[Mailman-Users] Re: Subscription Attacks

2025-06-28 Thread David Andrews via Mailman-Users

At 12:38 PM 6/28/2025, Mark Sapiro wrote:

On 6/28/25 09:46, David Andrews via Mailman-Users wrote:
There is stuff about the "secret form?" Would this work? If I
understand it, the IP must match. Then there is stuff about the life of
the form? Do both conditions have to be true? Many of our users do not
return a form quickly, they are not that good with their assistive
technology! The writing suggests five seconds, that would never work
for us.



In mm_cfg.py, set

SUBSCRIBE_FORM_SECRET = 'some phrase'

where some phrase is anything you want that 
isn't obvious. This places a hidden token in the 
subscribe form which is a hash of the phrase, 
the current time and the IP that requested the 
form which has to validate when the form is submitted.


Then set

SUBSCRIBE_FORM_MIN_TIME = seconds(number)

where number is a number of seconds. You misunderstand this. It
doesn't say the form has to be submitted within that time. It says the
form can't be submitted within that time. I.e., you have to wait at
least that long before submitting the form.


This is not perfect, but the intent is to 
require first getting the form and then delaying 
a bit to fill it out before submitting it to 
prevent bots from submitting a canned form or 
getting the form and replying immediately.


This may help.



Thanks!!!

Dave




--
Mark Sapiro                           The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

-- 
Mailman-Users mailing list -- 
mailman-users@python.org To unsubscribe send an 
email to mailman-users-le...@python.org 
https://mail.python.org/mailman3/lists/mailman-users.python.org/ 
Mailman FAQ: http://wiki.list.org/x/AgA3 
Security Policy: http://wiki.list.org/x/QIA9 
Searchable Archives: 
https://www.mail-archive.com/mailman-users@python.org/ 
https://mail.python.org/archives/list/mailman-users@python.org/ 
Member address: dandrews...@comcast.net 




[Mailman-Users] Encoding issues on 2.1.39

2025-06-28 Thread Gabriele Carioli via Mailman-Users
I've recently upgraded an ancient 2.1.12 mailman installation to 2.1.39 and 
noticed an encoding issue, when adding users via add_members.

Steps to reproduce and fix the issue:

1. Put these accented user names in an utf-8 file (users-utf-8.txt):
Těst Accénti 
Mariò Rosśi 

2. Set up a dummy list "dummylist" with it(alian) and en(glish) as languages

3. Set italian as main language

4. remove_members --all -n -N dummylist

5. add_members -a n -w n -r users-utf-8.txt  dummylist
You will see garbage and encoding problems in the output, which you will see 
also on the web interface.

6. Switch the main language to en(glish).

7. Repeat 4&5: no garbage

8. I've edited /usr/lib/mailman/messages/it/LC_MESSAGES/mailman.po, setting
"Content-Type: text/plain; charset=UTF-8\n"
and saved it as utf-8. Then I've recompiled mailman.mo from the modified 
mailman.po

9. Switch the main language to it(alian).

10. Repeat 4&5: no garbage


Not sure if this might also affect other languages.


[Mailman-Users] Subscription Attacks

2025-06-28 Thread David Andrews via Mailman-Users
My system is undergoing a subscription attack. This made the mail 
queue grow alarmingly, and because the software is trying to respond 
to bad addresses, it has caused Microsoft to block us completely and 
they refuse to remove the block right now.


We are taking steps to improve the situation, and have adjusted Exim so it 
doesn't retry mails so often; MS objected to the volume and irregularity 
of mail from us. We are also looking at setting hourly rates, 
although we're not sure where to set them.


Captchas aren't a good solution as we have many thousands of blind, 
and deaf-blind users.


There is stuff about the "secret form?" Would this work? If I 
understand it, the IP must match. Then there is stuff about the life 
of the form? Do both conditions have to be true? Many of our users 
do not return a form quickly, they are not that good with their 
assistive technology! The writing suggests five seconds, that would 
never work for us.


Are there other things we can do to get us out of this mess?

Thanks in advance!

Dave



[Mailman-Users] Re: Subscription Attacks

2025-06-28 Thread Mark Sapiro

On 6/28/25 09:46, David Andrews via Mailman-Users wrote:


There is stuff about the "secret form?" Would this work? If I 
understand it, the IP must match. Then there is stuff about the life of 
the form? Do both conditions have to be true? Many of our users do not 
return a form quickly, they are not that good with their assistive 
technology! The writing suggests five seconds, that would never work 
for us.



In mm_cfg.py, set

SUBSCRIBE_FORM_SECRET = 'some phrase'

where some phrase is anything you want that isn't obvious. This places a 
hidden token in the subscribe form which is a hash of the phrase, the 
current time and the IP that requested the form which has to validate 
when the form is submitted.


Then set

SUBSCRIBE_FORM_MIN_TIME = seconds(number)

where number is a number of seconds. You misunderstand this. It 
doesn't say the form has to be submitted within that time. It says the 
form can't be submitted within that time. I.e., you have to wait at 
least that long before submitting the form.


This is not perfect, but the intent is to require first getting the form 
and then delaying a bit to fill it out before submitting it to prevent 
bots from submitting a canned form or getting the form and replying 
immediately.


This may help.

--
Mark Sapiro                           The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

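Added example, not from the thread and not Mailman's own code: a Python 3 model of the hidden-token scheme Mark describes, so the two settings can be seen working together. A token is minted when the form is fetched, from the issue time, the requester's network and the list name under a secret, and checked on submission for three things: it must be at least SUBSCRIBE_FORM_MIN_TIME old, not older than a maximum form age (Mailman's FORM_LIFETIME, one hour by default), and it must re-hash correctly from the submitting address. The "some phrase" secret, the sample addresses and the list name are constructed; HMAC-SHA256 and the '|' separator are this example's choices, not a claim about Mailman's exact hash construction.

```python
import hashlib
import hmac
import time

# Stand-ins for the mm_cfg.py settings discussed in the thread.  The secret is a
# constructed value; 5 s and one hour are the defaults Mailman 2.1 ships with.
SUBSCRIBE_FORM_SECRET = "some phrase"
SUBSCRIBE_FORM_MIN_TIME = 5       # form must be at least this old when submitted
FORM_LIFETIME = 3600              # form older than this must be fetched again


def _network_part(remote):
    """Drop the last IPv4 octet or IPv6 group.  Binding the token to the
    requester's network rather than the exact address keeps users behind NAT
    pools or load balancers, whose address can shift slightly, from being rejected."""
    if "." in remote:
        return remote.rsplit(".", 1)[0]
    return remote.rsplit(":", 1)[0]


def _digest(issued, remote, listname):
    """Keyed hash over issue time, requester network and list name.
    HMAC-SHA256 is this example's choice of construction."""
    msg = f"{issued}|{_network_part(remote)}|{listname}".encode()
    return hmac.new(SUBSCRIBE_FORM_SECRET.encode(), msg, hashlib.sha256).hexdigest()


def mint_token(remote, listname, now=None):
    """Value placed in the hidden field when the subscribe form is served."""
    issued = int(time.time() if now is None else now)
    return f"{issued}:{_digest(issued, remote, listname)}"


def check_token(token, remote, listname, now=None):
    """Validate a submitted token.  Returns the reasons to reject the submission;
    an empty list means accept.  All failing checks are reported, so one log line
    shows everything that was wrong with the POST."""
    now = int(time.time() if now is None else now)
    try:
        issued_s, submitted = token.split(":", 1)
        issued = int(issued_s)
    except (ValueError, AttributeError):
        # No token, or not "<int>:<hex>": a canned POST that never fetched the form.
        return ["missing"]
    reasons = []
    age = now - issued
    if age > FORM_LIFETIME:
        reasons.append("too_old")       # stale form: GET it again
    if age < SUBSCRIBE_FORM_MIN_TIME:
        reasons.append("too_fast")      # fetched the form and replied immediately
    expected = _digest(issued, remote, listname)
    if not hmac.compare_digest(submitted.encode(), expected.encode()):
        reasons.append("mismatch")      # other network, other list, or forged
    return reasons
```

Two things the model makes visible that the prose does not: a user whose address moves within the same /24 (or IPv6 block minus its last group) still validates, which is what lets the check coexist with assistive-technology users on shared connections, and a token is not single-use, so within FORM_LIFETIME a bot on the same network can replay one fetched form many times. That is why Mark calls it "not perfect", and why it belongs alongside rate limiting rather than in place of it.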


[Mailman-Users] Re: Encoding issues on 2.1.39

2025-06-28 Thread Mark Sapiro

On 6/27/25 06:09, Gabriele Carioli via Mailman-Users wrote:

I've recently upgraded an ancient 2.1.12 mailman installation to 2.1.39 and 
noticed an encoding issue, when adding users via add_members.

Steps to reproduce and fix the issue:

1. Put these accented user names in an utf-8 file (users-utf-8.txt):
Těst Accénti 
Mariò Rosśi 

2. Set up a dummy list "dummylist" with it(alian) and en(glish) as languages

3. Set italian as main language

4. remove_members --all -n -N dummylist

5. add_members -a n -w n -r users-utf-8.txt  dummylist
You will see garbage and encoding problems in the output, which you will see 
also on the web interface.


The default charset for Italian in Mailman 2.1 is iso-8859-1, not utf-8. 
The issue is your utf-8 encoded accented letters are being interpreted 
as iso-8859-1. Thus when the utf-8 encoded


Těst Accénti 
Mariò Rosśi 

is decoded as iso-8859-1, it looks something like

TÄ<9b>st Accénti 
Mariò RosÅ<9b>i 

You can change the encoding for Italian from iso-8859-1 to utf-8, but in 
addition to recoding the message catalog as you have done, you also have 
to add


add_language('it', _('Italian'), 'utf-8', 'ltr')

to mm_cfg.py. Also, if you have any iso-8859-1 strings in the list's 
configuration, you have to recode those. There is a script at 
https://www.msapiro.net/scripts/recode_list that can do that.


Possibly you had already done some or all of this in your 2.1.12 
installation before upgrading.


--
Mark Sapiro                           The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

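Added example, not from the thread and not Mark's recode_list script: Python 3 code that reproduces the misinterpretation Mark describes (utf-8 bytes decoded as iso-8859-1) and the repair he says list configuration strings need (take the characters back to the bytes they were read from, then decode those bytes as utf-8). Mailman 2.1 itself runs on Python 2, so this is an illustration of the mechanism, not code to drop into it. The sample names are Gabriele's; the list-attribute dict is constructed.

```python
def mojibake(text, actual="utf-8", assumed="iso-8859-1"):
    """Show what `text`, stored as `actual`, looks like to a reader that
    decodes it as `assumed` (Mailman's Italian catalog before the change)."""
    return text.encode(actual).decode(assumed)


def recode(value, from_charset="iso-8859-1", to_charset="utf-8"):
    """Undo the misinterpretation: re-encode the characters to the bytes they
    were decoded from, then decode those bytes as the charset they really were.
    Returns (text, changed).  Strings that cannot have come from such a byte
    sequence are returned untouched, so a genuine iso-8859-1 string is not
    corrupted a second time."""
    try:
        raw = value.encode(from_charset)
    except UnicodeEncodeError:
        # Contains characters outside iso-8859-1, so it is already real
        # Unicode text and not a misdecoded byte string.
        return value, False
    try:
        fixed = raw.decode(to_charset)
    except UnicodeDecodeError:
        # Valid iso-8859-1 that is not valid utf-8: leave it alone.
        return value, False
    return fixed, fixed != value


def recode_list_config(config, from_charset="iso-8859-1", to_charset="utf-8"):
    """Apply recode() to every string attribute of a list configuration and
    report which keys changed.  `config` is a plain dict standing in for the
    stored list attributes such a script has to walk."""
    fixed = {}
    changed = []
    for key, val in config.items():
        if isinstance(val, str):
            new, did = recode(val, from_charset, to_charset)
            fixed[key] = new
            if did:
                changed.append(key)
        else:
            fixed[key] = val
    return fixed, changed
```

The second guard in recode() is the caveat worth knowing before running anything like it over real lists: a string that is valid in both charsets (for example a description that genuinely contains "Ã©") will be "repaired" into something else, because the bytes alone cannot say which reading was intended. Recoding a list is therefore a deliberate per-list step taken together with the add_language() change, not a heuristic to run blindly.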