Re: [Mailman-Users] Critical security update for Mailman 2.1.5 and earlier
Can this be applied to any 2.1 release? I am running 2.1 at the moment. Thanks.

> Until Mailman 2.1.6 is released, the longer term fix is to apply this
> patch:
>
> http://www.list.org/CAN-2005-0202.txt

--
Mailman-Users mailing list
Mailman-Users@python.org
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: http://mail.python.org/mailman/options/mailman-users/archive%40jab.org
Re: [Mailman-Users] Critical security update for Mailman 2.1.5 and earlier
OK, thanks. With no modifications it did not apply, but I can probably get it to work. It shouldn't cause any issues w/ 2.1, should it? Thanks.

Quoting Ralf Hildebrandt <[EMAIL PROTECTED]>:

> * AJ <[EMAIL PROTECTED]>:
> > Can this be applied to any 2.1 release? I am running 2.1 at the moment.
>
> The patch is very small, so I'd think yes.
Re: [Mailman-Users] Re: Critical security update for Mailman 2.1.5
Patch seems ok on 2.1. Is there a way to test if it's working and we are protected? Maybe someone can respond offlist with a test URL of some kind that would trigger a log in the mischief log. Thanks.

On Feb 10, 2005, at 8:17 AM, [EMAIL PROTECTED] wrote:

> > Am I correct in assuming the attack only allows hackers to access (read) files?
> > Yes, I understand that if they can read/get mailman passwords, they can obviously change lists but nothing more nefarious than that?
>
> they can not only get the passwords, but your subscriber lists. that is, I think, nefarious enough. it means you're one spambot away from handing over all your users to the blackhats.
Re: [Mailman-Users] Re: Critical security update for Mailman 2.1.5
How can we test that the patch is working? Is there a way to cause the log message to be written to the mischief log? Just want to make sure the patch is working, any help would be great. Thanks.

On Feb 10, 2005, at 8:17 AM, [EMAIL PROTECTED] wrote:

> > Am I correct in assuming the attack only allows hackers to access (read) files?
> > Yes, I understand that if they can read/get mailman passwords, they can obviously change lists but nothing more nefarious than that?
>
> they can not only get the passwords, but your subscriber lists. that is, I think, nefarious enough. it means you're one spambot away from handing over all your users to the blackhats.
Re: [Mailman-Users] Re: Critical security update for Mailman 2.1.5
This also stripped it down for me. I do not see any logs in error or mischief. How can I get it to actually log the attempt so I know this is working? Thanks.

Quoting Tokio Kikuchi <[EMAIL PROTECTED]>:

> AJ wrote:
> > How can we test that the patch is working? Is there a way to cause the log message to be written to the mischief log? Just want to make sure the patch is working, any help would be great.
>
> Principally, add /../ in your browser's url box after authenticating yourself for the private archive page:
>
> http://your.host/mailman/private/yourlist/../
>
> But my browser is clever enough to strip this to
>
> http://your.host/mailman/private/ :-<
>
> Note that this is not an exploit. You will find other malicious attempts in logs/error.
>
> --
> Tokio Kikuchi, tkikuchi@ is.kochi-u.ac.jp
> http://weather.is.kochi-u.ac.jp/
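Since a browser collapses the /../ before the request ever leaves it, the place where such attempts become visible is the HTTP server's access log rather than Mailman's own logs. The scanner below is an added illustration for this thread, not part of Mailman or of the CAN-2005-0202 patch; it assumes Apache "combined" log format and the /mailman/private/ URL prefix, and the log lines are constructed samples.

```python
"""Spot private-archive traversal attempts in the HTTP server's access log.

Added illustration; not Mailman code. Assumes Apache "combined" log format
and Mailman's /mailman/private/ URL prefix. SAMPLE_LOG is constructed.
"""
import posixpath
import re
from urllib.parse import unquote

PRIVATE_PREFIX = "/mailman/private/"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')


def decoded_path(raw_path):
    """Strip the query string and percent-decode twice (catches %252e%252e)."""
    path = raw_path.split("?", 1)[0]
    return unquote(unquote(path))


def suspicious(raw_path):
    """True for a private-archive request carrying a '..' segment, or one that
    no longer resolves under /mailman/private/ once normalised."""
    path = decoded_path(raw_path)
    if PRIVATE_PREFIX not in path:
        return False
    if ".." in path.split("/"):
        return True
    # normpath drops the trailing slash, so add it back before comparing
    return not (posixpath.normpath(path) + "/").startswith(PRIVATE_PREFIX)


def scan_log(lines):
    """Return (client_ip, raw_path, status) for every suspicious request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and suspicious(m.group("path")):
            hits.append((m.group("ip"), m.group("path"), int(m.group("status"))))
    return hits


# Constructed sample: a normal archive read, two traversal attempts, one unrelated hit.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Feb/2005:08:17:01 -0800] "GET /mailman/private/mylist/2005-February/000001.html HTTP/1.1" 200 4120
203.0.113.9 - - [10/Feb/2005:08:18:44 -0800] "GET /mailman/private/mylist/../../../somefile HTTP/1.1" 404 312
203.0.113.9 - - [10/Feb/2005:08:18:51 -0800] "GET /mailman/private/mylist/%2e%2e/%2e%2e/somefile HTTP/1.1" 404 312
203.0.113.7 - - [10/Feb/2005:08:20:02 -0800] "GET /mailman/listinfo/mylist HTTP/1.1" 200 2210
"""

if __name__ == "__main__":
    for ip, path, status in scan_log(SAMPLE_LOG.splitlines()):
        print(ip, status, path)
```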
[Mailman-Users] Problem with list_lists
Hi, I am having an issue with the list_lists command, as well as the listinfo CGI. Also, when running the check_db script, it starts to go through the lists, then stops with the same error below after about 6 lists. My question is that something seems to be wrong with a list database somewhere, but what list? What order do these programs parse the lists? Running the list_admins command also bombs after going through the same 6 lists. I need to know what the next list is that these commands parse. That is most likely the bad list. Any help would be appreciated.

AJ

Here is the output from list_lists.

Traceback (most recent call last):
  File "bin/list_lists", line 122, in ?
    main()
  File "bin/list_lists", line 94, in main
    mlist = MailList.MailList(n, lock=0)
  File "/listserv/Mailman/MailList.py", line 101, in __init__
    self.Load()
  File "/listserv/Mailman/MailList.py", line 573, in Load
    dict, e = self.__load(file)
  File "/listserv/Mailman/MailList.py", line 546, in __load
    dict = loadfunc(fp)
cPickle.UnpicklingError: could not find MARK
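Rather than working out which list the tools reach seventh, every list's pickle can be tried independently and the failing one named directly. This is an added script, not a Mailman utility; it assumes the Mailman 2 layout lists/<listname>/config.pck with config.pck.last as the previously saved copy, and the fixture in demo() is constructed.

```python
"""Find which Mailman 2 list database fails to unpickle.

Added illustration, not a Mailman tool. Assumes the Mailman 2 layout
lists/<listname>/config.pck, with config.pck.last as the previous copy.
"""
import os
import pickle
import tempfile


def load_config(path):
    """Unpickle one config file; latin1 lets Python 3 read Python 2 strings."""
    with open(path, "rb") as fp:
        return pickle.load(fp, encoding="latin1")


def find_bad_lists(lists_dir):
    """Try every list's config.pck and return [(name, error, backup_loads)].

    Every list is checked, so the answer does not depend on the order in
    which list_lists or check_db happen to walk the directory.
    """
    bad = []
    for name in sorted(os.listdir(lists_dir)):
        pck = os.path.join(lists_dir, name, "config.pck")
        if not os.path.isfile(pck):
            continue
        try:
            load_config(pck)
        except Exception as exc:  # UnpicklingError, EOFError, ...
            try:
                backup_loads = bool(load_config(pck + ".last"))
            except Exception:
                backup_loads = False
            bad.append((name, repr(exc), backup_loads))
    return bad


def demo():
    """Constructed fixture: a healthy list and one with a truncated pickle."""
    base = tempfile.mkdtemp()
    config = {"real_name": "Announce", "members": {"a@example.org": 0}}
    blob = pickle.dumps(config, protocol=2)
    for name in ("announce", "broken-list"):
        os.makedirs(os.path.join(base, name))
    with open(os.path.join(base, "announce", "config.pck"), "wb") as fp:
        fp.write(blob)
    with open(os.path.join(base, "broken-list", "config.pck"), "wb") as fp:
        fp.write(blob[:10])  # cut off mid-stream, like a damaged file
    with open(os.path.join(base, "broken-list", "config.pck.last"), "wb") as fp:
        fp.write(blob)
    return find_bad_lists(base)


if __name__ == "__main__":
    for name, err, backup_loads in demo():
        print(name, err, "config.pck.last loads" if backup_loads else "no usable backup")
```

Run it against the real lists directory with `find_bad_lists("/listserv/lists")` (path assumed from the traceback's install prefix); a list whose backup loads is a candidate for restoring config.pck.last over the damaged file.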
[Mailman-Users] Re: protecting the web interface against subscription spam
I've tried to enable the reCaptcha by setting the keys in mm_cfg.py and the list subscribe page does not display the reCaptcha checkbox. This is the case on new and old lists. I've confirmed the following is added to templates/en/listinfo.html

None of the old lists have custom listinfo.html pages. Any clue on where else to look?

Thanks
AJ

On Fri, Mar 5, 2021 at 9:44 AM Brian Carpenter wrote:

> On 3/5/21 9:31 AM, jor...@gmail.com wrote:
> > currently we get inundated with abuse complaint mails because our
> > mailman instance is targeted by spambots who for whatever reason try to
> > subscribe to the lists at our side with addresses belonging to someone
> > else, and when mailman sends out the confirmation email, this is
> > considered spam by the recipient and occasionally reported as abuse.
> >
> > At https://www.ralfj.de/blog/2018/06/02/mailman-subscription-spam.html
> > I found the hint that in /etc/mailman/mm_cfg.py, one should set
> > SUBSCRIBE_FORM_SECRET to a random string which will trigger mailman to
> > embed a CSRF token into the subscription form.
> >
> > This, unfortunately, hasn't helped. The abuse mail complaints kept
> > coming.
> >
> > On the same page I found the note that you can also embed a captcha.
> > However I have not found instructions on how to do this.
> >
> > If this is really the case, could somebody give me a link to where I
> > can find the instructions?
>
> Depending upon what version of Mailman 2 you are running, you can add
> the following to your mailman_install_dir/Mailman/mm_cfg.py
>
> BLOCK_SPAMHAUS_LISTED_IP_SUBSCRIBE = Yes
> RECAPTCHA_SITE_KEY = "recaptcha site key"
> RECAPTCHA_SECRET_KEY = "recaptcha secret key"
>
> What version of Mailman 2 are you running?
>
> --
> Brian Carpenter
> Harmonylists.com
> Emwd.com

--
Mailman-Users mailing list -- mailman-users@python.org
To unsubscribe send an email to mailman-users-le...@python.org
https://mail.python.org/mailman3/lists/mailman-users.python.org/
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives:
https://www.mail-archive.com/mailman-users@python.org/
https://mail.python.org/archives/list/mailman-users@python.org/
[Mailman-Users] Re: protecting the web interface against subscription spam
Keys set properly in mm_cfg.py. I am on Mailman 2.1.34.

mm_cfg.py:

SUBSCRIBE_FORM_SECRET = "xxx"
BLOCK_SPAMHAUS_LISTED_IP_SUBSCRIBE = Yes
BLOCK_SPAMHAUS_LISTED_DBL_SUBSCRIBE = Yes
RECAPTCHA_SITE_KEY = 'xxx'
RECAPTCHA_SECRET_KEY = 'xxx'

View source of page, I see this, with the correct site key:

This form requires JavaScript.
https://www.google.com/recaptcha/api.js?hl=en

On Fri, Mar 5, 2021 at 4:38 PM Mark Sapiro wrote:

> On 3/5/21 1:24 PM, AJ wrote:
> > I've tried to enable the reCaptcha by setting the keys in mm_cfg.py and the
> > list subscribe page does not display the reCaptcha checkbox.
> > This is the case on new and old lists. I've confirmed the following is
> > added to templates/en/listinfo.html
> >
> > None of the old lists have custom listinfo.html pages.
> > Any clue on where else to look?
>
> Have you set the keys as
>
> RECAPTCHA_SITE_KEY = '...'
> RECAPTCHA_SECRET_KEY = '...'
>
> capitalized and spelled correctly?
>
> Is Javascript enabled in your browser? If not, you should see
>
> This form requires JavaScript.
>
> instead of the recaptcha.
>
> If you view the source of the page in your browser, what do you see?
>
> --
> Mark Sapiro The highway is for gamblers,
> San Francisco Bay Area, California better use your sense - B. Dylan
[Mailman-Users] Re: protecting the web interface against subscription spam
Just confirmed, the mailman server can reach the Google reCaptcha URL. I also tried different browsers. I do see the ReCaptcha on here: https://mail.python.org/mailman/listinfo/

Do I need any other python modules for this?

On Fri, Mar 5, 2021 at 7:38 PM Mark Sapiro wrote:

> On 3/5/21 3:35 PM, Al Brussey wrote:
> > Yes they are v2 keys.
> >
> >> On Mar 5, 2021, at 5:28 PM, Mark Sapiro wrote:
> >>
> >> On 3/5/21 2:10 PM, AJ wrote:
> >>>
> >>> View source of page, I see this, with the correct site key:
> >>>
> >>> This form requires JavaScript.
> >>> src="https://www.google.com/recaptcha/api.js?hl=en"
> >>> data-sitekey="xxx"
> >>
> >> Are your keys for recaptcha v2 - v3 doesn't work with Mailman
>
> Well, the relevant code is in the form. This is exactly the same except
> for the data-sitekey value as for example the various lists at
> <https://mail.python.org/mailman/listinfo/> and it works there.
>
> Have you tried different browsers? Do you see anything on the page
> between "Would you like to receive list mail batched in a daily digest?"
> and the Subscribe button? What happens if you submit the form?
>
> --
> Mark Sapiro The highway is for gamblers,
> San Francisco Bay Area, California better use your sense - B. Dylan
[Mailman-Users] Re: protecting the web interface against subscription spam
Sure will do. Thanks so much.

On Mon, Mar 8, 2021 at 11:37 AM Brian Carpenter wrote:

> On 3/8/21 11:27 AM, AJ wrote:
> > Just confirmed, the mailman server can reach the Google reCaptcha URL.
> > I also tried different browsers. I do see the ReCaptcha on here:
> > https://mail.python.org/mailman/listinfo/
> >
> > Do I need any other python modules for this?
>
> I am leaning very heavily towards something wrong with the HTML code for
> your listinfo page. The error (if I remember correctly) is saying that
> the verification is failing which I assume is because the recaptcha UI
> element is missing. Can you send me your entire listinfo html code in a
> text file off-list so I can compare it with one of my hosted Mailman 2
> lists where I know the recaptcha UI element is showing?
>
> --
> Brian Carpenter
> Harmonylists.com
> Emwd.com
[Mailman-Users] Re: protecting the web interface against subscription spam
Just to close this out. It wound up being a Content Security Policy on the apache server. Thanks to all for their help.

On Fri, Mar 5, 2021 at 9:32 PM Mark Sapiro wrote:

> On 3/5/21 6:14 PM, Al Brussey wrote:
> > There is nothing between the digest question and the submit button.
> >
> > When I submit the form, I get this:
> >
> > reCAPTCHA validation failed: missing-input-response
>
> That's the expected response in this case.
>
> Have you tried different browsers? Is there a firewall or something that
> could be interfering with getting the recaptcha from
> https://www.google.com/recaptcha/api.js?hl=en ?
>
> --
> Mark Sapiro The highway is for gamblers,
> San Francisco Bay Area, California better use your sense - B. Dylan
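The resolution above (a Content Security Policy that blocked the reCAPTCHA script, leaving only the "This form requires JavaScript." fallback and a missing-input-response on submit) can be checked without a browser by evaluating the policy header against the script URL. This is an added illustration, not Mailman code; both policies are constructed samples, and the allow-list in FIXED_CSP follows Google's published reCAPTCHA CSP guidance, which should be verified against current documentation.

```python
"""Check whether a Content-Security-Policy would block the reCAPTCHA script.

Added illustration, not Mailman code. The listinfo page loads
https://www.google.com/recaptcha/api.js; if script-src (or the default-src
fallback) does not allow it, the widget never renders.
"""
from urllib.parse import urlparse

RECAPTCHA_SCRIPT = "https://www.google.com/recaptcha/api.js?hl=en"


def parse_csp(header):
    """'a b; c d e' -> {'a': ['b'], 'c': ['d', 'e']}"""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def source_matches(source, url, page_origin):
    """Match one CSP source expression against a URL (subset of CSP3 rules)."""
    u = urlparse(url)
    source = source.lower().strip("'")
    if source == "self":
        return urlparse(page_origin).netloc == u.netloc
    if source == "*":
        return True
    if source.endswith(":"):                 # scheme source, e.g. https:
        return u.scheme == source[:-1]
    if "://" not in source:                  # host-only source: scheme not constrained here
        source = u.scheme + "://" + source
    s = urlparse(source)
    host_ok = s.hostname == u.hostname or (
        s.hostname.startswith("*.") and u.hostname.endswith(s.hostname[1:]))
    path_ok = s.path in ("", "/") or u.path.startswith(s.path)
    return s.scheme == u.scheme and host_ok and path_ok


def script_allowed(header, url=RECAPTCHA_SCRIPT, page_origin="https://lists.example.org"):
    """True if script-src (falling back to default-src) permits the script URL."""
    policy = parse_csp(header)
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return True                          # policy says nothing about scripts
    return any(source_matches(src, url, page_origin) for src in sources)


# Constructed samples: the first reproduces the thread's symptom, the second
# follows Google's published reCAPTCHA CSP guidance (verify against current docs).
BLOCKING_CSP = "default-src 'self'; script-src 'self'"
FIXED_CSP = ("default-src 'self'; "
             "script-src 'self' https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/; "
             "frame-src https://www.google.com/recaptcha/ https://recaptcha.google.com/recaptcha/")
```

The header to feed in is the Content-Security-Policy value Apache sends for the listinfo page; frame-src matters as well because the widget itself renders in an iframe.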
[Mailman-Users] new setup
Hey all,

I'm in the midst of a project, but need to get the steps worked out individually. My server is a Ubuntu box, with LAMPP setup as the apache/mySQL software. I installed mailman by doing the whole configuring myself as opposed to apt-get due to having to integrate it into lampp.

Anyway, I have it set up, and it seems like it should be working. I get the confirmation messages when I add some of my e-mail accounts. The problem lies, however, in the fact that when I send e-mails to accounts that I've set up, they don't go through. Neither do they go through when I send them via the web interface. I'm curious how the registration e-mails come through and not any of the others. I'd love some help on this.

Some more info:
hosting over a cable connection using a no-ip.com dynamic DNS service.
using mailman 2.1.7
Apache/2.0.54 (Unix) mod_ssl/2.0.54 OpenSSL/0.9.8 PHP/5.0.5 DAV/2 mod_perl/2.0.1 Perl/v5.8.7

Thanks for the help
-AJ Peck

PS, I'm not a linux guru, so it's possible I messed up in the install somewhere, but didn't realize it.