ban member from joining not working

Hello,
Other than setting the email address in the Privacy/Subscription section, is there anything else that needs to be done? It isn't working and the member was able to be subscribed. Any suggestions?
--Rae

Rae wrote:
There's nothing else that needs to be done, but keep in mind that the ban list only bans specific email addresses from subscribing. That is, if you put "user@example.com" in the list, that won't keep user@mail.example.com or users_other_name@example.com or user@yahoo.com from subscribing.
-- Mark Sapiro <msapiro@value.net>, San Francisco Bay Area, California
The highway is for gamblers, better use your sense - B. Dylan

Hello Mark,
Thanks for the response. I did have a specific email address in the ban list and that specific email address was able to subscribe even though the list's subscription is set to confirm. Any ideas as to what else I should look for or do to prevent this from happening again?
Best wishes, Rae
At 10:32 AM 11/26/2005, you wrote:

Rae wrote:
Actually, when I said the ban list only bans specific email addresses from subscribing, I was forgetting that the ban list can also contain regexps, but that isn't the issue here.
The ban list will prevent subscribing a banned address directly, but I think there is a way around it. Namely, if addr1 is banned, a person who can receive confirmations sent to another address can subscribe that address and then change the subscription address to addr1. I haven't verified this, but I think it's true. If so, I think it's a bug.
In your case, you can check Mailman's 'subscribe' log to see if the banned address actually subscribed, or possibly identify a different address that subscribed and was possibly later changed to the banned address. Unfortunately for this investigation, address changes aren't logged or reported.
subscribe_policy = confirm only means the user has to confirm. It has nothing to do with banning per se.
As far as prevention is concerned, be sure that admin_notify_mchanges is Yes so you will be notified of subscribes and unsubscribes (but not address changes), and consider setting subscribe_policy to 'Require approval' or 'Confirm and approve'.
-- Mark Sapiro <msapiro@value.net>, San Francisco Bay Area, California
The highway is for gamblers, better use your sense - B. Dylan

At 10:19 AM 11/28/2005, Mark Sapiro wrote:
The log indicates that the specific address was subscribed and confirmed through the web so that eliminates the "subscribe and change" possibility.
Nov 26 13:47:08 2005 (54395) mylist: new (digest) "archive@mail-archive.com" <The Mail Archive>, via web confirmation
I ran a test trying to subscribe an address that is listed in the ban list. From the listinfo page, the subscription request resulted in a statement that the address was banned. From the listname-subscribe@domain.com, the subscription request received a reply that the address was banned. So the ban is working. I now believe that the subscription was not done in a normal manner but may have been taking advantage of a hole in the program's operations. I'm checking other server logs to get to the bottom of it.
Sidenote: If you don't know who The Mail Archive is, you should take a minute to check it out. If you run any private lists, you definitely do NOT want that address subscribed to it. They operate a site for anyone to subscribe any list for public archiving without the listowner's approval.
Yes, I had that in effect at the time and saw the subscription right after it happened and was able to unsubscribe it. I have now also changed the subscribe_policy to Confirm and Approve. Not real happy with that but it seems that I am forced to do it under the circumstances.
Best wishes, Rae

Rae wrote:
Is there a 'pending' entry for this address in the subscribe log (possibly days) prior to this one? If not, the only way I know for this to happen is via an 'invitation'.
FYI, hits on the ban_list are logged in the 'vette' log.
Please keep me posted (off list if you like) on what you find out regarding this. I'm currently working on tightening this up including not allowing invitations or admin mass subscribes of addresses on the ban_list for Mailman 2.1.7. If there is any 'hole' that I don't know about, I'd like to plug it.
-- Mark Sapiro <msapiro@value.net>, San Francisco Bay Area, California
The highway is for gamblers, better use your sense - B. Dylan
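
The log check discussed in the thread, as an added example that is not part of the original messages and is not Mailman's own code: it scans 'subscribe' log text for "new" entries whose address matches the ban list and reports whether an earlier "pending" entry exists for that address. The "new" line is the one quoted above; the other sample lines, the layout assumed for "pending" lines, and the function names are assumptions.

```python
import re

# Constructed sample of a 'subscribe' log. Only the last line comes from the
# thread; the first two lines and the "pending" layout are assumptions.
SAMPLE_LOG = '''\
Nov 20 09:12:44 2005 (54102) mylist: pending "Alice" <alice@example.org>  192.0.2.10
Nov 20 09:15:02 2005 (54110) mylist: new "alice@example.org" <Alice>, via web confirmation
Nov 26 13:47:08 2005 (54395) mylist: new (digest) "archive@mail-archive.com" <The Mail Archive>, via web confirmation
'''

LINE_RE = re.compile(r'^(?P<ts>\w{3} +\d+ [\d:]+ \d{4}) \(\d+\) '
                     r'(?P<list>[^:]+): (?P<event>pending|new)\b(?P<rest>.*)$')
# Pull the address out wherever it sits, since its position differs between lines.
ADDR_RE = re.compile(r'[\w.+-]+@[\w.-]+\.\w+')

def is_banned(addr, ban_list):
    """Literal entries must equal the whole address; '^' entries are regexps."""
    for entry in ban_list:
        if entry.startswith('^'):
            if re.search(entry, addr, re.IGNORECASE):
                return True
        elif entry.lower() == addr.lower():
            return True
    return False

def audit(log_text, ban_list):
    """List banned addresses that reached 'new', noting any earlier 'pending'."""
    pending, findings = set(), []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        found = ADDR_RE.search(m.group('rest')) if m else None
        if not found:
            continue
        addr = found.group(0).lower()
        key = (m.group('list'), addr)
        if m.group('event') == 'pending':
            pending.add(key)
        elif is_banned(addr, ban_list):
            findings.append({'when': m.group('ts'), 'list': m.group('list'),
                             'address': addr, 'had_pending': key in pending,
                             'whence': m.group('rest').rsplit(', ', 1)[-1]})
    return findings

if __name__ == '__main__':
    for finding in audit(SAMPLE_LOG, ['archive@mail-archive.com']):
        print(finding)
```

A finding with `had_pending` set to False is the case Mark asks about: a banned address that shows up as "new" with no earlier "pending" entry in the log text supplied.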
