[Mailman-Users] mischief: Login failure with private rosters

Mark Sapiro msapiro at value.net
Tue Mar 14 07:02:12 CET 2006


Jim Popovitch wrote:
>
>I keep seeing "Login failure with private rosters" errors in my mischief 
>logs.  Some are accepted as being valid, but others seem to be unrelated 
>to private archives and more likely to be failure to log in to 
>unsubscribe or change options.  I haven't directly asked any of the 
>users, however I have some inside knowledge on what a few of the users 
>are doing since I know their email addresses are changing.  That 
>knowledge, coupled with the fact that their particular list only has 
>public archives, makes me believe there may be an error in the log 
>message in Mailman v2.1.7.  The mischief logs don't identify which list 
>the login failure occurs with, so it is difficult to know for sure.  Has 
>anyone else experienced similar?


This is a normal message. It probably should specify the list but it
doesn't. It has nothing to do with public/private archives. It has to
do with whether the membership roster is available to anyone or not.
I.e., the Privacy options...->Subscription rules->private_roster
setting. If the roster is not available to anyone, we are concerned
about invalid login attempts to the options page.

If, for example, we just said 'invalid password' to the user who
attempts to log in with a bad password, someone could use that response
to verify whether or not an address was subscribed to the list, thus
at least partially defeating the privacy of the membership list, so we
just tell the user the login is unsuccessful, but not why, and we log
the event in 'mischief' in case it is really part of an attempt to
probe the membership list.

In most cases, these log entries are really legitimate options page
login attempts by members who forgot or mistyped their password.

-- 
Mark Sapiro <msapiro at value.net>       The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
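
The membership-probing concern described in the reply above, as an added Python example that is not part of the original post and is not Mailman's own code: a login handler whose failure text reveals membership, beside one that gives a single failure text and logs the attempt. The function names, response strings, sample addresses and the list name in the log line are assumptions made for this illustration.

```python
import hmac
import logging

mischief = logging.getLogger("mischief")  # stand-in for Mailman's 'mischief' log

# Constructed sample roster: address -> password (plaintext only to keep the demo short).
MEMBERS = {"alice@example.com": "correct-horse"}


def _check(address, password):
    """True only for a subscribed address with the matching password."""
    stored = MEMBERS.get(address.lower())
    # Run one comparison even for unknown addresses so both cases share a code path.
    ok = hmac.compare_digest((stored or "").encode(), password.encode())
    return stored is not None and ok


def login_leaky(address, password):
    """Before: the failure text depends on whether the address is subscribed."""
    if address.lower() not in MEMBERS:
        return False, "No such member"
    if not _check(address, password):
        return False, "Invalid password"
    return True, "OK"


def login_private_roster(listname, address, password):
    """After: one failure text for every cause, plus a mischief log entry."""
    if _check(address, password):
        return True, "OK"
    # Naming the list in the entry is this example's choice; the post notes
    # that the 2.1.7 message does not identify the list.
    mischief.warning("Login failure with private rosters: %s (list: %s)",
                     address, listname)
    return False, "Login unsuccessful"


def responses_differ(login, *prefix):
    """True if a wrong password is answered differently for a member and a non-member."""
    member = login(*prefix, "alice@example.com", "wrong")
    stranger = login(*prefix, "mallory@example.com", "wrong")
    return member != stranger
```

`responses_differ(login_leaky)` is true, which is the oracle the reply describes; with `login_private_roster` the two answers are identical and both attempts land in the log.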



