Mailman 3 February 2011 - Mailman-Developers

before next release: disable backscatter in default installation
by Jo Rhett 07 Nov '22

07 Nov '22

Hi. There's a fairly simple problem here that needs to be addressed. And it's mostly a documentation/install problem. I'm hoping we can get this resolved before the next release. PROBLEM: Mailman comes out of the box ready to backscatter spam people. Yes, it's easy enough to fix. But because it comes stock this way, and is documented to install this way, most people install it to do this. Those of us who work in abuse departments are tired of hearing "well that's how Mailman works". We also object to having to teach people how to fix their mailman installations because it's not documented in the current manual. This is *exactly* like Sendmail 14 years ago. We didn't accept it then, and Sendmail fixed the problem. RESOLUTION: Mailman default installation should not backscatter in a default configuration. 1. Don't create backscatter aliases for subscribe/unsubscribe/etc by default. Nearly everyone uses web based signup. 2. Discard or hold messages from non-subscribers by default. I would think that it would be perfectly reasonable to have documentation on how to enable the 1980s-style -request / -subscribe etc aliases. However this documentation should have a note that this is against the AUP of nearly every network provider, and enabling it will likely cause them to get listed in various blacklists as a backscatter source. FYI: I know that this goes against the instincts of many old-time mailing list advocates here. But after dealing with a 10k/hour backscatter DoS my tolerance for this problem is understandably limited. Yes, it was a sweet day back in the 1980s. I was running a mailing list server and several UUCP gateways at the time, so I remember them well. But those days are past, and we need to deal with the reality of today. -- Jo Rhett Net Consonance : consonant endings by net philanthropy, open source and other randomness

21 168

Re: [Mailman-Developers] mailman and DKIM
by Ian Eiloart 28 Feb '11

28 Feb '11

--On 24 February 2011 19:36:31 -0800 "Murray S. Kucherawy" <msk(a)cloudmark.com> wrote: > Hi, > > I'm authoring a document within the DKIM working group at the IETF to > talk about the use of DKIM in the context of mailing lists. I believe > one or more of you is already at least monitoring the working group > traffic on that topic, and thanks for that. > > Mailing Lists Managers legitimately modify messages sent through them. > (After all, lists are, essentially, re-posting a new message and they can > do what they want.) DKIM has a minimal feature that attempts to allow a > signature to survive transiting mailing lists, by ignoring text added to > the end. > > A suggestion has come up that I'd like to bounce off of you. We're > interested in doing a better job of surviving the transit. That means > that DKIM would have to adjust to other modifications made by MLMs, such > as altering Subject: field contents. I think this is only valuable for users of ADSP. Other people would expect their signatures to break, and be supplemented with a good signature generated by the list server. > What a few of us would like to explore is the idea of collaborating with > the MLM community to develop a profile for MLM message modifications that > DKIM can be enhanced to survive. For example, a new canonicalization > algorithm might tolerate the addition of a "[...]" string at the > beginning of a Subject line. We would document this profile and MLM > implementers can choose to support it. > > This would be a voluntary and cooperative effort. DKIM signers would > have one more configuration choice. MLM operators would have a special > kind of profile that could apply to a list. Or not. > > Our initial discussions have come up with a few idea. No doubt some are > unworkable, but they should at least serve to get further discussion > going: > > 1) add a way to DKIM to have small Subject: modifications be tolerated; > something like "exclude from the signed portion any leading text in the > Subject: field that is contained within square brackets and includes only > letters, numbers, hyphens and underscores, to a maximum of 32 > characters", which would allow MLMs to add a short token such as the list > name for use by receivers in mailbox sorting but would make it tough for > abusers to put a URI there; Perhaps you could modify the syntax of the h= tag, to allow, say [12]+subject+[5] to mean that 12 unknown characters may prefix the signed header, and 5 may follow, provided they are bracketed. I'd suggest only permitting bracketed additions, so perhaps this could be expressed as 12+subject+5 instead. I suppose all of this might break existing implementations, so perhaps a separate tag would be required. > 2) encourage people to sign with "l=" tags, but recommend that receivers > enforce a policy that says any appended text must be no more than a > couple of lines long and contain no URLs, or some other similar > restriction; Maybe the l= syntax could be extended. Eg, l=12544+512 would mean "I'm signing 12544 octets, and permitting the addition of a further 512 > > 3) explore ways to increase use and utility of the List-* header fields. Well, if the sender knows that the list is going to add a List-ID header, then it could add that before signing. I doubt this would scale well, though. > I'd like to hear your views on such an approach and any other suggestions > you may have. As a representative of The OpenDKIM Project, which is used > by AOL and Yahoo to perform DKIM verifications, I can say we're in a > position to conduct some real experiments and get the code out to a wide > distribution if we come up with something that has the potential to be > successful. > > Let me know what you think. > > Cheers, > -MSK > > > _______________________________________________ > Mailman-Developers mailing list > Mailman-Developers(a)python.org > http://mail.python.org/mailman/listinfo/mailman-developers > Mailman FAQ: http://wiki.list.org/x/AgA3 > Searchable Archives: > http://www.mail-archive.com/mailman-developers%40python.org/ Unsubscribe: > http://mail.python.org/mailman/options/mailman-developers/iane%40sussex.a > c.uk > > Security Policy: http://wiki.list.org/x/QIA9 -- Ian Eiloart IT Services, University of Sussex 01273-873148 x3148 For new support requests, see http://www.sussex.ac.uk/its/help/

2 1

Re: [Mailman-Developers] mailman and DKIM
by Mark Sapiro 25 Feb '11

25 Feb '11

Murray S. Kucherawy wrote: > >1) add a way to DKIM to have small Subject: modifications be tolerated; something like "exclude from the signed portion any leading text in the Subject: field that is contained within square brackets and includes only letters, numbers, hyphens and underscores, to a maximum of 32 characters", which would allow MLMs to add a short token such as the list name for use by receivers in mailbox sorting but would make it tough for abusers to put a URI there; Some MLMs will add a subject prefix other than at the beginning or will move an existing prefix. E.g. Subject: Re: Something becomes Subject: Re: [List] Something or Subject: Re: [List] Something becomes Subject: [List] Re: Something Mailman will do the former if mm_cfg.OLD_STYLE_PREFIXING is True and will do the latter if mm_cfg.OLD_STYLE_PREFIXING is False. >2) encourage people to sign with "l=" tags, but recommend that receivers enforce a policy that says any appended text must be no more than a couple of lines long and contain no URLs, or some other similar restriction; Many lists add short message footers that contain URLs such as a list information or an unsubscribe link. >3) explore ways to increase use and utility of the List-* header fields. > >I'd like to hear your views on such an approach and any other suggestions you may have. As a representative of The OpenDKIM Project, which is used by AOL and Yahoo to perform DKIM verifications, I can say we're in a position to conduct some real experiments and get the code out to a wide distribution if we come up with something that has the potential to be successful. I think there is a good possibility for simple plain text only messages to pass through an MLM without breaking signatures, however, if the original message is more complex and the list filters content, e.g. say a multipart/alternative message has its text/html alternative removed and the message collapsed to a text/plain message containing only the text/plain alternative, I don't see a way for signatures to surve such a transformation. Since many MUAs compose multipart/alternative messages by default without the users necessarily even being aware of it, and many lists transform such messages into simple text/plain messages, I think this will always be an issue. -- Mark Sapiro <mark(a)msapiro.net> The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan

1 0

mailman and DKIM
by Murray S. Kucherawy 24 Feb '11

24 Feb '11

Hi, I'm authoring a document within the DKIM working group at the IETF to talk about the use of DKIM in the context of mailing lists. I believe one or more of you is already at least monitoring the working group traffic on that topic, and thanks for that. Mailing Lists Managers legitimately modify messages sent through them. (After all, lists are, essentially, re-posting a new message and they can do what they want.) DKIM has a minimal feature that attempts to allow a signature to survive transiting mailing lists, by ignoring text added to the end. A suggestion has come up that I'd like to bounce off of you. We're interested in doing a better job of surviving the transit. That means that DKIM would have to adjust to other modifications made by MLMs, such as altering Subject: field contents. What a few of us would like to explore is the idea of collaborating with the MLM community to develop a profile for MLM message modifications that DKIM can be enhanced to survive. For example, a new canonicalization algorithm might tolerate the addition of a "[...]" string at the beginning of a Subject line. We would document this profile and MLM implementers can choose to support it. This would be a voluntary and cooperative effort. DKIM signers would have one more configuration choice. MLM operators would have a special kind of profile that could apply to a list. Or not. Our initial discussions have come up with a few idea. No doubt some are unworkable, but they should at least serve to get further discussion going: 1) add a way to DKIM to have small Subject: modifications be tolerated; something like "exclude from the signed portion any leading text in the Subject: field that is contained within square brackets and includes only letters, numbers, hyphens and underscores, to a maximum of 32 characters", which would allow MLMs to add a short token such as the list name for use by receivers in mailbox sorting but would make it tough for abusers to put a URI there; 2) encourage people to sign with "l=" tags, but recommend that receivers enforce a policy that says any appended text must be no more than a couple of lines long and contain no URLs, or some other similar restriction; 3) explore ways to increase use and utility of the List-* header fields. I'd like to hear your views on such an approach and any other suggestions you may have. As a representative of The OpenDKIM Project, which is used by AOL and Yahoo to perform DKIM verifications, I can say we're in a position to conduct some real experiments and get the code out to a wide distribution if we come up with something that has the potential to be successful. Let me know what you think. Cheers, -MSK

1 0

Re: [Mailman-Developers] Mailman Security Patch Announcement
by David Brown 19 Feb '11

19 Feb '11

Sorry for the n00b moment, but am I correct to think that the way to apply the patch is to issue the command: patch <pathTo_Mailman/cgi/confirm.py> <pathTo_confirm_xss.patch.txt> ...when logged in with appropriate permissions and where each <thingInBrackets> is replaced with the appropriate file path. (I did check to see whether there were instructions posted on the web page. Maybe you included them on a different list.) Thanks, Dave -- David Brown dave(a)aasv.org ; webmaster(a)aasv.org -----Original Message----- From: mailman-developers-bounces+dave=aasv.org(a)python.org [mailto:mailman-developers-bounces+dave=aasv.org@python.org] On Behalf Of Mark Sapiro Sent: Friday, February 18, 2011 11:02 AM To: Mailman Announce; Mailman i18n; Mailman Users; Mailman Developers Subject: Re: [Mailman-Developers] Mailman Security Patch Announcement -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 2/13/2011 1:58 PM, Mark Sapiro wrote: > An XXS vulnerability affecting Mailman 2.1.14 and prior versions has > recently been discovered. A patch has been developed to address this > issue. The patch is small, affects only one module and can be applied > to a live installation without requiring a restart. > > In order to accommodate those who need some notice before applying > such a patch, the patch will be posted on Friday, 18 February at about > 16:00 GMT to the same four lists to which this announcement is addressed. The vulnerability has been assigned CVE-2011-0707. The patch is attached as confirm_xss.patch.txt. - -- Mark Sapiro <mark(a)msapiro.net> The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (MingW32) iD8DBQFNXpf1VVuXXpU7hpMRAs1nAJ97r3VEu5b5jl4JhdNv3r6x+ElqjQCghU+w Gp0hqWatECAYyAIL7IH9dGk= =8U6M -----END PGP SIGNATURE-----

3 3

Mailman Security Patch Announcement
by Mark Sapiro 19 Feb '11

19 Feb '11

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 An XXS vulnerability affecting Mailman 2.1.14 and prior versions has recently been discovered. A patch has been developed to address this issue. The patch is small, affects only one module and can be applied to a live installation without requiring a restart. In order to accommodate those who need some notice before applying such a patch, the patch will be posted on Friday, 18 February at about 16:00 GMT to the same four lists to which this announcement is addressed. - -- Mark Sapiro <mark(a)msapiro.net> The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (MingW32) iD8DBQFNWFQIVVuXXpU7hpMRAixMAJ9CvXBKvSkkF6JAj9qfnPVOQBOz9QCg/ASx RKTuYnogMT0S96GqSclcXyY= =l9sU -----END PGP SIGNATURE-----

3 3