Re: [Mailman-Users] How to blocking malicious subscription requests?
- Original Message -
> From: "Mark Sapiro"
> On 09/05/2017 09:45 AM, Grant Taylor via Mailman-Users wrote:
>>
>> Is Mailman aware of user+detail? Or does it naively view the entire
>> userpart as distinct? Thus allowing as many subscriptions using
>> detail as possible?
>>
>> I know of at least one very major mail provider (possibly the same one)
>> that removes dots from the user part. So the following addresses are
>> equivalent.
>
>
> Mailman 2.1.x considers all these to be different users. E.g.
>
> j...@example.com
> joe+mm_l...@example.com
> joe+ot...@example.com
> j...@example.com
>
> are four distinct users as far as Mailman is concerned.

And, albeit arguably, I think that's the correct behavior.

Plus-hacking is a hack specifically to make recipient filtering easier and more reliable; since you can't expect outsiders to assume it, you have to yourself treat it as separate mailboxes, and assume they will as well. As Mailman does.

It is, in short, a way to create additional recipient mailboxes when the user in question doesn't have administrative permission to do that; assuming the user's receiving MUA will do the right thing -- but that's the only computer it requires you to make an assumption about.

Cheers,
-- jra

--
Jay R. Ashworth              Baylink                      j...@baylink.com
Designer                     The Things I Think                    RFC 2100
Ashworth & Associates        http://www.bcp38.info        2000 Land Rover DII
St Petersburg FL USA         BCP38: Ask For It By Name!      +1 727 647 1274

--
Mailman-Users mailing list Mailman-Users@python.org
https://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: https://mail.python.org/mailman/options/mailman-users/archive%40jab.org

Re: [Mailman-Users] How to blocking malicious subscription requests?
On 09/05/2017 09:45 AM, Grant Taylor via Mailman-Users wrote:
>
> Is Mailman aware of user+detail? Or does it naively view the entire
> userpart as distinct? Thus allowing as many subscriptions using
> detail as possible?
>
> I know of at least one very major mail provider (possibly the same one)
> that removes dots from the user part. So the following addresses are
> equivalent.

Mailman 2.1.x considers all these to be different users. E.g.

j...@example.com
joe+mm_l...@example.com
joe+ot...@example.com
j...@example.com

are four distinct users as far as Mailman is concerned.

--
Mark Sapiro                          The highway is for gamblers,
San Francisco Bay Area, California   better use your sense - B. Dylan

Re: [Mailman-Users] How to blocking malicious subscription requests?
On 09/05/2017 08:55 AM, Ian Kelling wrote:
> There is at least one very major mail provider where
> joe+any_string@domain goes to the inbox of joe by default,

Is Mailman aware of user+detail? Or does it naively view the entire userpart as distinct? Thus allowing as many subscriptions using detail as possible?

I know of at least one very major mail provider (possibly the same one) that removes dots from the user part. So the following addresses are equivalent.

u.s@example.net
u...@example.net
us...@example.net
...

The same type of thing could be exploited without user+detail.

--
Grant. . . .
unix || die

Re: [Mailman-Users] How to blocking malicious subscription requests?
On 05-Sep-17 10:55, Ian Kelling wrote:
> There is at least one very major mail provider where
> joe+any_string@domain goes to the inbox of joe by default, allowing bad
> people to get my mailman instance to send many subscription mails to
> joe+random_string@domain, messing up joe's inbox, because mailman just
> sees different addresses. Can mailman stop doing this? If not, I'm open
> to an exim rule to block or at least rate limit mailman from doing this
> too.

This is correct behavior by both the mail service provider and by mailman.

The way to address the anti-social behavior described is to implement a captcha, which will effectively rate-limit subscription requests by bad actors - usually to close to zero. This has been discussed recently on this list.

> Also, is there a way to rate limit subscription requests even for the
> exact same email address? For example, don't allow someone to subscribe
> to list b if they have > 5 unconfirmed subscription requests in the last
> day?

I don't think so, but others more expert may respond. If not, it seems like a reasonable feature request for MM3. But a captcha will probably have the effect that you want.

I use reCAPTCHA (now hosted by Google). It seems to stay ahead of the captcha-solver bots most of the time. It's important to choose one that is accessible to people with disabilities.

> --
> Ian Kelling | Senior Systems Administrator, Free Software Foundation
> GPG Key: B125 F60B 7B28 7FF6 A2B7 DF8F 170A F0E2 9542 95DF
> https://fsf.org | https://gnu.org
>

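An added sketch of the per-mailbox throttle asked about in the quoted question, not Mailman's own code nor anything posted in this thread: requests are counted against a canonical mailbox that strips user+detail and, for providers that ignore dots, folds the dots, so the aliases discussed earlier in the thread all count against one inbox. The set of dot-folding domains is a constructed assumption.

```python
"""Added sketch (not Mailman code): throttle confirmation mails per mailbox."""
import time
from collections import defaultdict, deque
from typing import Deque, Dict, Optional

# Constructed assumption: domains whose provider ignores dots in the local
# part. A real deployment would maintain this set itself.
DOT_FOLDING_DOMAINS = {"example.com"}


def canonical_mailbox(address: str) -> str:
    """Map every alias of one inbox to a single key:
    joe+mm_list@example.com -> joe@example.com  (user+detail stripped)
    j.o.e@example.com       -> joe@example.com  (dots folded, listed domains)
    """
    local, at, domain = address.strip().lower().rpartition("@")
    if not at or not local or not domain:
        raise ValueError("not an address: %r" % address)
    local = local.split("+", 1)[0]
    if domain in DOT_FOLDING_DOMAINS:
        local = local.replace(".", "")
    return "%s@%s" % (local, domain)


class PendingSubscriptionThrottle:
    """Refuse another confirmation mail once a mailbox already has `limit`
    unconfirmed requests inside the trailing `window` seconds."""

    def __init__(self, limit: int = 5, window: float = 86400.0) -> None:
        self.limit = limit
        self.window = window
        self._pending: Dict[str, Deque[float]] = defaultdict(deque)

    def allow(self, address: str, now: Optional[float] = None) -> bool:
        """Record a request; True if a confirmation may be sent for it."""
        now = time.time() if now is None else now
        q = self._pending[canonical_mailbox(address)]
        while q and now - q[0] > self.window:  # drop expired requests
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True

    def confirm(self, address: str) -> None:
        """A completed confirmation clears the mailbox's pending count."""
        self._pending.pop(canonical_mailbox(address), None)
```

With the default limit of 5 and a one-day window, the sixth request for any alias of the same inbox is refused until an earlier one ages out or is confirmed.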
Re: [Mailman-Users] How to blocking malicious subscription requests?
On 9/5/2017 9:55 AM, Ian Kelling wrote:
> There is at least one very major mail provider where
> joe+any_string@domain goes to the inbox of joe by default, allowing bad
> people to get my mailman instance to send many subscription mails to
> joe+random_string@domain, messing up joe's inbox, because mailman just
> sees different addresses. Can mailman stop doing this? If not, I'm open
> to an exim rule to block or at least rate limit mailman from doing this
> too.

You can use BAN_LIST on a list by list basis or GLOBAL_BAN_LIST in the config (in MM 2.1.21).

My observation about the attack is that they are doing a GET on the subscribe page to retrieve the hidden sub_form_token form field value and then doing a post to do the subscribe. I modified the source for my install of MM to change the hidden field name. I've had no successful or unsuccessful subscribe attempts since.

david

--
IBM i on Power Systems: For when you can't afford to be out of business!

I'm riding a metric century (100 km / 65 miles) in the American Diabetes Association's Tour de Cure to raise money for diabetes research, education, advocacy, and awareness. You can make a tax deductible donation to my ride by visiting http://gmane.diabetessucks.net. My goal is $6000 but any amount is appreciated. You can see where my donations come from by visiting my interactive donation map ... http://gmane.diabetessucks.net/map (it's a geeky thing).

I may have diabetes, but diabetes doesn't have me!