Mailman 3 June 2025 - Mailman-Users

Subscription Attacks
by David Andrews July 14, 2025

July 14, 2025

My system is undergoing a subscription attack. This made the mail queue grow alarmingly, and because the software is trying to respond to bad addresses, it has caused Microsoft to block us completely and they refuse to remove the block right now. We are taking steps to improve situation, have adjusted Exim so it doesn't retry mails so often, MS objected to volume and irregularity of mail from us. We are also looking at setting hourly rates, although not sure where to set them Captchas aren't a good solution as we have many thousands of blind, and deaf-blind users. There is stuff about the "secret form?" would this work? If I understand it, the IP must match. Then there is stuff about the life of the form? Do both conditions have to be true.? Many of our users do not return a form quickly, they are not that good with their assistive technology! The writing suggests five seconds, that would never work for us. Are there other things we can do to get us out of this mess? Thanks in advance! Dave

3 4

Encoding issues on 2.1.39
by Gabriele Carioli June 28, 2025

June 28, 2025

I've recently upgraded an ancient 2.1.12 mailman installation to 2.1.39 and noticed an encoding issue, when adding users via add_members. Steps to reproduce and fix the issue: 1. Put these accented user names in an utf-8 file (users-utf-8.txt): Těst Accénti <test(a)dominio.it> Mariò Rosśi <mario.rossi(a)dominio.it> 2. Set un a dummy list "dummylist" with it(alian) and en(glish) as languages 3. Set italian as main language 4. remove_members --all -n -N dummylist 5. add_members -a n -w n -r users-utf-8.txt dummylist You will see garbage and encoding problems in the output, which you will see also on the web interface. 6. Switch the main language to en(glish). 7. Repeat 4&5: no garbage 8. I've edited /usr/lib/mailman/messages/it/LC_MESSAGES/mailman.po, setting "Content-Type: text/plain; charset=UTF-8\n" and saved it as utf-8. Then I've recompiled mailman.mo from the modified mailman.po 9. Switch the main language to it(alian). 10. Repeat 4&5: no garbage Not sure it this might affect also other languages.

2 1

Malicious web subscription requests
by Jayson Smith June 25, 2025

June 25, 2025

Hi, Earlier this evening I received a Yahoo! spam/abuse report, and I'm glad I did since it let me know there was a problem. I quickly discovered that somebody (or maybe more than one somebody) was using the Mailman subscribe form to request subscription for many Email addresses. According to my outgoing Sendmail logs, many of these addresses were being rejected, unknown user. This of course suggests that these particular malicious actors probably bought/acquired/harvested an out-of-date mailing list. Anyway I wanted to stop this immediately, as sending this type of Email is undesirable in any event. Needing a quick fix, what I did was to rename the subscribe executable in /usr/lib/mailman/cgi-bin to something nonsensical, then write a shell script as /usr/lib/mailman/cgi-bin/subscribe which cats an HTML document explaining that web subscriptions are currently unavailable and why. I know there's been lots of discussion about the topic of malicious web subscribes in the past. However, with the two lists I run, there's a special situation. Almost all people subscribing to these lists are blind, so a visual CAPTCHA is entirely inappropriate. Are there any other countermeasures I can take? Thanks, Jayson

5 5

Upgrade instructions
by G. Armour Van Horn June 7, 2025

June 7, 2025

I have a couple of Mailman lists on a server happily running 2.1.9 but I am also a moderator on a very active list that's running on 2.1.12. I do not host this list, just volunteer because I have some experience with Mailman. That list has started to get some significant bounces due to the DMARC issue that isn't addressed in this older version. The host intends to upgrade so that we can address that but they report that they haven't been able to make archives searchable in their experimentation with 2.1.16. I don't know if that search function is part of the more recent versions of Pipermail or if they've installed something else. I'm nervous about attempting to upgrade, given the paucity of documentation for that, particularly the fact that it tells me to use the same configuration options I used for the current install and I haven't a clue what those might have been. If I could find some more robust upgrade docs I'd like to try the upgrade in case I could contribute anything to the problem with the large list. Today I had to clear the bounce flags on 47 members. Not all that hard, but tedious. Van -- ---------------------------------------------------------- Sign up now for Quotes of the Day, a handful of quotations on a theme delivered every morning. Enlightenment! Daily, for free! http://www.qotd.org/subscribe.html For photography, web design, hosting, and maintenance, visit Van's home page: http://www.domainvanhorn.com/van/ -----------------------------------------------------------

4 4