG (or
PGP) encrypted post to a list, using the list's public key, having the
list decrypt it, and then repost it to all subscribers, encrypted for
each using their respective public keys.

Granted that such a facility would be a system resources suck of an
order of magnitude greater than a simple, unencrypted list, however I
can see that it might well be useful in some cases.

It would also, in the current political climate, doubtless be deemed to
be something close to a national security threat, and even discussing
the idea might attract DHS attention.  I do recall that some years ago
that Phil Zimmerman, who invented PGP, was the subject of a criminal
investigation since the PGP algorithm was deemed by the US government to
be weapon subject to export controls.

-- 
Lindsay Haisley   | Behold! Our way lies through a
FMP Computer Services |dark wood whence in which
512-259-1190  |  weirdness may wallow!”
http://www.fmp.com|   --Beauregard

--
Mailman-Users mailing list Mailman-Users@python.org
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
http://mail.python.org/mailman/options/mailman-users/archive%40jab.org

Re: [Mailman-Users] Mailman security question

2013-05-06 Thread Dennis Putnam 
On 5/6/2013 4:54 PM, Lindsay Haisley wrote:
 Is there any support in any version of Mailman for total end to end
 message security?  This would involve being able to send, say, a GPG (or
 PGP) encrypted post to a list, using the list's public key, having the
 list decrypt it, and then repost it to all subscribers, encrypted for
 each using their respective public keys.

 Granted that such a facility would be a system resources suck of an
 order of magnitude greater than a simple, unencrypted list, however I
 can see that it might well be useful in some cases.

 It would also, in the current political climate, doubtless be deemed to
 be something close to a national security threat, and even discussing
 the idea might attract DHS attention.  I do recall that some years ago
 that Phil Zimmerman, who invented PGP, was the subject of a criminal
 investigation since the PGP algorithm was deemed by the US government to
 be weapon subject to export controls.

There is a patch that is supposed to do that. I have not tried it.

https://bugs.launchpad.net/mailman/+bug/558189



signature.asc
Description: OpenPGP digital signature
--
Mailman-Users mailing list Mailman-Users@python.org
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
http://mail.python.org/mailman/options/mailman-users/archive%40jab.org

[Mailman-Users] Mailman security question

2013-05-06 Thread Stephen J. Turnbull 
Lindsay Haisley writes:

  Is there any support in any version of Mailman for total end to end
  message security?

Not in a distributed version, although as mentioned in another post
there's a patch.  There's a GSoC proposal to implement some such thing
for Mailman 3, with a reasonable UI for handling user pubkey and such,
but I can't say at this point whether that project will be approved
(Google rules).

Also, total end to end security is a fantasy.  The attack surface in
the mail system is huge, even if the messages are encrypted in
transport.  Without specifying what the ends are (workstations? 
MTAs? users?) and whether traffic analysis or a court-authorized
wiretap at the Mailman site is considered a threat, I can't help you
on whether any given system might be considered secure or not.

  It would also, in the current political climate, doubtless be deemed to
  be something close to a national security threat,

AFAIK PGP-style encryption is no longer considered munitions.  As long
as the crypto stuff is done by third-party modules, Mailman has no
problem, I think.  (We can distribute a ROT13 implementation without
bothering even a member of the Bush family, let alone sophisticated
Dems like Al Gore, The Father of the Internet as We Know It :-)

Steve
--
Mailman-Users mailing list Mailman-Users@python.org
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
http://mail.python.org/mailman/options/mailman-users/archive%40jab.org

Re: [Mailman-Users] Mailman security question

2013-05-06 Thread Lindsay Haisley 
On Tue, 2013-05-07 at 10:40 +0900, Stephen J. Turnbull wrote:
 Lindsay Haisley writes:
 
   Is there any support in any version of Mailman for total end to end
   message security?
 
 Not in a distributed version, although as mentioned in another post
 there's a patch.  There's a GSoC proposal to implement some such thing
 for Mailman 3, with a reasonable UI for handling user pubkey and such,
 but I can't say at this point whether that project will be approved
 (Google rules).
 
 Also, total end to end security is a fantasy.  The attack surface in
 the mail system is huge, even if the messages are encrypted in
 transport.  Without specifying what the ends are (workstations? 
 MTAs? users?) and whether traffic analysis or a court-authorized
 wiretap at the Mailman site is considered a threat, I can't help you
 on whether any given system might be considered secure or not.

My thought is that total security would be MUA to MUA, with the
assumption that most MUAs can handle encryption using GnuPGP, Enigmail,
or some such.

Of course these days nothing is totally secure, since in a pinch, and
given a little time, a supercomputer can break even a 4096 bit, or
larger key.

This is, at this point, curiosity on my part rather than a need for this
capability.

   It would also, in the current political climate, doubtless be deemed to
   be something close to a national security threat,
 
 AFAIK PGP-style encryption is no longer considered munitions.  As long
 as the crypto stuff is done by third-party modules, Mailman has no
 problem, I think.  (We can distribute a ROT13 implementation without
 bothering even a member of the Bush family, let alone sophisticated
 Dems like Al Gore, The Father of the Internet as We Know It :-)

I suppose ROT13 would fall under just about everyone's radar ;)  I mean,
who would suspect 

-- 
Lindsay Haisley   | The difference between a duck is because
FMP Computer Services |one leg is both the same
512-259-1190  | - Anonymous
http://www.fmp.com|

--
Mailman-Users mailing list Mailman-Users@python.org
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
http://mail.python.org/mailman/options/mailman-users/archive%40jab.org

Re: [Mailman-Users] Mailman Security Patch Announcement

2011-02-18 Thread Mark Sapiro 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 2/13/2011 1:58 PM, Mark Sapiro wrote:
 An XXS vulnerability affecting Mailman 2.1.14 and prior versions has
 recently been discovered. A patch has been developed to address this
 issue. The patch is small, affects only one module and can be applied to
 a live installation without requiring a restart.
 
 In order to accommodate those who need some notice before applying such
 a patch, the patch will be posted on Friday, 18 February at about 16:00
 GMT to the same four lists to which this announcement is addressed.


The vulnerability has been assigned CVE-2011-0707.

The patch is attached as confirm_xss.patch.txt.

- -- 
Mark Sapiro m...@msapiro.netThe highway is for gamblers,
San Francisco Bay Area, Californiabetter use your sense - B. Dylan

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.7 (MingW32)

iD8DBQFNXpf1VVuXXpU7hpMRAs1nAJ97r3VEu5b5jl4JhdNv3r6x+ElqjQCghU+w
Gp0hqWatECAYyAIL7IH9dGk=
=8U6M
-END PGP SIGNATURE-
=== modified file 'Mailman/Cgi/confirm.py'
--- Mailman/Cgi/confirm.py  2010-03-29 20:48:11 +
+++ Mailman/Cgi/confirm.py  2011-02-12 02:24:47 +
@@ -471,7 +471,7 @@
 if fullname is None:
 fullname = _('emNot available/em')
 else:
-fullname = Utils.uncanonstr(fullname, lang)
+fullname = Utils.websafe(Utils.uncanonstr(fullname, lang))
 table.AddRow([_(Your confirmation is required in order to complete the
 unsubscription request from the mailing list em%(listname)s/em.  You
 are currently subscribed with
@@ -573,7 +573,7 @@
 if fullname is None:
 fullname = _('emNot available/em')
 else:
-fullname = Utils.uncanonstr(fullname, lang)
+fullname = Utils.websafe(Utils.uncanonstr(fullname, lang))
 if globally:
 globallys = _('globally')
 else:
@@ -814,7 +814,7 @@
 if username is None:
 username = _('emnot available/em')
 else:
-username = Utils.uncanonstr(username, lang)
+username = Utils.websafe(Utils.uncanonstr(username, lang))
 
 table.AddRow([_(Your membership in the %(realname)s mailing list is
 currently disabled due to excessive bounces.  Your confirmation is

--
Mailman-Users mailing list Mailman-Users@python.org
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
http://mail.python.org/mailman/options/mailman-users/archive%40jab.org

Re: [Mailman-Users] Mailman Security Patch Announcement

2011-02-18 Thread Mark Sapiro 
On 2/18/2011 8:01 AM, Mark Sapiro wrote:
 
 The patch is attached as confirm_xss.patch.txt.
 

This list's content filtering stripped the patch's signature part. For
those who would want to verify the signature, I am resending the patch
here as a PGP MIME format message which should pass content filtering.

-- 
Mark Sapiro m...@msapiro.netThe highway is for gamblers,
San Francisco Bay Area, Californiabetter use your sense - B. Dylan

=== modified file 'Mailman/Cgi/confirm.py'
--- Mailman/Cgi/confirm.py  2010-03-29 20:48:11 +
+++ Mailman/Cgi/confirm.py  2011-02-12 02:24:47 +
@@ -471,7 +471,7 @@
 if fullname is None:
 fullname = _('emNot available/em')
 else:
-fullname = Utils.uncanonstr(fullname, lang)
+fullname = Utils.websafe(Utils.uncanonstr(fullname, lang))
 table.AddRow([_(Your confirmation is required in order to complete the
 unsubscription request from the mailing list em%(listname)s/em.  You
 are currently subscribed with
@@ -573,7 +573,7 @@
 if fullname is None:
 fullname = _('emNot available/em')
 else:
-fullname = Utils.uncanonstr(fullname, lang)
+fullname = Utils.websafe(Utils.uncanonstr(fullname, lang))
 if globally:
 globallys = _('globally')
 else:
@@ -814,7 +814,7 @@
 if username is None:
 username = _('emnot available/em')
 else:
-username = Utils.uncanonstr(username, lang)
+username = Utils.websafe(Utils.uncanonstr(username, lang))
 
 table.AddRow([_(Your membership in the %(realname)s mailing list is
 currently disabled due to excessive bounces.  Your confirmation is



signature.asc
Description: OpenPGP digital signature
--
Mailman-Users mailing list Mailman-Users@python.org
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
http://mail.python.org/mailman/options/mailman-users/archive%40jab.org

[Mailman-Users] Mailman Security Patch Announcement

2011-02-13 Thread Mark Sapiro 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

An XXS vulnerability affecting Mailman 2.1.14 and prior versions has
recently been discovered. A patch has been developed to address this
issue. The patch is small, affects only one module and can be applied to
a live installation without requiring a restart.

In order to accommodate those who need some notice before applying such
a patch, the patch will be posted on Friday, 18 February at about 16:00
GMT to the same four lists to which this announcement is addressed.

- -- 
Mark Sapiro m...@msapiro.netThe highway is for gamblers,
San Francisco Bay Area, Californiabetter use your sense - B. Dylan

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.7 (MingW32)

iD8DBQFNWFQIVVuXXpU7hpMRAixMAJ9CvXBKvSkkF6JAj9qfnPVOQBOz9QCg/ASx
RKTuYnogMT0S96GqSclcXyY=
=l9sU
-END PGP SIGNATURE-
--
Mailman-Users mailing list Mailman-Users@python.org
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
http://mail.python.org/mailman/options/mailman-users/archive%40jab.org

[Mailman-Users] Mailman security patch.

2010-09-04 Thread Mark Sapiro 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

I plan to release a Mailman 2.1.14 candidate release towards the end of
next week (Sept 9 or 10). This release will have enhanced XSS defenses
addressing two recently discovered vulnerabilities. Since release of the
code will potentially expose the vulnerabilities, I plan to publish a
patch against the 2.1.13 base with the fix before actually releasing the
2.1.14 candidate.

I will post the patch to the same 4 lists that this post is being sent
to in the early afternoon, GMT, on September 9.

The vulnerabilities are obscure and can only be exploited by a list
owner, but if you are concerned about them you can plan to install the
patch.

The patch is small (34 line diff), only affects two modules and doesn't
require a Mailman restart to be effective, although I would recommend a
restart as soon as convenient after applying the patch.

- -- 
Mark Sapiro m...@msapiro.netThe highway is for gamblers,
San Francisco Bay Area, Californiabetter use your sense - B. Dylan

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.7 (MingW32)

iD8DBQFMgutpVVuXXpU7hpMRAsX1AJ48C0RxSpV7r9lg3J0V7OTs44ISqgCgn1wX
LZ5RkuGLo0r04eDNYOBDYpo=
=gscN
-END PGP SIGNATURE-
--
Mailman-Users mailing list Mailman-Users@python.org
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
http://mail.python.org/mailman/options/mailman-users/archive%40jab.org

[Mailman-Users] Mailman Security privacy needed examples are given below

2008-07-12 Thread jithender reddy 
Hello Mailman community 

We are using the Mailman in our office, for our internal purpose only. Which is 
meant for privacy to the office also.

where
as one day i find that same as ours i.e mailman archieve it is showing
entire mails to the outside people. If they are downloading all the
archieves and seeing them will break our privacy this came to my
existance after 2 years of time. I dont know how may are doing this.
And we are very much afraid of this.

for example same iam showing the link here

http://mail.python.org/pipermail/mailman-developers/

http://mail.python.org/mailman/listinfo

By
seeing the above link what i understood is All the groups and members
are known to others, then how i can achieve the privacy using this
mailman. This is usefull for open community by seeing the mails
interchanging the knowledge. For offices like us can we achieve the
privacy. Even the attachments in the mails are also visible to others
and sometimes the mails are consisting the Passwords also.

So if any one know the solution for this let me know so that we can get full 
benifit of this.

with regards
linuxswan




  
--
Mailman-Users mailing list
Mailman-Users@python.org
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
http://mail.python.org/mailman/options/mailman-users/archive%40jab.org

Security Policy: http://wiki.list.org/x/QIA9

Re: [Mailman-Users] Mailman Security privacy needed examples aregiven below

2008-07-12 Thread Mark Sapiro 
jithender reddy wrote:

where
as one day i find that same as ours i.e mailman archieve it is showing
entire mails to the outside people. If they are downloading all the
archieves and seeing them will break our privacy this came to my
existance after 2 years of time. I dont know how may are doing this.
And we are very much afraid of this.

for example same iam showing the link here

http://mail.python.org/pipermail/mailman-developers/

http://mail.python.org/mailman/listinfo



If you set archive_private to private on the lists Archiving
Options page in the admin web interface, the archive will only be
available to list members who log in with their list pasword. The
archive links will be of the form
http://mail.python.org/mailman/private/mailman-developers/, and the
'pipermail' links won't work.


-- 
Mark Sapiro [EMAIL PROTECTED]The highway is for gamblers,
San Francisco Bay Area, Californiabetter use your sense - B. Dylan

--
Mailman-Users mailing list
Mailman-Users@python.org
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
http://mail.python.org/mailman/options/mailman-users/archive%40jab.org

Security Policy: http://wiki.list.org/x/QIA9

Re: [Mailman-Users] Mailman Security privacy needed examples aregiven below

2008-07-12 Thread Steven Stern 

Mark Sapiro wrote:

jithender reddy wrote:
  

where
as one day i find that same as ours i.e mailman archieve it is showing
entire mails to the outside people. If they are downloading all the
archieves and seeing them will break our privacy this came to my
existance after 2 years of time. I dont know how may are doing this.
And we are very much afraid of this.

for example same iam showing the link here

http://mail.python.org/pipermail/mailman-developers/

http://mail.python.org/mailman/listinfo





If you set archive_private to private on the lists Archiving
Options page in the admin web interface, the archive will only be
available to list members who log in with their list pasword. The
archive links will be of the form
http://mail.python.org/mailman/private/mailman-developers/, and the
'pipermail' links won't work.
  


It might also be a very good idea to set up an IP address restriction 
for the pipermail directory tree in httpd.conf to restrict access to 
your internal network.

--
Mailman-Users mailing list
Mailman-Users@python.org
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
http://mail.python.org/mailman/options/mailman-users/archive%40jab.org

Security Policy: http://wiki.list.org/x/QIA9

Re: [Mailman-Users] Mailman Security.

2003-02-06 Thread Keith Mastin 
Hi All, 

I was just wondering what kind of security mailman offers, as far as
protecting user passwords goes?

A techy friend of mine has just kindly emailed me a list of all users
and their passwords! Looking at my server logs it would appear that he
snuck in somehow via anonymous ftp.

Would closing the anon. ftp service stop mailman working in anyway, or
dya reckon he got in some place else?

Cheers

Dino

You have some big problems if this is what happened. Your entire system is 
insecure and ready to be (pl)ucked by anyone who has a little know-how. 
Anonymous ftp should chroot to a specific directory, and if a user can 
logon to anon-ftp and get more info then it is completely set up wrong.

Closing anon-ftp is a must-do first step. Really, you should do a full 
system audit, or preferably format and re-install with all clean user info 
(user/passwd pairs), updated *_everything_* and all programs tightened 
down to paranoid levels. Take it as a lesson in security, and don't let it 
happen again is about the best you can get out of this.

The real concern here is the passwords. They are supposed to be encrypted, 
human-unreadable except by the passwd program OR a *_sniffer_program_*. If 
you're friend was able to get them, so is just about any script-kiddie 
able to.


--
Mailman-Users mailing list
[EMAIL PROTECTED]
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/

This message was sent to: archive@jab.org
Unsubscribe or change your options at
http://mail.python.org/mailman/options/mailman-users/archive%40jab.org

Re: [Mailman-Users] Mailman Security.

2003-02-06 Thread Keith Mastin 
On Wed, 5 Feb 2003 13:47:48 +
Adam [EMAIL PROTECTED] wrote:

 On Wed, 5 Feb 2003 11:44:10 -
 dino [EMAIL PROTECTED] wrote:
 
  Actually he did it this way:
  
  Noticed that mydomain/mailman was browsable.
  
  Telneted to port 80 and sent a get request from there...ouch.
  
  Sorting that now
  
  Dino
 
 
The fact that telnet is open pretty much says everything about  this
sysadmin's approach to security. 
 
IIRC, he didn't say telnetd was open, just that a friend telnetted into 
the mailman directory via port 80(httpd) and got more than he bargained 
for.

OP: rpm -e telnetd


--
Mailman-Users mailing list
[EMAIL PROTECTED]
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/

This message was sent to: archive@jab.org
Unsubscribe or change your options at
http://mail.python.org/mailman/options/mailman-users/archive%40jab.org

[Mailman-Users] Mailman Security.

2003-02-05 Thread dino 
Hi All, 

I was just wondering what kind of security mailman offers, as far as
protecting user passwords goes?

A techy friend of mine has just kindly emailed me a list of all users
and their passwords! Looking at my server logs it would appear that he
snuck in somehow via anonymous ftp.

Would closing the anon. ftp service stop mailman working in anyway, or
dya reckon he got in some place else?

Cheers

Dino


--
Mailman-Users mailing list
[EMAIL PROTECTED]
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/

This message was sent to: archive@jab.org
Unsubscribe or change your options at
http://mail.python.org/mailman/options/mailman-users/archive%40jab.org

Re: [Mailman-Users] Mailman Security.

2003-02-05 Thread John Buttery 
* dino [EMAIL PROTECTED] [2003-02-05 10:32:16 -]:
 I was just wondering what kind of security mailman offers, as far as
 protecting user passwords goes?

  Pretty much none.  It emails them cleartext once a month, for
starters.  The list signup page explicitly instructs subscribers not to
use important passwords (even in bold!).  The intent of the password
system in Mailman (this is my interpretation, not backed up with any
actual information) is to protect against malicious [un]subscriptions of
others by casual idiots on the Net, not against determined attackers.

 A techy friend of mine has just kindly emailed me a list of all users
 and their passwords! Looking at my server logs it would appear that he
 snuck in somehow via anonymous ftp.

  Then you have an incorrectly installed/configured/patched ftp server
problem, not a mailman problem.  :)

 Would closing the anon. ftp service stop mailman working in anyway, or
 dya reckon he got in some place else?

  I don't see why stopping an ftpd would affect mailman... 

-- 

 John Buttery
 (Web page temporarily unavailable)


--
Mailman-Users mailing list
[EMAIL PROTECTED]
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/

This message was sent to: archive@jab.org
Unsubscribe or change your options at
http://mail.python.org/mailman/options/mailman-users/archive%40jab.org

RE: [Mailman-Users] Mailman Security.

2003-02-05 Thread Barry A. Warsaw 

 d == dino  [EMAIL PROTECTED] writes:

d Actually he did it this way:

d Noticed that mydomain/mailman was browsable.

d Telneted to port 80 and sent a get request from there...ouch.

d Sorting that now

More details, please.  E.g. exactly what url did he get?

-Barry

--
Mailman-Users mailing list
[EMAIL PROTECTED]
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/

This message was sent to: archive@jab.org
Unsubscribe or change your options at
http://mail.python.org/mailman/options/mailman-users/archive%40jab.org

Re: [Mailman-Users] Mailman Security.

2003-02-05 Thread Barry A. Warsaw 

 d == dino  [EMAIL PROTECTED] writes:

d I was just wondering what kind of security mailman offers, as
d far as protecting user passwords goes?

User passwords are considered a lower value asset, so while it should
not be possible for unauthorized users or list admins to get them,
they can still be transmitted in the clear (either via the monthly
reminders -- which can be turned off, or by unprotected http login).

To support the monthly reminders, user passwords are kept in the
database in cleartext.  Anyone with shell access and permissions to
the Mailman installation can get them.

d A techy friend of mine has just kindly emailed me a list of all
d users and their passwords! Looking at my server logs it would
d appear that he snuck in somehow via anonymous ftp.

This must have been a local system vulnerability.  Mailman doesn't use
ftp, anonymous or otherwise.

d Would closing the anon. ftp service stop mailman working in
d anyway, or dya reckon he got in some place else?

On your system, sure, if that's how he got in.  But this isn't an
attack inherent to Mailman, AFAIK.

-Barry

--
Mailman-Users mailing list
[EMAIL PROTECTED]
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/

This message was sent to: archive@jab.org
Unsubscribe or change your options at
http://mail.python.org/mailman/options/mailman-users/archive%40jab.org

RE: [Mailman-Users] Mailman Security.

2003-02-05 Thread dino 
Well I rent a virtual server and now use SSH. But have been told that I
can't turn telnet off...sounds like rubbish to me but hey.

But I do have 99.9% shell access, so there should be a way, I am looking
into it now.

Dino

-Original Message-
From: Adam [mailto:[EMAIL PROTECTED]] 
Sent: 05 February 2003 13:48
To: [EMAIL PROTECTED]
Subject: Re: [Mailman-Users] Mailman Security.


On Wed, 5 Feb 2003 11:44:10 -
dino [EMAIL PROTECTED] wrote:

 Actually he did it this way:
 
 Noticed that mydomain/mailman was browsable.
 
 Telneted to port 80 and sent a get request from there...ouch.
 
 Sorting that now
 
 Dino


The fact that telnet is open pretty much says everything about  this
sysadmin's approach to security. 

-- 
Public Key available from www.monkeez.co.uk/public_key.asc


--
Mailman-Users mailing list
[EMAIL PROTECTED]
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/

This message was sent to: archive@jab.org
Unsubscribe or change your options at
http://mail.python.org/mailman/options/mailman-users/archive%40jab.org

Re: [Mailman-Users] Mailman Security.

2003-02-05 Thread Barry A. Warsaw 

 A == Adam  [EMAIL PROTECTED] writes:

A The fact that telnet is open pretty much says everything about
A this sysadmin's approach to security.
 
Actually, using the telnet /client/ to connect to port 80 is a pretty
natural thing to do.  It should connect to the web server running on
port 80. (I don't know where ftp comes into the picture.)

-Barry

--
Mailman-Users mailing list
[EMAIL PROTECTED]
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/

This message was sent to: archive@jab.org
Unsubscribe or change your options at
http://mail.python.org/mailman/options/mailman-users/archive%40jab.org

RE: [Mailman-Users] Mailman Security.

2003-02-05 Thread Jim Popovitch 
 -Original Message-
 From: dino
 Sent: Wednesday, February 05, 2003 6:44 AM
 
 Actually he did it this way:
 
 Noticed that mydomain/mailman was browsable.
 
 Telneted to port 80 and sent a get request from there...ouch.

Your web browser telnets to port 80 all day long.  :)

-Jim P.





--
Mailman-Users mailing list
[EMAIL PROTECTED]
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/

This message was sent to: archive@jab.org
Unsubscribe or change your options at
http://mail.python.org/mailman/options/mailman-users/archive%40jab.org

RE: [Mailman-Users] Mailman Security.

2003-02-05 Thread Richard Barrett 
At 11:44 05/02/2003, dino wrote:

Actually he did it this way:

Noticed that mydomain/mailman was browsable.


What additions did you make to your server's httpd.conf to support running 
mailman

Telneted to port 80 and sent a get request from there...ouch.


In effect like every other request to your server.


Sorting that now


Re the telnet thing, there is nothing to sort as regards using a telnet 
client to connect to a HTTP server.

But, if you are saying you run a telnet server exposed to the internet on 
you server, you really should consider switching to running SSH and cease 
and desist the telnet server.

This problem is likely to be due to poor setup of your httpd.conf.

Dino

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of
John Buttery
Sent: 05 February 2003 11:27
To: 'Mailman users Mailing list'
Subject: Re: [Mailman-Users] Mailman Security.


* dino [EMAIL PROTECTED] [2003-02-05 10:32:16 -]:
 I was just wondering what kind of security mailman offers, as far as
 protecting user passwords goes?

  Pretty much none.  It emails them cleartext once a month, for
starters.  The list signup page explicitly instructs subscribers not to
use important passwords (even in bold!).  The intent of the password
system in Mailman (this is my interpretation, not backed up with any
actual information) is to protect against malicious [un]subscriptions of
others by casual idiots on the Net, not against determined attackers.
 A techy friend of mine has just kindly emailed me a list of all users
 and their passwords! Looking at my server logs it would appear that he

 snuck in somehow via anonymous ftp.


If your httpd server and httpd.conf setup is sound then it should not be 
possible to access the files storing MM's user passwords via the HTTP server.

If you've got a insecure ftp setup on your server then anything is possible 
and God or the devil will surely punish you.

  Then you have an incorrectly installed/configured/patched ftp server
problem, not a mailman problem.  :)

 Would closing the anon. ftp service stop mailman working in anyway, or

 dya reckon he got in some place else?

  I don't see why stopping an ftpd would affect mailman...

--

 John Buttery
 (Web page temporarily unavailable)




--
Mailman-Users mailing list
[EMAIL PROTECTED]
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/

This message was sent to: archive@jab.org
Unsubscribe or change your options at
http://mail.python.org/mailman/options/mailman-users/archive%40jab.org

RE: [Mailman-Users] Mailman Security.

2003-02-05 Thread Jim Popovitch 
 -Original Message-
 From: Adam
 Sent: Wednesday, February 05, 2003 8:49 AM

 The fact that telnet is open pretty much says everything about
 this sysadmin's approach to security.

The fact that you confused telnet host 80 with telnet host says
volumes about your sysadmin skills.  :)

People, you can use telnet to connect to any port and view the raw
connection data on that port.  See this URL for how to send email via
telnet:
  http://www.exzilla.net/docs/smtp/telnet_smtp.php


-Jim P.






--
Mailman-Users mailing list
[EMAIL PROTECTED]
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/

This message was sent to: archive@jab.org
Unsubscribe or change your options at
http://mail.python.org/mailman/options/mailman-users/archive%40jab.org

Re: [Mailman-Users] Mailman Security.

2003-02-05 Thread Simone Piunno 
mercoledì, 05 febbraio 2003 alle 09:51:02, Jim Popovitch ha scritto:

 People, you can use telnet to connect to any port and view the raw
 connection data on that port.  See this URL for how to send email via

actually, telnet does NOT show you the RAW connection data (it does 
terminal emulation, intercepting control sequences).  For real raw 
data you should use netcat:

http://freshmeat.net/projects/netcat/

or, even better, nc6:

http://freshmeat.net/projects/nc6/

Regards,
Simone Piunno

-- 
This signature intentionally left blank


--
Mailman-Users mailing list
[EMAIL PROTECTED]
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/

This message was sent to: archive@jab.org
Unsubscribe or change your options at
http://mail.python.org/mailman/options/mailman-users/archive%40jab.org

RE: [Mailman-Users] Mailman Security.

2003-02-05 Thread Jim Popovitch 
 -Original Message-
 From: Simone Piunno
 Sent: Wednesday, February 05, 2003 11:25 AM

 actually, telnet does NOT show you the RAW connection data (it does
 terminal emulation, intercepting control sequences).  For real raw
 data you should use netcat:


Excellent point Simone.  I should have used the term raw port data.  The
connection data is a whole different thing.  Thanks for pointing that out.

-Jim P.






--
Mailman-Users mailing list
[EMAIL PROTECTED]
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/

This message was sent to: archive@jab.org
Unsubscribe or change your options at
http://mail.python.org/mailman/options/mailman-users/archive%40jab.org

RE: [Mailman-Users] Mailman Security.

2003-02-05 Thread lhansfor 
 Actually he did it this way:

 Noticed that mydomain/mailman was browsable.

 Telneted to port 80 and sent a get request from there...ouch.

I do not have Telnet loaded on any of my systems, and I use tcp_wrappers
to tightly control which remote sites can access any sites via ftp or
secure_shell.

Every day the logwatch report show many, many sites that attempted to
access the various systems, but were rejected by tcp_wrapper.  I don't
leave any system open with the default configuration and module loads.


 Sorting that now

 Dino

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED]] On Behalf Of
 John Buttery
 Sent: 05 February 2003 11:27
 To: 'Mailman users Mailing list'
 Subject: Re: [Mailman-Users] Mailman Security.


 * dino [EMAIL PROTECTED] [2003-02-05 10:32:16 -]:
 I was just wondering what kind of security mailman offers, as far as
 protecting user passwords goes?

   Pretty much none.  It emails them cleartext once a month, for
 starters.  The list signup page explicitly instructs subscribers not to
 use important passwords (even in bold!).  The intent of the password
 system in Mailman (this is my interpretation, not backed up with any
 actual information) is to protect against malicious [un]subscriptions of
 others by casual idiots on the Net, not against determined attackers.

 A techy friend of mine has just kindly emailed me a list of all users
 and their passwords! Looking at my server logs it would appear that he

 snuck in somehow via anonymous ftp.

   Then you have an incorrectly installed/configured/patched ftp server
 problem, not a mailman problem.  :)

 Would closing the anon. ftp service stop mailman working in anyway, or

 dya reckon he got in some place else?

   I don't see why stopping an ftpd would affect mailman...

 --
 
  John Buttery
  (Web page temporarily unavailable)
 

 --
 Mailman-Users mailing list
 [EMAIL PROTECTED]
 http://mail.python.org/mailman/listinfo/mailman-users
 Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py
 Searchable Archives:
 http://www.mail-archive.com/mailman-users%40python.org/

 This message was sent to: [EMAIL PROTECTED]
 Unsubscribe or change your options at
 http://mail.python.org/mailman/options/mailman-users/dinouk%40orange.net


 --
 Mailman-Users mailing list
 [EMAIL PROTECTED]
 http://mail.python.org/mailman/listinfo/mailman-users
 Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py
 Searchable Archives:
 http://www.mail-archive.com/mailman-users%40python.org/

 This message was sent to: [EMAIL PROTECTED]
 Unsubscribe or change your options at
 http://mail.python.org/mailman/options/mailman-users/lhansfor%40lch-assoc.com




--
Mailman-Users mailing list
[EMAIL PROTECTED]
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/

This message was sent to: archive@jab.org
Unsubscribe or change your options at
http://mail.python.org/mailman/options/mailman-users/archive%40jab.org