[Mailman-Users] bounce back attacks on users via mailman 2 web interface

2022-10-01 Thread Michael Richardson
For the past few months my mailman (2) installation with a dozen lists on it 
has been convinced to email bomb various random people out there from the 
list-bounces@ address.
I have daily cron jobs that clean this junk out of my postfix queue, as most 
destinations rate limit me.  It's not helping my email reputation at all :-(
At first I thought that this was some kind of email amplification attack.  After 
some puzzling, I realized that these were subscribe attempts coming in through 
the web interface.
Sigh.  An upgrade to mailman 3 has been in the works for a while, but it's one 
of those things best done on a really rainy November when there is nothing else 
you can do.

Are there easy ways to add a CAPTCHA to these old mailman 2 pages?
--
Mailman-Users mailing list -- mailman-users@python.org
To unsubscribe send an email to mailman-users-le...@python.org
https://mail.python.org/mailman3/lists/mailman-users.python.org/
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: https://www.mail-archive.com/mailman-users@python.org/
https://mail.python.org/archives/list/mailman-users@python.org/
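
One way to confirm the diagnosis above from the web server's access log, as an added example that is not part of the original thread: it flags bursts of POSTs to the Mailman 2 subscribe form per client address and per list. The Combined Log Format, the `/mailman/subscribe/<list>` path, the thresholds and the sample lines are assumptions to adapt to your own installation.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Combined Log Format. /mailman/subscribe/<list> is the usual Mailman 2 CGI
# path (assumption: adjust to your own ScriptAlias).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"POST /mailman/subscribe/(?P<list>[^/?\s"]+)[^"]*" \d{3} ')

def subscribe_posts(lines):
    """Yield (timestamp, client_ip, listname) for each subscribe-form POST."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield ts, m["ip"], m["list"]

def find_bursts(lines, ip_limit=3, list_limit=5, window=timedelta(minutes=10)):
    """Return keys ('ip', addr) / ('list', name) with more subscribe POSTs than
    their limit inside a sliding window. The per-list key catches floods that
    are spread over many client addresses."""
    recent = defaultdict(deque)
    flagged = set()
    for ts, ip, listname in sorted(subscribe_posts(lines)):
        for key, limit in ((("ip", ip), ip_limit), (("list", listname), list_limit)):
            q = recent[key]
            q.append(ts)
            while ts - q[0] > window:   # drop hits older than the window
                q.popleft()
            if len(q) > limit:
                flagged.add(key)
    return flagged

# Constructed sample lines (documentation-range addresses), not real traffic.
def _line(ip, hms, req):
    return f'{ip} - - [01/Oct/2022:{hms} +0000] "{req} HTTP/1.1" 200 2154 "-" "-"'

SAMPLE_LOG = (
    [_line("203.0.113.7", f"12:00:0{i}", "POST /mailman/subscribe/announce") for i in range(5)]
    + [_line("192.0.2.10", "12:03:00", "POST /mailman/subscribe/announce"),
       _line("203.0.113.7", "12:04:00", "GET /mailman/listinfo/announce"),
       _line("198.51.100.4", "15:30:00", "POST /mailman/subscribe/users")]
)

if __name__ == "__main__":
    for kind, value in sorted(find_bursts(SAMPLE_LOG)):
        print(f"burst of subscribe POSTs: {kind}={value}")
```

Flagged addresses can feed a rate limit or block at the web server while the CAPTCHA question is sorted out.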


[Mailman-Users] Re: bounce back attacks on users via mailman 2 web interface

2022-10-01 Thread Mark Sapiro

On 10/1/22 12:50, Michael Richardson wrote:

> Are there easy ways to add a CAPTCHA to these old mailman 2 pages?

See the NEWS items at 
https://bazaar.launchpad.net/~mailman-coders/mailman/2.1/view/head:/NEWS#L163, 
https://bazaar.launchpad.net/~mailman-coders/mailman/2.1/view/head:/NEWS#L381 
and 
https://bazaar.launchpad.net/~mailman-coders/mailman/2.1/view/head:/NEWS#L1352


--
Mark Sapiro                           The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan


[Mailman-Users] Re: AT&T Blocking (was AOL list member not receiving list traffic)

2022-10-01 Thread Barry S. Finkel

On 9/10/2022 8:37 AM, Julian H. Stacey wrote:

> > No known instances of members reporting us as spam.
>
> Un-realised reports are worse, where you only later discover your
> domain name or an IP number has been falsely listed.
>
> I searched for a tool to periodically run, to automatically scan
> with a list of RBL providers, whether any RBL has silently listed
> your domain names or numbers:
> http://www.anti-abuse.org/multi-rbl-check/
> https://mxtoolbox.com/blacklists.aspx
> https://rspamd.com/doc/modules/rbl.html
> Any recommendations ?
>
> Opinion:
>    Bad enough that some commercial companies profit by dumping their
>    admin problems on the innocent far end.  Worse that the far end
>    may be an unpaid organisation, so companies steal time from
>    volunteer admins.  Worst are fake RBL lists, criminal libelling
>    for profit http://berklix.org/~jhs/mail/sorbs/
>
>    I have list members who admitted incompetence to unsubscribe
>    majordomo, less with mailman.  Worse were the lazy who refused
>    to learn, demanding to waste volunteer admin time for manual help.
>    Procmail rules discarded their noise.  Worst were malicious faked
>    reports to black listers.
>
> Cheers,

I do not have the entire thread here, but I have had an experience with
at&t.  My e-mail address is @att.net, and I login to the web a few times
a month - once to see my bill, and maybe two times to look at my spam
folder.  More than half of the time, the web site does not accept my
password, and I cannot use the "change password" link.  So I call
the 800 support number and get a new temporary password.  I am assuming
that one or more persons is/are trying to login to my account, and thus
my account is getting "frozen".  Last Saturday night it happened, and I
called support.  I was told that they could not give me a new password
over the phone; they would have to put a temporary password in the USPS
mail.  This is a new policy that started a few days before my call.
The support person to whom I talked said that at&t was trying to
block IP addresses from where these login attempts are coming.  I have
no idea if this is related to the problem that started this thread.

--Barry Finkel