[Mailman-Users] Bad email for requests or subscription attempts possible

2021-04-14 Thread Bader, Robert (Bob)
I think I have a situation where someone is sending email to one of my lists' 
request address, i.e. 
(lista-reque...@domain.com), from an invalid 
email address (maybe spoofing the sending address). Or they may be 
trying to subscribe and entering an invalid email address on the website.

So what happens is the list admins get a bunch of bounces.  What is the best 
way to stop this?  If I add an email to the ban section for a list, will 
mailman drop any email or requests from them if they are spoofing as a sender 
or trying to subscribe?

--
Mailman-Users mailing list -- mailman-users@python.org
To unsubscribe send an email to mailman-users-le...@python.org
https://mail.python.org/mailman3/lists/mailman-users.python.org/
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: https://www.mail-archive.com/mailman-users@python.org/
https://mail.python.org/archives/list/mailman-users@python.org/


[Mailman-Users] Re: Bad email for requests or subscription attempts possible

2021-04-14 Thread Jon Baron
I may have a somewhat different problem, but I was getting subscription
attempts (to Mailman 2) through the web site from addresses that didn't
exist. I was worried about too much "backscatter" ruining our "reputation"
on services that prevent users from deciding what isn't spam.

I tried one of the recommended modifications, which was to add to
/etc/mailman/mm_cfg.py the simplest possible test to the web site, to
prevent "bots" from trying to sign up, which came from Defaults.py:

SUBSCRIBE_FORM_SECRET = ""
SUBSCRIBE_FORM_MIN_TIME = seconds(10)
CAPTCHAS = {
    'en': [
        ('What is two times six?', '(12|twelve)'),
    ],
}

I'm not sure that the first line did any good, but the second one seems to
have worked like a charm. The problem completely went away. There are
fancier solutions in Defaults.py, but this one worked for me.

HOWEVER, I also had to edit
/var/lib/mailman/lists/jdm-society/en/listinfo.html
to add the line

just before the row with "Your name".

Jon

On 04/14/21 21:15, Bader, Robert (Bob) wrote:
> I think I have a situation where someone is sending email to one of my lists' 
> request address, i.e. 
> (lista-reque...@domain.com), from an invalid 
> email address (maybe spoofing the sending address). Or they may be 
> trying to subscribe and entering an invalid email address on the website.
> 
> So what happens is the list admins get a bunch of bounces.  What is the best 
> way to stop this?  If I add an email to the ban section for a list, will 
> mailman drop any email or requests from them if they are spoofing as a sender 
> or trying to subscribe?

-- 
Jonathan Baron, Professor of Psychology, University of Pennsylvania
Home page: https://www.sas.upenn.edu/~baron
Editor: Judgment and Decision Making (http://journal.sjdm.org)
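As an added illustration of what the three settings above do (this is my own model, not Mailman's code and not anything Jon posted): a hidden form token signed with SUBSCRIBE_FORM_SECRET that carries the time the form was served, a minimum-time check against that time, and the captcha answer matched in full, case-insensitively, against the configured regex. The token format, the function names (make_form_token, check_form_token, captcha_verify, check_subscribe_form), the form field names and the sample client addresses are assumptions of the example, and in this model an empty secret simply switches the token check off.

```python
import hashlib
import hmac
import re

# Settings mirroring the mm_cfg.py values in the message above.  The secret is
# a constructed placeholder; a real deployment uses a long random string.
SUBSCRIBE_FORM_SECRET = "constructed-placeholder-secret-change-me"
SUBSCRIBE_FORM_MIN_TIME = 10  # seconds
CAPTCHAS = {
    'en': [
        ('What is two times six?', '(12|twelve)'),
    ],
}


def make_form_token(secret, issued_at, remote_addr):
    """Hidden-field token written into the subscribe form when it is served.

    Carries the issue time in clear plus an HMAC over time and client address,
    so a client cannot back-date it.  (Hypothetical scheme for this example,
    not Mailman's own token format.)
    """
    msg = "%d:%s" % (issued_at, remote_addr)
    mac = hmac.new(secret.encode(), msg.encode(), hashlib.sha256).hexdigest()
    return "%d:%s" % (issued_at, mac)


def check_form_token(secret, token, remote_addr, now, min_time):
    """Return (ok, reason).  An empty secret disables the check entirely."""
    if not secret:
        return True, "token check disabled"
    token = str(token or "")
    try:
        issued_str, _mac = token.split(":", 1)
        issued_at = int(issued_str)
    except ValueError:
        return False, "malformed token"
    expected = make_form_token(secret, issued_at, remote_addr)
    if not hmac.compare_digest(expected.encode(), token.encode()):
        return False, "bad signature"
    if now - issued_at < min_time:
        return False, "submitted too fast"
    return True, "ok"


def captcha_verify(idx, given_answer, captchas):
    """True if the answer matches the whole regex of question idx, ignoring case."""
    try:
        idx = int(idx)
    except (TypeError, ValueError):
        return False
    if not 0 <= idx < len(captchas):
        return False
    _question, pattern = captchas[idx]
    return re.fullmatch(pattern, str(given_answer).strip(), re.IGNORECASE) is not None


def check_subscribe_form(form, remote_addr, now, secret=SUBSCRIBE_FORM_SECRET,
                         min_time=SUBSCRIBE_FORM_MIN_TIME, captchas=CAPTCHAS['en']):
    """Apply all checks to a submitted form (a dict of field -> value)."""
    ok, reason = check_form_token(secret, form.get('sub_form_token', ''),
                                  remote_addr, now, min_time)
    if not ok:
        return reason
    if not captcha_verify(form.get('captcha_idx'), form.get('captcha_answer', ''), captchas):
        return "wrong captcha"
    return "ok"


if __name__ == "__main__":
    # Constructed sample: form served at t=1000 to 203.0.113.5 (documentation range).
    token = make_form_token(SUBSCRIBE_FORM_SECRET, 1000, "203.0.113.5")
    form = {'sub_form_token': token, 'captcha_idx': '0', 'captcha_answer': 'twelve'}
    print("submitted after 1s: ", check_subscribe_form(form, "203.0.113.5", 1001))
    print("submitted after 15s:", check_subscribe_form(form, "203.0.113.5", 1015))
```

Running the script prints the verdict for a submission one second after the form was served (rejected as too fast) and for one fifteen seconds later (accepted). The HMAC binds the timestamp to the client address, so a token obtained by one client cannot be replayed from another.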


[Mailman-Users] Moving from HTTP to HTTPS, or You'd think a core dev ...

2021-04-14 Thread Stephen J. Turnbull
Hi all,

This is a little embarrassing, but I thought y'all might deserve a
heads-up.  Note, this is not a bug, except in my brain.  And maybe
yours but probably not ;-).

A couple years ago I converted my Mailman 2 site from HTTP to HTTPS.
The site is visible externally to my university, thus HTTPS, but
almost entirely used for announcements, which partly explains how I
missed this (more on that later).  I tried to release a held message
from the moderation page, and this failed repeatedly.  Eventually I
realized that I wasn't getting a response page at all.  I'm guessing
that what happened is this:

1.  I added a virtual host on :443 in my Apache server config to
accept Mailman requests via HTTPS (the rest of the URLs are the
same).
2.  I added a global redirect rule that returns a redirect of every
HTTP request as an https: URL.
3.  The request for moderation action gets redirected, invalidating
the CSRF cookie.
4.  The redirected request has an invalid cookie, which gets ignored,
and it is discarded.

The fix is obvious: run bin/fix_url.py on all my lists.

You're allowed to laugh now, but try to not scare the fish. :-)

How I missed this, and you might too: because these are announcement
lists configured to my normal usage, there's very little in the way of
web interaction on the moderation side, but list configuration works,
so I didn't notice it there.  (I caught it this time because I got
moderated due to a very large post.)  I don't understand why
moderation fails but list configuration works in my configuration (the
list configuration pages also have CSRF cookies).

If you care, ask and I'll figure it out.  I probably should figure it
out since it suggests that some CSRF cookies may persist for more than
one request, or Mailman may somehow reissue the CSRF cookie in some
circumstances.  Explanations that save me the effort appreciated! ;-)

Steve
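An added example (mine, not part of Steve's message and not Mailman's own code): a withlist-style audit that flags lists whose stored web_page_url still carries the http scheme, or a different host than the HTTPS vhost, and prints the fix_url invocation for each. It assumes Mailman 2.1's bin/withlist conventions (a callable receiving the list object, which exposes web_page_url and internal_name()) and the usual `bin/withlist -l -r fix_url LIST -u HOST` form; the host lists.example.edu and the stub lists are constructed. fix_url builds the new URL from DEFAULT_URL_PATTERN, so that setting must already read 'https://%s/mailman/' in mm_cfg.py before the printed commands are run.

```python
from urllib.parse import urlsplit

SITE_SCHEME = 'https'
SITE_URLHOST = 'lists.example.edu'   # constructed placeholder for the :443 vhost


def url_mismatch(web_page_url, scheme=SITE_SCHEME, urlhost=SITE_URLHOST):
    """Return why web_page_url will be redirected by the site, or None if it is fine."""
    parts = urlsplit(web_page_url)
    if parts.scheme != scheme:
        return "scheme is %s but the site serves %s" % (parts.scheme, scheme)
    if parts.hostname != urlhost:
        return "host is %s but the site is %s" % (parts.hostname, urlhost)
    return None


def audit_urls(mlist, scheme=SITE_SCHEME, urlhost=SITE_URLHOST):
    """withlist entry point: print and return the fix_url command for a stale list.

    Hypothetical usage (assumed from Mailman 2.1's withlist, check --help):
    save as bin/audit_urls.py and run  bin/withlist -a -r audit_urls
    """
    name = mlist.internal_name()
    reason = url_mismatch(mlist.web_page_url, scheme, urlhost)
    if reason is None:
        return None
    cmd = "bin/withlist -l -r fix_url %s -u %s" % (name, urlhost)
    print("%s: %s -> run: %s" % (name, reason, cmd))
    return cmd


class StubList:
    """Constructed stand-in for a Mailman list object, so this runs offline."""

    def __init__(self, name, web_page_url):
        self._name = name
        self.web_page_url = web_page_url

    def internal_name(self):
        return self._name


if __name__ == "__main__":
    # Constructed inventory: one list still on http, one already fixed.
    for lst in (StubList('announce', 'http://lists.example.edu/mailman/'),
                StubList('staff', 'https://lists.example.edu/mailman/')):
        if audit_urls(lst) is None:
            print("%s: ok" % lst.internal_name())
```

The same scheme check is worth repeating after any later change to the Apache vhost or redirect rules, since the stored URL is what Mailman writes into its form actions and does not follow the web server configuration by itself.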



[Mailman-Users] Bad email for requests or subscription attempts possible

2021-04-14 Thread Stephen J. Turnbull
Bader, Robert (Bob) writes:

 > I think I have a situation where someone is sending email to one of
 > my lists' request address, i.e.
 > (lista-reque...@domain.com), from
 > an invalid email address (maybe spoofing the sending address). Or
 > they may be trying to subscribe and entering an invalid
 > email address on the website.
 > 
 > So what happens is the list admins get a bunch of bounces.  What
 > is the best way to stop this?

I'm sorry, but dealing with the first one is what list admins are for.
Sorting these things out requires human intelligence.  Banning helps,
though:

 > If I add an email to the ban section for a list, will mailman drop
 > any email or requests from them if they are spoofing as a sender or
 > trying to subscribe?

I'm not sure what you're asking, so let me go into perhaps more detail
than you want.  Bottom Line Up Front: Banning such addresses will make
your life better.  I'm pretty sure it does what you want (except it
can't filter out the *first* obnoxious attempt :-( ).

1.  Mailman does not check for spoofing.  In theory, the best that can
be done is to check for From alignment of the domain in From with
a DKIM signature, but there's no reasonable way to do it for web
subscriptions.  Worse, using DKIM to authenticate subscription or
posting addresses is likely to cause more problems than it solves
because users are very commonly posting or accessing the web from
somewhere other than their nominal domain.

2.  In principle, attempts to subscribe or post from a banned email
address are discarded with extreme prejudice.  For posting, you'd
have to ask Mark about how this interacts with situations where
some of the envelope sender, Sender field, and From field are
*not* the banned address.

HTH

Steve



[Mailman-Users] Re: Bad email for requests or subscription attempts possible

2021-04-14 Thread Mark Sapiro
On 4/14/21 2:15 PM, Bader, Robert (Bob) wrote:
> I think I have a situation where someone is sending email to one of my lists' 
> request address, i.e. 
> (lista-reque...@domain.com), from an invalid 
> email address (maybe spoofing the sending address). Or they may be 
> trying to subscribe and entering an invalid email address on the website.
> 
> So what happens is the list admins get a bunch of bounces.  What is the best 
> way to stop this?  If I add an email to the ban section for a list, will 
> mailman drop any email or requests from them if they are spoofing as a sender 
> or trying to subscribe?


If you know the address and ban it, that will stop bounces of
confirmation requests from the web subscribe CGI as the 'address is
banned' response is sent back to the web browser. Also, Jon Baron's
advice will help with web subscribes when you don't know what address or
regexp to ban.

However, in the less likely bounces of replies to mail to the
list-request address case, there's not much Mailman can do. Banning
won't help as there will still be an email back to the address saying
it's banned.  Also, any kind of header filtering won't help as that's
only for posts and mail to list-owner.

-- 
Mark Sapiro
San Francisco Bay Area, California
The highway is for gamblers, better use your sense - B. Dylan
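The asymmetry Mark describes, as an added example (my code, not Mailman's): a ban_list check in the Mailman 2 style (plain entries compared case-insensitively, entries beginning with ^ treated as regular expressions), followed by the two entry points. A banned web subscription is answered in the browser and sends nothing, while mail to the -request address still produces a reply to whatever sender address was used, so an invalid sender turns that reply into a bounce. The function names, the ban_list contents and the addresses are constructed.

```python
import re

# Constructed ban_list in the Mailman 2 style: a plain address is compared
# case-insensitively; an entry starting with '^' is a regular expression.
BAN_LIST = [
    'bogus.sender@example.net',
    r'^.*@mail\.example\.invalid$',
]


def banned_pattern(address, ban_list=BAN_LIST):
    """Return the ban_list entry that matches address, or None."""
    address = address.strip().lower()
    for entry in ban_list:
        if entry.startswith('^'):
            if re.match(entry, address, re.IGNORECASE):
                return entry
        elif entry.lower() == address:
            return entry
    return None


def web_subscribe(address, ban_list=BAN_LIST):
    """Subscribe CGI path.  Returns (text shown in the browser, outbound mail).

    A banned address gets its answer on the page, so nothing is mailed and
    nothing can bounce.
    """
    if banned_pattern(address, ban_list):
        return "address is banned", []
    return "confirmation sent", [("subscription confirmation", address)]


def request_mail(sender, command, ban_list=BAN_LIST):
    """list-request path.  Returns the outbound mail generated.

    Mail commands are answered by mail, so even a banned (or forged) sender
    address gets a reply, and an invalid sender turns that reply into a
    bounce to the list owner.
    """
    if banned_pattern(sender, ban_list):
        return [("you are banned", sender)]
    return [("results of '%s' command" % command, sender)]


def bounce_risk(outbound, deliverable):
    """Outbound messages that will bounce, given a deliverability predicate."""
    return [msg for msg in outbound if not deliverable(msg[1])]


def exists(address):
    """Constructed deliverability oracle: nothing under .invalid can receive mail."""
    return not address.lower().endswith(".invalid")


if __name__ == "__main__":
    # Constructed sample: one non-existent address tried on both paths.
    dead = "nobody@mail.example.invalid"
    page, mail = web_subscribe(dead)
    print("web:  %s -> bounces: %s" % (page, bounce_risk(mail, exists)))
    mail = request_mail(dead, "subscribe")
    print("mail: %s -> bounces: %s" % (mail, bounce_risk(mail, exists)))
```

With the constructed address, the web path reports the ban and yields no bounce, while the -request path yields one banned-notice message that cannot be delivered; that is the residual bounce traffic Mark says banning does not remove.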