Re: [Mailman-Developers] Mailing lists exploited
On 05/12/2017 05:13 AM, Jonathan Knight wrote:
Maybe listing administrator email addresses needs to be a thing of the past.
It's not done in Mailman 3.
For mailman 2.1, the administrator email addresses are a mailto: link that goes to the LISTNAME-owner address, but the email addresses are exposed and only mildly obfuscated ('@' -> ' at ').
I would consider adding a configuration option to either obfuscate the addresses further (e.g. drop the domain entirely) or replace the text with something like "Listname list run by listname-owner@example.com".
WDOT?
-- Mark Sapiro <mark@msapiro.net>
San Francisco Bay Area, California
The highway is for gamblers, better use your sense - B. Dylan
On May 15, 2017, at 11:03 AM, Mark Sapiro wrote:
It's not done in Mailman 3.
For mailman 2.1, the administrator email addresses are a mailto: link that goes to the LISTNAME-owner address, but the email addresses are exposed and only mildly obfuscated ('@' -> ' at ').
I would consider adding a configuration option to either obfuscate the addresses further (e.g. drop the domain entirely) or replace the text with something like "Listname list run by listname-owner@example.com".
I'm a little confused by the OP. Is it:
A message to the posting address From: LISTNAME-owner@example.com is not being moderated? I would expect it to be since that address is not a member of the list.
Emailing To: LISTNAME-owner@example.com directly which would end up spamming the list owners?
MM3 doesn't currently moderate messages sent to the list owners, but it could. Messages to -owners flow through a different, shorter chain of rules and pipeline, but I've always thought that that would be configurable.
-Barry
On 05/15/2017 03:19 PM, Barry Warsaw wrote:
I'm a little confused by the OP. Is it:
A message to the posting address From: LISTNAME-owner@example.com is not being moderated? I would expect it to be since that address is not a member of the list.
Emailing To: LISTNAME-owner@example.com directly which would end up spamming the list owners?
I don't think it's either. I think it is scraping the list owner addresses from the LISTNAME run by joe at example.com line on the web UI pages, s/ at /@/ and spoofing that address as the sender of a spam post to the list.
-- Mark Sapiro <mark@msapiro.net>
San Francisco Bay Area, California
The highway is for gamblers, better use your sense - B. Dylan
Mark is right.
The spamming process was to scrape the listinfo page and locate the "list is run by" line and then de-obfuscate the "j.knight at keele.ac.uk" into "j.knight@keele.ac.uk". Then an email was faked using j.knight@keele.ac.uk as the sender to see if the list is either unmoderated or whether the administrator had set their own email address as unmoderated on a moderated list.
There's not a lot that can be done to protect against that other than changing the "list is run by" so that the administrator's real email address isn't obvious.
Jon.
On 15 May 2017 at 23:19, Barry Warsaw <barry@list.org> wrote:
On May 15, 2017, at 11:03 AM, Mark Sapiro wrote:
It's not done in Mailman 3.
For mailman 2.1, the administrator email addresses are a mailto: link that goes to the LISTNAME-owner address, but the email addresses are exposed and only mildly obfuscated ('@' -> ' at ').
I would consider adding a configuration option to either obfuscate the addresses further (e.g. drop the domain entirely) or replace the text with something like "Listname list run by listname-owner@example.com".
I'm a little confused by the OP. Is it:
A message to the posting address From: LISTNAME-owner@example.com is not being moderated? I would expect it to be since that address is not a member of the list.
Emailing To: LISTNAME-owner@example.com directly which would end up spamming the list owners?
MM3 doesn't currently moderate messages sent to the list owners, but it could. Messages to -owners flow through a different, shorter chain of rules and pipeline, but I've always thought that that would be configurable.
-Barry
Mailman-Developers mailing list
Mailman-Developers@python.org
https://mail.python.org/mailman/listinfo/mailman-developers
Mailman FAQ: http://wiki.list.org/x/AgA3
Searchable Archives: http://www.mail-archive.com/mailman-developers%40python.org/
Unsubscribe: https://mail.python.org/mailman/options/mailman-developers/j.knight%40keele.ac.uk
Security Policy: http://wiki.list.org/x/QIA9
-- Jonathan Knight
IT Services
Keele University
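The following is an added example and not Mailman's own code: it sketches the configurable "list run by" rendering Mark proposes above (the current ' at ' form, dropping the domain, or pointing at the -owner alias) together with a self-check that applies the trivial ' at ' -> '@' reversal Jon describes, so an administrator can confirm a chosen setting no longer exposes a real owner address. All function and mode names are hypothetical.

```python
import re
from typing import Iterable

# Hypothetical display modes for the listinfo "run by" line (not Mailman option names).
OWNER_DISPLAY_MODES = ("mild", "drop_domain", "owner_alias")


def obfuscate_mild(addr: str) -> str:
    """The Mailman 2.1 behaviour described in the thread: '@' becomes ' at '."""
    return addr.replace("@", " at ")


def render_run_by(listname: str, domain: str, owners: Iterable[str], mode: str = "mild") -> str:
    """Render the 'LISTNAME list run by ...' line under the chosen display mode."""
    owners = list(owners)
    if mode == "mild":
        shown = ", ".join(obfuscate_mild(o) for o in owners)
    elif mode == "drop_domain":
        # Only the local part is shown; the domain never reaches the page.
        shown = ", ".join(o.split("@", 1)[0] for o in owners)
    elif mode == "owner_alias":
        # Point readers at the -owner alias rather than any real mailbox.
        shown = f"{listname}-owner@{domain}"
    else:
        raise ValueError(f"unknown display mode {mode!r}")
    return f"{listname} list run by {shown}"


def exposes_owner(rendered: str, owners: Iterable[str]) -> bool:
    """Self-check for a setting: does undoing ' at ' -> '@' in the rendered
    line recover any real owner address? True means the page still leaks it."""
    deobfuscated = re.sub(r" at ", "@", rendered)
    return any(o in deobfuscated for o in owners)


if __name__ == "__main__":
    # Constructed sample data, not real list owners.
    owners = ["jane@example.com"]
    for mode in OWNER_DISPLAY_MODES:
        line = render_run_by("mylist", "example.com", owners, mode)
        print(f"{mode:12} leaks={exposes_owner(line, owners)!s:5} {line}")
```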