Re: [Mailman-Users] Mailman Security

2017-01-19 Thread Mark Sapiro
On 01/19/2017 11:35 AM, Odhiambo Washington wrote:
> On 19 January 2017 at 21:22, Mark Sapiro  wrote:
>>
>> Look at some of the hits from searching at
>>  for
>> global_ban_list.
>>
> 
> 
> Seen that. Usable, but not everything, given that some addresses on my list
> are well-known free mail providers.


You don't want to block entire domains. You want to use regexps that are
tailored to the attacks you are seeing. This means you can't be
proactive in blocking attacks in advance, but if you run some kind of
Mailman log summary such as the mmdsr program distributed with Mailman
in the contrib/ directory, you'll see attacks within a day of when they
start and can react. Some patterns I have used that have been effective
against past attacks are:

  '^[a-z0-9.]{8,}\+[a-z0-9]{4,}@gmail\.com$',
  '^.*k\.*e\.*m\.*o\.*m\.*a\.*r\.*t.*@gmail\.com',
  '^.*s\.*u\.*n\.*i\.*b\.*e\.*e\.*s\.*t\.*a\.*r\.*s.*@gmail\.com',
  '^.*k\.*e\.*z\.*u\.*k\.*a\.*y\.*a.*@gmail\.com',

Also, there is a script at 
(mirrored at ) that is
described as:

Remove an address or all addresses matching a regexp from the
installation. I.e. for every list, if the address is a member, it is
removed. If there are any held posts or (un)subscription requests from
the address, they are removed too. Optionally, any subscription requests
from the address waiting user confirmation are also removed.

that can be used to remove the successful ones.

-- 
Mark Sapiro                               The highway is for gamblers,
San Francisco Bay Area, California        better use your sense - B. Dylan
--
Mailman-Users mailing list Mailman-Users@python.org
https://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
https://mail.python.org/mailman/options/mailman-users/archive%40jab.org
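The advice above is to read a daily summary of the subscribe log, spot an address that is hammering the confirmation path, and then write a ban pattern narrow enough to catch that campaign without blocking the whole provider. The following is an added example that is not Mailman's code, not mmdsr and not anything from the message: a small summariser over constructed log lines whose layout is modelled on the `pending <address> <ip>` entries in `logs/subscribe` (an assumption about that format), plus a checker that applies two of the patterns quoted above the way a `^`-anchored `GLOBAL_BAN_LIST` entry is assumed to be applied (anchored, case-insensitive).

```python
"""Summarise a Mailman 2.1 subscribe log and test GLOBAL_BAN_LIST patterns.

Added example, not code from Mailman or from the thread.  The log lines are
constructed; their layout is an assumption modelled on the
'pending <address> <ip>' entries Mailman writes when a web subscription is
awaiting confirmation.
"""
import re
from collections import Counter

# Constructed sample: one legitimate request, one address hitting three
# lists within seconds, one dotted-Gmail variant, one completed subscription.
SAMPLE_LOG = """\
Jan 19 10:15:01 2017 (4021) mylist: pending alice@example.org 192.0.2.10
Jan 19 10:15:07 2017 (4021) mylist: pending bob.smith+k3j9@gmail.com 198.51.100.7
Jan 19 10:15:09 2017 (4021) mylist: pending bob.smith+k3j9@gmail.com 198.51.100.7
Jan 19 10:15:12 2017 (4021) otherlist: pending bob.smith+k3j9@gmail.com 198.51.100.7
Jan 19 10:16:40 2017 (4021) mylist: pending ke.mo.mart99@gmail.com 198.51.100.9
Jan 19 11:02:13 2017 (4022) mylist: new carol@example.net, via web confirmation
"""

# Two of the patterns quoted in the message; the others have the same shape.
# Gmail ignores dots in the local part, so the '\.*' between the letters of
# the second pattern catches every dotted spelling of one mailbox.
BAN_PATTERNS = [
    r'^[a-z0-9.]{8,}\+[a-z0-9]{4,}@gmail\.com$',
    r'^.*k\.*e\.*m\.*o\.*m\.*a\.*r\.*t.*@gmail\.com',
]

LOG_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d \d{4}) \((?P<pid>\d+)\) '
    r'(?P<list>\S+): (?P<action>\w+) (?P<addr>[^\s,]+),?\s*(?P<rest>.*)$'
)


def parse_subscribe_log(text):
    """Return one dict per recognised line; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            d = m.groupdict()
            d['addr'] = d['addr'].lower()
            entries.append(d)
    return entries


def pending_counts(entries):
    """Number of 'pending' confirmations per address, across all lists."""
    return Counter(e['addr'] for e in entries if e['action'] == 'pending')


def suspicious_addresses(entries, threshold=2):
    """Addresses with more than `threshold` pending confirmations, worst first."""
    return [a for a, n in pending_counts(entries).most_common() if n > threshold]


def matches_ban_list(addr, patterns=BAN_PATTERNS):
    """Anchored, case-insensitive match; assumed to mirror how a '^' ban entry
    is applied.  Whole-domain blocks would be a bare domain here, which is
    exactly what the message advises against."""
    return any(re.match(p, addr, re.IGNORECASE) for p in patterns)


def summarise(text, threshold=2):
    """For each suspicious address: how many pendings, and would the ban list
    have stopped it.  An address that is suspicious but not banned is the cue
    to write a new tailored pattern."""
    entries = parse_subscribe_log(text)
    counts = pending_counts(entries)
    return {addr: {'pending': counts[addr], 'banned': matches_ban_list(addr)}
            for addr in suspicious_addresses(entries, threshold)}


if __name__ == '__main__':
    for addr, info in summarise(SAMPLE_LOG).items():
        print(addr, info)
```

Run it daily over the real log (with the regex adjusted if your Mailman version writes a different layout) and the `banned: False` rows are the addresses that still need a pattern; the `banned: True` rows confirm an existing pattern is doing its job and need no domain-wide block.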


Re: [Mailman-Users] Mailman Security

2017-01-19 Thread Odhiambo Washington
On 19 January 2017 at 21:22, Mark Sapiro  wrote:

> On 01/19/2017 08:32 AM, Odhiambo Washington wrote:
> > On 19 January 2017 at 18:55, Brian Carpenter  wrote:
> >
>
> Odhiambo Washington wrote:
> >>>
> >>> Now this got me thinking: Once one has submitted a subscription request
> >>> and Mailman has dispatched the 'confirm' email, shouldn't mailman decline
> >>> any further subscription requests from the same address if they decide to
> >>> submit such, and as such shouldn't send any other confirm/verification
> >>> requests as long as there is one still pending??
>
>
> Perhaps there should be a limit, but not an outright refusal because the
> original confirmation email could have been lost.
>
> In any case, I'm not interested in implementing this.
>
>
>
> >> Subscription spam which is what I think you are experiencing has been
> >> dealt with to a certain degree by recent versions of mailman. The
> >> following two functions I believe would be of assistance are:
> >>
> >> SUBSCRIBE_FORM_SECRET
> >> GLOBAL_BAN_LIST
> >>
> ...
> > So is it enough to add
> >
> > SUBSCRIBE_FORM_SECRET = 'L1feSuX'
> >
> > to mm_cfg.py and restarting Mailman without doing any other thing??
>
>
> That is sufficient to enable that feature and it will help block robotic
> web subscribes, but there are bots now that are smart enough to mimic
> human behavior in first getting the listinfo page and then waiting
> before posting the subscribe form.
>
>
Thanks for the clarification. Now I'll just wait and see if the smart bots
are involved.



>
> > The GLOBAL_BAN_LIST is self-explanatory when I read it.
>
>
> There are various, widespread attacks of this nature, but none that I've
> seen with the addresses you're seeing. There are several threads on this
> in the archives of this list.
>
> Look at some of the hits from searching at
>  for
> global_ban_list.
>


Seen that. Usable, but not everything, given that some addresses on my list
are well-known free mail providers.


-- 
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft."


Re: [Mailman-Users] Mailman Security

2017-01-19 Thread Mark Sapiro
On 01/19/2017 08:32 AM, Odhiambo Washington wrote:
> On 19 January 2017 at 18:55, Brian Carpenter  wrote:
>

Odhiambo Washington wrote:
>>>
>>> Now this got me thinking: Once one has submitted a subscription request
>>> and Mailman has dispatched the 'confirm' email, shouldn't mailman decline
>>> any further subscription requests from the same address if they decide to
>>> submit such, and as such shouldn't send any other confirm/verification
>>> requests as long as there is one still pending??


Perhaps there should be a limit, but not an outright refusal because the
original confirmation email could have been lost.

In any case, I'm not interested in implementing this.



>> Subscription spam which is what I think you are experiencing has been dealt
>> with to a certain degree by recent versions of mailman. The following two
>> functions I believe would be of assistance are:
>>
>> SUBSCRIBE_FORM_SECRET
>> GLOBAL_BAN_LIST
>>
...
> So is it enough to add
> 
> SUBSCRIBE_FORM_SECRET = 'L1feSuX'
> 
> to mm_cfg.py and restarting Mailman without doing any other thing??


That is sufficient to enable that feature and it will help block robotic
web subscribes, but there are bots now that are smart enough to mimic
human behavior in first getting the listinfo page and then waiting
before posting the subscribe form.


> The GLOBAL_BAN_LIST is self-explanatory when I read it.


There are various, widespread attacks of this nature, but none that I've
seen with the addresses you're seeing. There are several threads on this
in the archives of this list.

Look at some of the hits from searching at
 for
global_ban_list.

-- 
Mark Sapiro                               The highway is for gamblers,
San Francisco Bay Area, California        better use your sense - B. Dylan
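The exchange above describes what SUBSCRIBE_FORM_SECRET buys and where it stops: the subscribe form carries a secret-derived token, so a bot that posts the form without first fetching it, or posts it instantly, is rejected, while a bot that fetches the page and then waits looks like a person. The block below is an added example, not Mailman's implementation: it models that mechanism with an HMAC over the issue time, list name and client address, plus a minimum and maximum token age. The secret, the field layout and the two time limits are this example's own assumptions.

```python
"""A time-bound subscribe-form token of the kind SUBSCRIBE_FORM_SECRET enables.

Added example, not Mailman's code.  The HMAC construction, the token layout
and the two age limits are assumptions chosen for illustration.
"""
import hashlib
import hmac
import time

# Constructed stand-ins for the site secret and the tuning knobs.
FORM_SECRET = b'example-site-secret-change-me'
MIN_AGE_SECONDS = 5       # a person needs at least this long to fill the form
MAX_AGE_SECONDS = 3600    # after this the token is stale and must be refetched


def issue_token(listname, remote_ip, now=None, secret=FORM_SECRET):
    """Return 'issued:mac' for a hidden field on the listinfo form."""
    issued = int(now if now is not None else time.time())
    msg = f'{issued}:{listname}:{remote_ip}'.encode()
    mac = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return f'{issued}:{mac}'


def check_token(token, listname, remote_ip, now=None, secret=FORM_SECRET):
    """Return (ok, reason).  The MAC binds the token to list, client and
    issue time; the age window rejects instant submits and stale replays."""
    now = int(now if now is not None else time.time())
    try:
        issued_str, mac = token.split(':', 1)
        issued = int(issued_str)
    except (ValueError, AttributeError):
        return False, 'malformed'
    expected = hmac.new(secret, f'{issued}:{listname}:{remote_ip}'.encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return False, 'bad-mac'
    age = now - issued
    if age < MIN_AGE_SECONDS:
        return False, 'too-fast'
    if age > MAX_AGE_SECONDS:
        return False, 'expired'
    return True, 'ok'


def simulate():
    """Walk the cases the thread mentions and return each outcome."""
    t0 = 1_484_820_000  # constructed clock value, seconds since the epoch
    tok = issue_token('mylist', '198.51.100.7', now=t0)
    return {
        # naive bot: fetches the form and posts within a second
        'instant_post': check_token(tok, 'mylist', '198.51.100.7', now=t0 + 1),
        # token made up without the secret
        'forged': check_token(f'{t0}:' + '0' * 64, 'mylist', '198.51.100.7', now=t0 + 10),
        # token issued to one client address, submitted from another
        'other_client': check_token(tok, 'mylist', '203.0.113.9', now=t0 + 10),
        # old token replayed hours later
        'replayed': check_token(tok, 'mylist', '198.51.100.7', now=t0 + 7200),
        # a person, or a bot that waits like one: the token alone cannot tell them apart
        'patient': check_token(tok, 'mylist', '198.51.100.7', now=t0 + 30),
    }


if __name__ == '__main__':
    for case, outcome in simulate().items():
        print(f'{case:13s} -> {outcome}')
```

The `patient` case is the one Mark describes: a token check is a hurdle that removes the crude scripts, not a decision about who is human, so it belongs alongside the ban list and a daily look at the subscribe log rather than in place of them.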


Re: [Mailman-Users] Mailman Security

2017-01-19 Thread Odhiambo Washington
On 19 January 2017 at 18:55, Brian Carpenter  wrote:

> > I have a situation which is a little confusing on a server where I run
> > Mailman. The subscription model is "confirm & approve"
> >
> > When I check the MTA's queue, I find hundreds of mail destined to certain
> > addresses, and one address could have 10 or more same mail destined to it.
> > I cleared the queue before checking the contents of these e-mails, but I
> > assume they were those 'confirm your subscription' ones to these addresses,
> > because I can see the addresses in Mailman's subscribe logfile.
> >
> > Now this got me thinking: Once one has submitted a subscription request and
> > Mailman has dispatched the 'confirm' email, shouldn't mailman decline any
> > further subscription requests from the same address if they decide to
> > submit such, and as such shouldn't send any other confirm/verification
> > requests as long as there is one still pending??
> >
> > I am talking about a situation leading to a subscribe logfile like the one
> > at: http://bit.ly/2iFv5vi
> >
> > Might I be missing something in my list configuration???
>
> Subscription spam which is what I think you are experiencing has been dealt
> with to a certain degree by recent versions of mailman. The following two
> functions I believe would be of assistance are:
>
> SUBSCRIBE_FORM_SECRET
> GLOBAL_BAN_LIST
>
>

> There is some detail information about them in Defaults.py I believe.
>
> Brian Carpenter
> EMWD, Owner
>
> Providing Cloud Services and Mailman hosting for over 18 years.
>
>

Awesome.

So is it enough to add

SUBSCRIBE_FORM_SECRET = 'L1feSuX'

to mm_cfg.py and restarting Mailman without doing any other thing??


The GLOBAL_BAN_LIST is self-explanatory when I read it.


-- 
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft."


Re: [Mailman-Users] Mailman Security

2017-01-19 Thread Brian Carpenter
> I have a situation which is a little confusing on a server where I run
> Mailman. The subscription model is "confirm & approve"
> 
> When I check the MTA's queue, I find hundreds of mail destined to certain
> addresses, and one address could have 10 or more same mail destined to it.
> I cleared the queue before checking the contents of these e-mails, but I
> assume they were those 'confirm your subscription' ones to these addresses,
> because I can see the addresses in Mailman's subscribe logfile.
> 
> Now this got me thinking: Once one has submitted a subscription request and
> Mailman has dispatched the 'confirm' email, shouldn't mailman decline any
> further subscription requests from the same address if they decide to
> submit such, and as such shouldn't send any other confirm/verification
> requests as long as there is one still pending??
> 
> I am talking about a situation leading to a subscribe logfile like the one
> at: http://bit.ly/2iFv5vi
> 
> Might I be missing something in my list configuration???

Subscription spam which is what I think you are experiencing has been dealt
with to a certain degree by recent versions of mailman. The following two
functions I believe would be of assistance are:

SUBSCRIBE_FORM_SECRET
GLOBAL_BAN_LIST

There is some detail information about them in Defaults.py I believe. 

Brian Carpenter
EMWD, Owner

Providing Cloud Services and Mailman hosting for over 18 years.



Re: [Mailman-Users] Mailman security question

2013-05-06 Thread Lindsay Haisley
On Tue, 2013-05-07 at 10:40 +0900, Stephen J. Turnbull wrote:
> Lindsay Haisley writes:
> 
>  > Is there any support in any version of Mailman for total end to end
>  > message security?
> 
> Not in a distributed version, although as mentioned in another post
> there's a patch.  There's a GSoC proposal to implement some such thing
> for Mailman 3, with a reasonable UI for handling user pubkey and such,
> but I can't say at this point whether that project will be approved
> (Google rules).
> 
> Also, "total end to end security" is a fantasy.  The attack surface in
> the mail system is huge, even if the messages are encrypted in
> transport.  Without specifying what the "ends" are (workstations? 
> MTAs? users?) and whether traffic analysis or a court-authorized
> "wiretap" at the Mailman site is considered a threat, I can't help you
> on whether any given system might be considered "secure" or not.

My thought is that "total security" would be MUA to MUA, with the
assumption that most MUAs can handle encryption using GnuPGP, Enigmail,
or some such.

Of course these days nothing is totally secure, since in a pinch, and
given a little time, a supercomputer can break even a 4096 bit, or
larger key.

This is, at this point, curiosity on my part rather than a need for this
capability.

>  > It would also, in the current political climate, doubtless be deemed to
>  > be something close to a national security threat,
> 
> AFAIK PGP-style encryption is no longer considered munitions.  As long
> as the crypto stuff is done by third-party modules, Mailman has no
> problem, I think.  (We can distribute a ROT13 implementation without
> bothering even a member of the Bush family, let alone sophisticated
> Dems like Al Gore, The Father of the Internet as We Know It :-)

I suppose ROT13 would fall under just about everyone's radar ;)  I mean,
who would suspect 

-- 
Lindsay Haisley   | "The difference between a duck is because
FMP Computer Services |one leg is both the same"
512-259-1190  | - Anonymous
http://www.fmp.com|



Re: [Mailman-Users] Mailman security question

2013-05-06 Thread Dennis Putnam
On 5/6/2013 4:54 PM, Lindsay Haisley wrote:
> Is there any support in any version of Mailman for total end to end
> message security?  This would involve being able to send, say, a GPG (or
> PGP) encrypted post to a list, using the list's public key, having the
> list decrypt it, and then repost it to all subscribers, encrypted for
> each using their respective public keys.
>
> Granted that such a facility would be a system resources suck of an
> order of magnitude greater than a simple, unencrypted list, however I
> can see that it might well be useful in some cases.
>
> It would also, in the current political climate, doubtless be deemed to
> be something close to a national security threat, and even discussing
> the idea might attract DHS attention.  I do recall that some years ago
> that Phil Zimmerman, who invented PGP, was the subject of a criminal
> investigation since the PGP algorithm was deemed by the US government to
> be "weapon" subject to export controls.
>
There is a patch that is supposed to do that. I have not tried it.

https://bugs.launchpad.net/mailman/+bug/558189




Re: [Mailman-Users] Mailman Security Patch Announcement

2011-02-18 Thread Mark Sapiro
On 2/18/2011 8:01 AM, Mark Sapiro wrote:
> 
> The patch is attached as confirm_xss.patch.txt.
> 

This list's content filtering stripped the patch's signature part. For
those who would want to verify the signature, I am resending the patch
here as a PGP MIME format message which should pass content filtering.

-- 
Mark Sapiro                               The highway is for gamblers,
San Francisco Bay Area, California        better use your sense - B. Dylan

=== modified file 'Mailman/Cgi/confirm.py'
--- Mailman/Cgi/confirm.py  2010-03-29 20:48:11 +
+++ Mailman/Cgi/confirm.py  2011-02-12 02:24:47 +
@@ -471,7 +471,7 @@
 if fullname is None:
 fullname = _('Not available')
 else:
-fullname = Utils.uncanonstr(fullname, lang)
+fullname = Utils.websafe(Utils.uncanonstr(fullname, lang))
 table.AddRow([_("""Your confirmation is required in order to complete the
 unsubscription request from the mailing list %(listname)s.  You
 are currently subscribed with
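Review bot: the escape is applied only to `fullname`, while the `_("""...""")` template that follows interpolates `%(listname)s` through the same substitution, and nothing in this hunk shows that value going through `Utils.websafe()`. If the list name is constrained at creation time so that it cannot carry markup, a one-line comment saying so at this call site would spare the next reader the same check; if it is not, it needs the same wrapper. The order `Utils.websafe(Utils.uncanonstr(...))` is the right one: the canonical form is decoded first, so any `<`, `>` or `&` the decode produces are escaped rather than being reintroduced after escaping.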
@@ -573,7 +573,7 @@
 if fullname is None:
 fullname = _('Not available')
 else:
-fullname = Utils.uncanonstr(fullname, lang)
+fullname = Utils.websafe(Utils.uncanonstr(fullname, lang))
 if globally:
 globallys = _('globally')
 else:
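Review bot: this is the second of three identical one-line fixes in the same file (line 471 above, here at 573, and 814 below), and three separate call sites that each have to remember to wrap `Utils.uncanonstr()` is the pattern that let the bug in to begin with. Consider a small helper in this module (a hypothetical "display name" function that does the decode and the escape together) and have all three branches call it, so the next template that prints a member's name cannot forget the escape. The `globallys = _('globally')` value in the trailing context is a translated literal, not user input, so it needs no escaping.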
@@ -814,7 +814,7 @@
 if username is None:
 username = _('not available')
 else:
-username = Utils.uncanonstr(username, lang)
+username = Utils.websafe(Utils.uncanonstr(username, lang))
 
 table.AddRow([_("""Your membership in the %(realname)s mailing list is
 currently disabled due to excessive bounces.  Your confirmation is
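Review bot: `username` on the re-enable-membership page is the member's stored display name, so this closes the same stored-XSS path as the two hunks above; the template that follows also interpolates `%(realname)s`, the list's display name, which this hunk leaves unescaped. That value is set by the list administrator rather than by a subscriber, so the exposure is narrower, but if the rule is to escape every interpolated value at the point of output it should get the same `Utils.websafe()` treatment. A regression test that subscribes a member whose name contains `<script>` and asserts that each of the three confirm pages renders it as `&lt;script&gt;` would guard all three sites at once.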




Re: [Mailman-Users] Mailman Security Patch Announcement

2011-02-18 Thread Mark Sapiro
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 2/13/2011 1:58 PM, Mark Sapiro wrote:
> An XSS vulnerability affecting Mailman 2.1.14 and prior versions has
> recently been discovered. A patch has been developed to address this
> issue. The patch is small, affects only one module and can be applied to
> a live installation without requiring a restart.
> 
> In order to accommodate those who need some notice before applying such
> a patch, the patch will be posted on Friday, 18 February at about 16:00
> GMT to the same four lists to which this announcement is addressed.


The vulnerability has been assigned CVE-2011-0707.

The patch is attached as confirm_xss.patch.txt.

- -- 
Mark Sapiro                               The highway is for gamblers,
San Francisco Bay Area, California        better use your sense - B. Dylan

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.7 (MingW32)

iD8DBQFNXpf1VVuXXpU7hpMRAs1nAJ97r3VEu5b5jl4JhdNv3r6x+ElqjQCghU+w
Gp0hqWatECAYyAIL7IH9dGk=
=8U6M
-END PGP SIGNATURE-
=== modified file 'Mailman/Cgi/confirm.py'
--- Mailman/Cgi/confirm.py  2010-03-29 20:48:11 +
+++ Mailman/Cgi/confirm.py  2011-02-12 02:24:47 +
@@ -471,7 +471,7 @@
 if fullname is None:
 fullname = _('Not available')
 else:
-fullname = Utils.uncanonstr(fullname, lang)
+fullname = Utils.websafe(Utils.uncanonstr(fullname, lang))
 table.AddRow([_("""Your confirmation is required in order to complete the
 unsubscription request from the mailing list %(listname)s.  You
 are currently subscribed with
@@ -573,7 +573,7 @@
 if fullname is None:
 fullname = _('Not available')
 else:
-fullname = Utils.uncanonstr(fullname, lang)
+fullname = Utils.websafe(Utils.uncanonstr(fullname, lang))
 if globally:
 globallys = _('globally')
 else:
@@ -814,7 +814,7 @@
 if username is None:
 username = _('not available')
 else:
-username = Utils.uncanonstr(username, lang)
+username = Utils.websafe(Utils.uncanonstr(username, lang))
 
 table.AddRow([_("""Your membership in the %(realname)s mailing list is
 currently disabled due to excessive bounces.  Your confirmation is


Re: [Mailman-Users] Mailman Security & privacy needed examples are given below

2008-07-12 Thread Steven Stern

Mark Sapiro wrote:

> jithender reddy wrote:
>
>> where as one day i find that same as ours i.e mailman archive it is showing
>> entire mails to the outside people. If they are downloading all the
>> archives and seeing them will break our privacy this came to my
>> existence after 2 years of time. I don't know how many are doing this.
>> And we are very much afraid of this.
>>
>> for example same I am showing the link here
>>
>> http://mail.python.org/pipermail/mailman-developers/
>>
>> http://mail.python.org/mailman/listinfo
>
> If you set archive_private to "private" on the lists "Archiving
> Options" page in the admin web interface, the archive will only be
> available to list members who log in with their list password. The
> archive links will be of the form
> , and the
> 'pipermail' links won't work.

It might also be a very good idea to set up an IP address restriction
for the pipermail directory tree in httpd.conf to restrict access to
your internal network.



Re: [Mailman-Users] Mailman Security & privacy needed examples are given below

2008-07-12 Thread Mark Sapiro
jithender reddy wrote:
>
>where as one day i find that same as ours i.e mailman archive it is showing
>entire mails to the outside people. If they are downloading all the
>archives and seeing them will break our privacy this came to my
>existence after 2 years of time. I don't know how many are doing this.
>And we are very much afraid of this.
>
>for example same iam showing the link here
>
>http://mail.python.org/pipermail/mailman-developers/
>
>http://mail.python.org/mailman/listinfo
>


If you set archive_private to "private" on the lists "Archiving
Options" page in the admin web interface, the archive will only be
available to list members who log in with their list password. The
archive links will be of the form
, and the
'pipermail' links won't work.


-- 
Mark Sapiro <[EMAIL PROTECTED]>           The highway is for gamblers,
San Francisco Bay Area, California        better use your sense - B. Dylan



Re: [Mailman-Users] Mailman Security.

2003-02-06 Thread Keith Mastin
>On Wed, 5 Feb 2003 13:47:48 +
>Adam <[EMAIL PROTECTED]> wrote:
>
>> On Wed, 5 Feb 2003 11:44:10 -
>> "dino" <[EMAIL PROTECTED]> wrote:
>> 
>> > Actually he did it this way:
>> > 
>> > Noticed that mydomain/mailman was browsable.
>> > 
>> > Telneted to port 80 and sent a get request from there...ouch.
>> > 
>> > Sorting that now
>> > 
>> > Dino
>> >
>> 
>The fact that telnet is open pretty much says everything about  this
>sysadmin's approach to security. 
> 
IIRC, he didn't say telnetd was open, just that a friend telnetted into 
the mailman directory via port 80(httpd) and got more than he bargained 
for.

OP: rpm -e telnetd


--
Mailman-Users mailing list
[EMAIL PROTECTED]
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/

This message was sent to: archive@jab.org
Unsubscribe or change your options at
http://mail.python.org/mailman/options/mailman-users/archive%40jab.org



Re: [Mailman-Users] Mailman Security.

2003-02-06 Thread Keith Mastin
>Hi All, 
>
>I was just wondering what kind of security mailman offers, as far as
>protecting user passwords goes?
>
>A techy friend of mine has just kindly emailed me a list of all users
>and their passwords! Looking at my server logs it would appear that he
>snuck in somehow via anonymous ftp.
>
>Would closing the anon. ftp service stop mailman working in anyway, or
>dya reckon he got in some place else?
>
>Cheers
>
>Dino

You have some big problems if this is what happened. Your entire system is 
insecure and ready to be (pl)ucked by anyone who has a little know-how. 
Anonymous ftp should chroot to a specific directory, and if a user can 
logon to anon-ftp and get more info then it is completely set up wrong.

Closing anon-ftp is a must-do first step. Really, you should do a full 
system audit, or preferably format and re-install with all clean user info 
(user/passwd pairs), updated *_everything_* and all programs tightened 
down to paranoid levels. Take it as a lesson in security, and don't let it 
happen again is about the best you can get out of this.

The real concern here is the passwords. They are supposed to be encrypted, 
human-unreadable except by the passwd program OR a *_sniffer_program_*. If 
your friend was able to get them, so is just about any script-kiddie 
able to.





RE: [Mailman-Users] Mailman Security.

2003-02-05 Thread lhansfor
> Actually he did it this way:
>
> Noticed that mydomain/mailman was browsable.
>
> Telneted to port 80 and sent a get request from there...ouch.

I do not have Telnet loaded on any of my systems, and I use tcp_wrappers
to tightly control which remote sites can access any sites via ftp or
secure_shell.

Every day the logwatch report show many, many sites that attempted to
access the various systems, but were rejected by tcp_wrapper.  I don't
leave any system open with the default configuration and module loads.

>
> Sorting that now
>
> Dino
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]] On Behalf Of
> John Buttery
> Sent: 05 February 2003 11:27
> To: 'Mailman users Mailing list'
> Subject: Re: [Mailman-Users] Mailman Security.
>
>
> * dino <[EMAIL PROTECTED]> [2003-02-05 10:32:16 -]:
>> I was just wondering what kind of security mailman offers, as far as
>> protecting user passwords goes?
>
>   Pretty much none.  It emails them cleartext once a month, for
> starters.  The list signup page explicitly instructs subscribers not to
> use important passwords (even in bold!).  The intent of the password
> system in Mailman (this is my interpretation, not backed up with any
> actual information) is to protect against malicious [un]subscriptions of
> others by casual idiots on the Net, not against determined attackers.
>
>> A techy friend of mine has just kindly emailed me a list of all users
>> and their passwords! Looking at my server logs it would appear that he
>> snuck in somehow via anonymous ftp.
>
>   Then you have an incorrectly installed/configured/patched ftp server
> problem, not a mailman problem.  :)
>
>> Would closing the anon. ftp service stop mailman working in anyway, or
>> dya reckon he got in some place else?
>
>   I don't see why stopping an ftpd would affect mailman...
>
> --
> 
>  John Buttery
>  (Web page temporarily unavailable)
> 
>







RE: [Mailman-Users] Mailman Security.

2003-02-05 Thread Jim Popovitch
> -Original Message-
> From: Simone Piunno
> Sent: Wednesday, February 05, 2003 11:25 AM
>
> actually, telnet does NOT show you the RAW connection data (it does
> terminal emulation, intercepting control sequences).  For real raw
> data you should use netcat:
>

Excellent point Simone.  I should have used the term raw port data.  The
connection data is a whole different thing.  Thanks for pointing that out.

-Jim P.









Re: [Mailman-Users] Mailman Security.

2003-02-05 Thread Simone Piunno
On Wednesday, 05 February 2003 at 09:51:02, Jim Popovitch wrote:

> People, you can use telnet to connect to any port and view the raw
> connection data on that port.  See this URL for how to send email via

actually, telnet does NOT show you the RAW connection data (it does 
terminal emulation, intercepting control sequences).  For real raw 
data you should use netcat:

http://freshmeat.net/projects/netcat/

or, even better, nc6:

http://freshmeat.net/projects/nc6/

Regards,
Simone Piunno

-- 
This signature intentionally left blank





RE: [Mailman-Users] Mailman Security.

2003-02-05 Thread Jim Popovitch
> -Original Message-
> From: Adam
> Sent: Wednesday, February 05, 2003 8:49 AM
>
> The fact that telnet is open pretty much says everything about
> this sysadmin's approach to security.

The fact that you confused "telnet  80" with "telnet " says
volumes about your sysadmin skills.  :)

People, you can use telnet to connect to any port and view the raw
connection data on that port.  See this URL for how to send email via
telnet:
  http://www.exzilla.net/docs/smtp/telnet_smtp.php


-Jim P.









RE: [Mailman-Users] Mailman Security.

2003-02-05 Thread Richard Barrett
At 11:44 05/02/2003, dino wrote:

> Actually he did it this way:
>
> Noticed that mydomain/mailman was browsable.

What additions did you make to your server's httpd.conf to support running
mailman?

> Telneted to port 80 and sent a get request from there...ouch.

In effect like every other request to your server.

> Sorting that now

Re the telnet thing, there is nothing to sort as regards using a telnet
client to connect to a HTTP server.

But, if you are saying you run a telnet server exposed to the internet on
your server, you really should consider switching to running SSH and cease
and desist running the telnet server.

This problem is likely to be due to poor setup of your httpd.conf.

> Dino
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]] On Behalf Of
> John Buttery
> Sent: 05 February 2003 11:27
> To: 'Mailman users Mailing list'
> Subject: Re: [Mailman-Users] Mailman Security.
>
>
> * dino <[EMAIL PROTECTED]> [2003-02-05 10:32:16 -]:
> > I was just wondering what kind of security mailman offers, as far as
> > protecting user passwords goes?
>
>   Pretty much none.  It emails them cleartext once a month, for
> starters.  The list signup page explicitly instructs subscribers not to
> use important passwords (even in bold!).  The intent of the password
> system in Mailman (this is my interpretation, not backed up with any
> actual information) is to protect against malicious [un]subscriptions of
> others by casual idiots on the Net, not against determined attackers.
>
> > A techy friend of mine has just kindly emailed me a list of all users
> > and their passwords! Looking at my server logs it would appear that he
> > snuck in somehow via anonymous ftp.

If your httpd server and httpd.conf setup is sound then it should not be
possible to access the files storing MM's user passwords via the HTTP server.

If you've got an insecure ftp setup on your server then anything is possible
and God or the devil will surely punish you.

>   Then you have an incorrectly installed/configured/patched ftp server
> problem, not a mailman problem.  :)
>
> > Would closing the anon. ftp service stop mailman working in any way, or
> > dya reckon he got in some place else?
>
>   I don't see why stopping an ftpd would affect mailman...
>
> --
>
>  John Buttery
>  (Web page temporarily unavailable)
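Jim's point that a telnet client can drive any TCP service, and Richard's that a browsable /mailman/ is an httpd.conf problem rather than a telnet problem, come together in the check below. It is an added example, not code from the thread or from Mailman: it sends the same bare GET the "techy friend" typed into telnet, over a plain socket, and reports whether what comes back is an auto-generated directory index. To keep it self-contained it serves a constructed temporary directory with Python's own http.server on a loopback port; the listing-page signatures it looks for ("Index of" for Apache, "Directory listing for" for http.server) are assumptions about the servers you are likely to meet. Point raw_http_get() at your real host and port 80 to check a live installation.

```python
import functools
import http.server
import socket
import socketserver
import threading


def raw_http_get(host, port, path, timeout=5.0):
    """Send a bare HTTP/1.0 GET over a TCP socket, which is exactly what
    typing 'GET /path HTTP/1.0' plus a blank line into 'telnet host 80'
    does, and return (status_code, headers, body)."""
    request = f"GET {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode("ascii")
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        while True:  # HTTP/1.0: the server closes the connection when done
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    head, _, body = b"".join(chunks).partition(b"\r\n\r\n")
    status_line, *header_lines = head.decode("iso-8859-1").split("\r\n")
    status = int(status_line.split()[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def is_directory_listing(status, headers, body):
    """True when the response looks like an auto-generated index page.
    Assumed signatures: Apache titles these 'Index of /...', Python's
    http.server 'Directory listing for /...'."""
    if status != 200 or "text/html" not in headers.get("content-type", ""):
        return False
    lowered = body.lower()
    return b"index of" in lowered or b"directory listing for" in lowered


class _QuietHandler(http.server.SimpleHTTPRequestHandler):
    """SimpleHTTPRequestHandler without per-request logging on stderr."""

    def log_message(self, format, *args):
        pass


def directory_is_browsable(docroot, path):
    """Serve `docroot` on an ephemeral loopback port (a stand-in for the
    real web server), probe `path` with a raw GET, and report whether a
    directory listing came back."""
    handler = functools.partial(_QuietHandler, directory=docroot)
    with socketserver.TCPServer(("127.0.0.1", 0), handler) as server:
        thread = threading.Thread(target=server.serve_forever, daemon=True)
        thread.start()
        try:
            port = server.server_address[1]
            status, headers, body = raw_http_get("127.0.0.1", port, path)
        finally:
            server.shutdown()
    return is_directory_listing(status, headers, body)


if __name__ == "__main__":
    import os
    import tempfile

    # Constructed docroot: an empty mailman/ subdirectory, no index file.
    with tempfile.TemporaryDirectory() as tmp:
        os.mkdir(os.path.join(tmp, "mailman"))
        print("browsable:", directory_is_browsable(tmp, "/mailman/"))
        with open(os.path.join(tmp, "mailman", "index.html"), "w") as fh:
            fh.write("<html><body>nothing to see</body></html>\n")
        print("after adding index.html:", directory_is_browsable(tmp, "/mailman/"))
```

Dropping an index file into the directory, as the second probe shows, only hides the listing; the fix for a real install is to stop the web server exporting that directory at all (Apache's `Options -Indexes`, or not aliasing Mailman's private directories under the document root in the first place).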







RE: [Mailman-Users] Mailman Security.

2003-02-05 Thread Jim Popovitch
> -Original Message-
> From: dino
> Sent: Wednesday, February 05, 2003 6:44 AM
> 
> Actually he did it this way:
> 
> Noticed that mydomain/mailman was browsable.
> 
> Telneted to port 80 and sent a get request from there...ouch.

Your web browser "telnets" to port 80 all day long.  :)

-Jim P.








Re: [Mailman-Users] Mailman Security.

2003-02-05 Thread Barry A. Warsaw

> "A" == Adam  <[EMAIL PROTECTED]> writes:

A> The fact that telnet is open pretty much says everything about
A> this sysadmin's approach to security.
 
Actually, using the telnet /client/ to connect to port 80 is a pretty
natural thing to do.  It should connect to the web server running on
port 80. (I don't know where ftp comes into the picture.)

-Barry




RE: [Mailman-Users] Mailman Security.

2003-02-05 Thread dino
Well I rent a virtual server and now use SSH. But have been told that I
can't turn telnet off...sounds like rubbish to me but hey.

But I do have 99.9% shell access, so there should be a way, I am looking
into it now.

Dino

-Original Message-
From: Adam [mailto:[EMAIL PROTECTED]] 
Sent: 05 February 2003 13:48
To: [EMAIL PROTECTED]
Subject: Re: [Mailman-Users] Mailman Security.


On Wed, 5 Feb 2003 11:44:10 -
"dino" <[EMAIL PROTECTED]> wrote:

> Actually he did it this way:
> 
> Noticed that mydomain/mailman was browsable.
> 
> Telneted to port 80 and sent a get request from there...ouch.
> 
> Sorting that now
> 
> Dino
>

The fact that telnet is open pretty much says everything about this
sysadmin's approach to security.

-- 
Public Key available from www.monkeez.co.uk/public_key.asc





Re: [Mailman-Users] Mailman Security.

2003-02-05 Thread Barry A. Warsaw

> "d" == dino  <[EMAIL PROTECTED]> writes:

d> I was just wondering what kind of security mailman offers, as
d> far as protecting user passwords goes?

User passwords are considered a lower value asset, so while it should
not be possible for unauthorized users or list admins to get them,
they can still be transmitted in the clear (either via the monthly
reminders -- which can be turned off, or by unprotected http login).

To support the monthly reminders, user passwords are kept in the
database in cleartext.  Anyone with shell access and permissions to
the Mailman installation can get them.

d> A techy friend of mine has just kindly emailed me a list of all
d> users and their passwords! Looking at my server logs it would
d> appear that he snuck in somehow via anonymous ftp.

This must have been a local system vulnerability.  Mailman doesn't use
ftp, anonymous or otherwise.

d> Would closing the anon. ftp service stop mailman working in
d> anyway, or dya reckon he got in some place else?

On your system, sure, if that's how he got in.  But this isn't an
attack inherent to Mailman, AFAIK.

-Barry
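Barry's point is that the list passwords are only as safe as the filesystem around them, and dino's leak came through an anonymous ftp server that could evidently reach them. The audit below is an added example, not Mailman's own code (Mailman 2 ships bin/check_perms for a fuller ownership and mode check); it assumes the usual Mailman 2 layout of one config.pck (config.db on older installs) per list under <prefix>/lists/ and flags two things: a config file with the world-read bit set, and a lists directory that sits inside a directory some network service exports. The sample tree in the test is constructed.

```python
import os
import stat

# Assumed Mailman 2 layout: member passwords live, in cleartext, in
# <prefix>/lists/<listname>/config.pck (config.db on 2.0-era installs).
CONFIG_NAMES = ("config.pck", "config.db")


def find_world_readable_configs(lists_dir):
    """Return the list config files under lists_dir that any local account
    (an ftp daemon running as 'nobody' included) can read."""
    exposed = []
    for name in sorted(os.listdir(lists_dir)):
        list_dir = os.path.join(lists_dir, name)
        if not os.path.isdir(list_dir):
            continue
        for cfg in CONFIG_NAMES:
            path = os.path.join(list_dir, cfg)
            if not os.path.isfile(path):
                continue
            mode = stat.S_IMODE(os.stat(path).st_mode)
            if mode & stat.S_IROTH:
                exposed.append(path)
    return exposed


def served_root(lists_dir, service_roots):
    """Return the web or ftp document root that contains lists_dir, or None.
    Private Mailman data must not sit under any directory a network service
    exports, whatever the file modes say."""
    target = os.path.realpath(lists_dir)
    for root in service_roots:
        real_root = os.path.realpath(root)
        if target == real_root or target.startswith(real_root + os.sep):
            return root
    return None


def audit(lists_dir, service_roots):
    """Combine both checks into a list of human-readable findings."""
    findings = [f"world-readable: {p}" for p in find_world_readable_configs(lists_dir)]
    root = served_root(lists_dir, service_roots)
    if root is not None:
        findings.append(f"lists directory is inside exported root {root}")
    return findings


if __name__ == "__main__":
    import sys

    # Assumed defaults: Mailman prefix plus typical web and ftp roots.
    prefix = sys.argv[1] if len(sys.argv) > 1 else "/usr/local/mailman"
    roots = ["/var/www", "/var/ftp"]
    for line in audit(os.path.join(prefix, "lists"), roots) or ["no findings"]:
        print(line)
```

Run it as the mailman user on the box; a clean result from this script does not replace check_perms, it only answers the two questions this thread raised.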




RE: [Mailman-Users] Mailman Security.

2003-02-05 Thread Barry A. Warsaw

> "d" == dino  <[EMAIL PROTECTED]> writes:

d> Actually he did it this way:

d> Noticed that mydomain/mailman was browsable.

d> Telneted to port 80 and sent a get request from there...ouch.

d> Sorting that now

More details, please.  E.g. exactly what url did he get?

-Barry




Re: [Mailman-Users] Mailman Security.

2003-02-05 Thread Adam
On Wed, 5 Feb 2003 13:47:48 +
Adam <[EMAIL PROTECTED]> wrote:

> On Wed, 5 Feb 2003 11:44:10 -
> "dino" <[EMAIL PROTECTED]> wrote:
> 
> > Actually he did it this way:
> > 
> > Noticed that mydomain/mailman was browsable.
> > 
> > Telneted to port 80 and sent a get request from there...ouch.
> > 
> > Sorting that now
> > 
> > Dino
> >
> 
The fact that telnet is open pretty much says everything about this
sysadmin's approach to security.
 
-- 
Public Key available from www.monkeez.co.uk/public_key.asc




RE: [Mailman-Users] Mailman Security.

2003-02-05 Thread dino
Actually he did it this way:

Noticed that mydomain/mailman was browsable.

Telneted to port 80 and sent a get request from there...ouch.

Sorting that now

Dino

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of
John Buttery
Sent: 05 February 2003 11:27
To: 'Mailman users Mailing list'
Subject: Re: [Mailman-Users] Mailman Security.


* dino <[EMAIL PROTECTED]> [2003-02-05 10:32:16 -]:
> I was just wondering what kind of security mailman offers, as far as 
> protecting user passwords goes?

  Pretty much none.  It emails them cleartext once a month, for
starters.  The list signup page explicitly instructs subscribers not to
use important passwords (even in bold!).  The intent of the password
system in Mailman (this is my interpretation, not backed up with any
actual information) is to protect against malicious [un]subscriptions of
others by casual idiots on the Net, not against determined attackers.

> A techy friend of mine has just kindly emailed me a list of all users
> and their passwords! Looking at my server logs it would appear that he
> snuck in somehow via anonymous ftp.

  Then you have an incorrectly installed/configured/patched ftp server
problem, not a mailman problem.  :)

> Would closing the anon. ftp service stop mailman working in any way, or
> dya reckon he got in some place else?

  I don't see why stopping an ftpd would affect mailman... 

-- 

 John Buttery
 (Web page temporarily unavailable)







Re: [Mailman-Users] Mailman Security.

2003-02-05 Thread John Buttery
* dino <[EMAIL PROTECTED]> [2003-02-05 10:32:16 -]:
> I was just wondering what kind of security mailman offers, as far as
> protecting user passwords goes?

  Pretty much none.  It emails them cleartext once a month, for
starters.  The list signup page explicitly instructs subscribers not to
use important passwords (even in bold!).  The intent of the password
system in Mailman (this is my interpretation, not backed up with any
actual information) is to protect against malicious [un]subscriptions of
others by casual idiots on the Net, not against determined attackers.

> A techy friend of mine has just kindly emailed me a list of all users
> and their passwords! Looking at my server logs it would appear that he
> snuck in somehow via anonymous ftp.

  Then you have an incorrectly installed/configured/patched ftp server
problem, not a mailman problem.  :)

> Would closing the anon. ftp service stop mailman working in any way, or
> dya reckon he got in some place else?

  I don't see why stopping an ftpd would affect mailman... 

-- 

 John Buttery
 (Web page temporarily unavailable)

