Autoresponder and privacy

I've just moved a discussion group from majordomo to Mailman and posted the first message to the group. So far, I've had one autoresponder message sent back. Thankfully, from what I can see, it only came to me and not to the list address, so hasn't started to loop.
But I've a problem over preserving members' privacy. The list of subscribers isn't available to other list members. So unless someone posts a message in the discussion, when their email address will show up in headers, I'm the only person who knows who's registered. And some people will be concerned that stays the case.
But the autoresponder message came from someone using their work email so it includes their name, job and contact details. It doesn't matter this time, as it came to me. But as soon as someone else posts to the group, I assume they'll get the same out of office message.
I can warn everyone about this and suggest that, if they don't want their details revealed, they only use an address that they won't set out of office. But is there anything else I can do? Privacy is important in our group so I would like to do what I can, rather than leaving people who didn't realise about this vulnerable. Meantime, I may unsubscribe this person so no-one else gets her out of office message.
Not a problem with a loop, thankfully. (Yet? Maybe I'd better put some filters in pronto!)
I'd be grateful for advice.
Thanks
Clare

Clare Redstone wrote:
Any autoresponder that responds to a list post is by definition broken. List posts are sent with "Precedence: list" and autoresponders aren't supposed to respond to such messages. Also, autoresponders shouldn't respond to the same address more than once within some period like a day or a week. Finally, an autoresponder should reply to the From: or Reply-To: address (although some badly broken autoresponders may respond to the Sender: or the envelope sender). Thus, if your list doesn't mung Reply-To:, no autoresponder should ever respond to the list posting address.
Note that parts of the above apply only to individual posts. For digests, the From: is the LIST-request address, so if a broken autoresponder responds to a digest, the response will probably go to the -request address possibly generating a "results of your email commands" message from Mailman, but not if the autoresponse is Precedence: bulk, junk or list as it should be. In those cases, it will be discarded.
OK
That's probably true, but if list lurkers choose to use broken autoresponders that may reveal their address to a list poster and are upset about that, that's really their problem. What do they do about all the spam they autorespond to? Do they care about that?
I appreciate your desire to protect your users' privacy, but I think there's little beyond a warning that you can do. Rather than unsubscribing the user, you could just set him/her to no mail. You could also suggest to people that are concerned that they could set themselves to no mail.
> Not a problem with a loop, thankfully. (Yet? Maybe I'd better put some filters in pronto!)
As I indicate above, a mail loop is very unlikely if you don't mung Reply-To:. Yes, there could be some brain dead autoresponders out there that respond to Precedence: list messages, send the autoresponse to the To: address (or Reply-To: if you mung it), and send multiple responses to the same address, but I think this is rare.
That's not to say that you shouldn't try to filter, but it's not easy.
You could set all members moderated and new members moderated by default and then clear each poster's moderate bit as they post. Clearing the moderate bit is just a checkbox in the admindb interface when approving the post. That way, a lurker's autoresponse could never make it to the full list.
-- Mark Sapiro <mark@msapiro.net> The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan
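
The three rules in the reply above, as an added example that is not part of the original thread and not Mailman's code: an autoresponder's decision logic run over constructed list posts, showing where a responder that ignores "Precedence: list" sends its reply with and without a list-set Reply-To:. The addresses, the one-day interval and the `honor_precedence` switch are assumptions made for the illustration.

```python
from datetime import datetime, timedelta
from email import message_from_string
from email.utils import getaddresses

# Precedence values that a well-behaved autoresponder never answers.
NO_REPLY_PRECEDENCE = {"bulk", "junk", "list"}
# Assumption: the post only says "some period like a day or a week".
MIN_INTERVAL = timedelta(days=1)

# Constructed sample messages; all addresses are placeholders.
LIST_HEADERS = (
    "From: Alice <alice@example.org>\n"
    "To: group@lists.example.org\n"
    "Sender: group-bounces@lists.example.org\n"
    "Subject: [group] hello\n"
    "Precedence: list\n"
)
PLAIN_POST = LIST_HEADERS + "\nHello everyone.\n"
MUNGED_POST = (LIST_HEADERS + "Reply-To: group@lists.example.org\n"
               + "\nHello everyone.\n")
DIRECT_MAIL = ("From: bob@example.net\nTo: member@example.com\n"
               "Subject: hi\n\nHi.\n")


def reply_target(msg):
    """Reply-To: if present, else From:. Sender: is never consulted."""
    for header in ("Reply-To", "From"):
        addrs = [a for _, a in getaddresses(msg.get_all(header, [])) if a]
        if addrs:
            return addrs[0].lower()
    return None


def should_autorespond(msg, last_sent, now, honor_precedence=True):
    """Return (target, reason); target is None when nothing is sent.

    last_sent maps address -> time of the previous autoresponse.
    honor_precedence=False models the broken responder in the thread.
    """
    precedence = (msg.get("Precedence") or "").strip().lower()
    if honor_precedence and precedence in NO_REPLY_PRECEDENCE:
        return None, "precedence:" + precedence
    target = reply_target(msg)
    if target is None:
        return None, "no-target"
    previous = last_sent.get(target)
    if previous is not None and now - previous < MIN_INTERVAL:
        return None, "rate-limited"
    last_sent[target] = now
    return target, "reply"


def list_post_demo():
    """Compare a compliant and a broken responder on both list setups."""
    now = datetime(2011, 4, 6, 9, 0)
    results = {}
    for name, raw in (("plain", PLAIN_POST), ("munged", MUNGED_POST)):
        msg = message_from_string(raw)
        results[name] = {
            "compliant": should_autorespond(msg, {}, now),
            "broken": should_autorespond(msg, {}, now,
                                         honor_precedence=False),
        }
    return results


def rate_limit_demo():
    """Same correspondent writes three times; only two replies go out."""
    sent = {}
    msg = message_from_string(DIRECT_MAIL)
    start = datetime(2011, 4, 6, 9, 0)
    return [
        should_autorespond(msg, sent, start),
        should_autorespond(msg, sent, start + timedelta(hours=2)),
        should_autorespond(msg, sent, start + timedelta(days=2)),
    ]


if __name__ == "__main__":
    for setup, outcome in list_post_demo().items():
        print(setup, outcome)
    print(rate_limit_demo())
```

With the plain post the broken responder mails the poster only, which is the privacy leak discussed in the thread; with the list-set Reply-To: its reply goes to the posting address, where only moderation or a filter keeps it from the whole list.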

Dear Mark,
Thank you for replying so quickly. I don't understand some of the technical stuff to understand why the autoresponder message came to me not the group. But am glad it did! Because we're a discussion group, I have MM set up for reply to the list. But haven't set any of the mung options, or we wouldn't know who messages are from. We have quite a few people with the same forename so it gets confusing.
I don't think most people know that autoresponders can be broken. I didn't until I started running the list and began reading majordomo and mailman users group. And it probably doesn't cross their minds that the autoresponder is replying to spam. Maybe because work email systems seem to trawl out so much spam. In any case, there's nothing they can do about that apart from telling their IT dept when becoming aware of it. At work, you have to have an out of office message when you're away.
I will suggest this person tells her IT dept.
> Rather than unsubscribing the user, you could just set him/her to no mail
Duh! Silly me. Having only just moved from majordomo, which didn't have the no mail option, to Mailman, I completely forgot I could do this. Despite having spent time writing a FAQ for the members which included it. Thanks for the suggestion.
Thanks for this suggestion. Yes, that would solve it for people who never post. There'd still be the possibility of someone posting a message so coming off moderation, then later setting their autoresponder. But I'm reassured that you say loops are rare.
Thanks for your help. Clare
-----Original Message----- From: Mark Sapiro [mailto:mark@msapiro.net] Sent: 05 April 2011 22:28 To: Clare Redstone; mailman-users@python.org Subject: Re: [Mailman-Users] Autoresponder and privacy

Hi!
On Wed, 2011-04-06 at 08:24 +0100, Clare Redstone wrote: [...]
The mail headers are set up so that these types of mail do not go on the mailing list. E.g. consider the case that an email address vanishes and is still subscribed. You don't want the bounce on the ML too.
> Because we're a discussion group, I have MM set up for reply to the list.
That's an entirely different discussion but the standard answer is: please read http://marc.merlins.org/netrants/reply-to-harmful.html, http://www.metasystema.net/essays/reply-to.html and http://woozle.org/~neale/papers/reply-to-still-harmful.html and think about it.
[...]
> That's probably true, but if list lurkers choose to use broken autoresponders that may reveal their address to a list poster and are
If I really want only to lurk, I wouldn't use an autoresponder at all ...
Unfortunately many people at MSFT also do not know it - the one from MS-Outlook, MS-OE or Exchange - or wherever that is from - is seriously broken (as in replying to "Precedence: List" Mails and especially replying to the very same address each time, possibly multiple times a day. For me, that is just another class of spam. Greetings to my Bayes-DB ....).
They probably do not get much spam - especially if they primarily lurk on the public internet and have somewhat sane spam-filters (read: sane postmasters) at work.
Good luck. The standard answer is that it can't be changed within the classical MSFT mail infrastructure (except not using the autoresponder. Actually I do not know why it is important to people to let everyone know, that you are 2 days out of office. If it's not that urgent, it can wait anyways. If it is that urgent, I should - or more must - have done something before to handle these urgent cases.).
[ Full quote deleted. ]
Bernd
Bernd Petrovitsch Email : bernd@petrovitsch.priv.at LUGA : http://www.luga.at

Clare Redstone wrote:
Since autoresponders that reply to list mail are broken by definition, it is not possible to say for sure to what addresses they might respond, but if we assume that the autoresponder won't reply to a To: or Cc: address, the only other 'routing' headers in which the list posting address appears are:
- the From: header if the list is anonymous, and
- the Reply-To: header if the original poster has set it to the list or if the list is set to "reply to list" (this is what I meant by munging the Reply-To:)
Since your list is "reply to list" I'm a little surprised that the autoresponse went to From: and not Reply-To:, but as I said, if something is broken, we can't know all the ways in which it might be broken.
Well, you are munging the Reply-To: in the sense that I meant.
[...]
What you say is true as far as looping is concerned, but for the privacy aspect, the person would have already posted at some point and revealed their posting address in that way, so privacy should be less of a concern for that person.
As far as loops are concerned, we can certainly envision scenarios in which this can happen, but I can't recall a report of any. There are threads in the archives of this list about filtering such messages, but not any of loops as I recall.
-- Mark Sapiro <mark@msapiro.net> The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan

Clare Redstone writes:
As Mark said, this is in some sense the best you can do. It's not really possible to filter on "contact details", although "phone number" could be done (assuming you know that you have a certain country's phone number, and that country isn't Japan, which has almost as many phone number formats as it does phones). But you'd need to moderate and edit the messages by hand; automatically removing contact details is beyond the state of the art at the moment.
> But is there anything else I can do? Privacy is important in our group so I would like to do what I can,
Note that in U.S. law in some jurisdictions, you may be liable for damages if you make an attempt to protect a person and fail[1], while no liability is incurred if you do nothing. Sad but true. Talk to your lawyer.
That said, you can filter out signatures. There's a standard "in message" format, which assumes that everything following a line containing *exactly* two hyphens followed by a space, no more and no less, is a signature. The details of actually removing the signature are somewhat messy (everything in mail is between somewhat messy and "after the bomb hit"), and many people (and the occasional "professional" program) set up the signature wrong, so it's smart-people-proof, but fool-weak. There are other standard ways to set up a signature, too, and you could filter those out as well.
However, automatically editing messages is almost certain to result in lost information at some point, and there is no way to guarantee you'll catch all inadvertent revelations.
> Meantime, I may unsubscribe this person so no-one else gets her out of office message.
Set such subscribers to no-mail, instead. Then they don't lose any personal settings and can turn the list back on for themselves when they return. If there are private archives, they can continue to access those.
Note that Mailman private archives are not terribly secure by default; you might not want to allow access even with in the privacy setting.
Footnotes: [1] It used to be said that in New York City you could tell the lawyers' houses in winter time because they didn't shovel snow off their sidewalks. A shoveled walk is more likely to be icy and slick.
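
The signature convention described above, as an added example that is not part of the original thread and not Mailman's code: it cuts everything after the first line that is exactly two hyphens and a space, and shows on constructed out-of-office messages that a delimiter typed without the trailing space is not recognised. The messages, the addresses and the 555-0100 number are constructed; attachments and HTML parts are left untouched.

```python
from email import message_from_string, policy

SIG_DELIMITER = "-- "  # exactly two hyphens followed by one space


def split_signature(text):
    """Return (body, signature), cutting at the first delimiter line.

    The delimiter line itself is dropped. Line endings are preserved,
    so both LF and CRLF bodies work.
    """
    lines = text.splitlines(keepends=True)
    for index, line in enumerate(lines):
        if line.rstrip("\r\n") == SIG_DELIMITER:
            return "".join(lines[:index]), "".join(lines[index + 1:])
    return text, ""


def strip_signatures(msg):
    """Strip signatures in place from inline text/plain parts.

    Returns the number of parts that were changed.
    """
    changed = 0
    for part in msg.walk():
        if part.is_multipart() or part.get_content_type() != "text/plain":
            continue
        if part.get_content_disposition() == "attachment":
            continue
        body, signature = split_signature(part.get_content())
        if signature:
            part.set_content(body)  # re-encodes the part as UTF-8 text
            changed += 1
    return changed


# Constructed out-of-office replies; only the delimiter line differs.
OOO_HEADERS = (
    "From: member@example.com\n"
    "To: poster@example.org\n"
    "Subject: Out of office\n"
    "Content-Type: text/plain; charset=utf-8\n"
    "\n"
    "I am away until Monday.\n"
)
CONTACT_BLOCK = "A. Member, Job Title\nTel: 555-0100\n"
OOO_STANDARD = OOO_HEADERS + "-- \n" + CONTACT_BLOCK   # correct delimiter
OOO_NO_SPACE = OOO_HEADERS + "--\n" + CONTACT_BLOCK    # set up wrong


def signature_demo():
    """Return {name: (parts_changed, contact_details_still_present)}."""
    results = {}
    samples = (("standard", OOO_STANDARD), ("no_space", OOO_NO_SPACE))
    for name, raw in samples:
        msg = message_from_string(raw, policy=policy.default)
        changed = strip_signatures(msg)
        results[name] = (changed, "555-0100" in msg.get_content())
    return results


if __name__ == "__main__":
    print(signature_demo())
```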

Dear Stephen,
Thank you for your prompt help.
If I've understood you right, it's going to be difficult for me to do anything beyond warn people. Apart from moderate all messages, which would be OK a lot of the time but sometimes we have very talkative days and of course sometimes I'm away. I'm in the UK and don't know what the legal situation is about trying and failing.
> Note that Mailman private archives are not terribly secure by default; you might not want to allow access even with in the privacy setting.
How insecure? Are they more vulnerable than a members-only Yahoo or Google group for example? Are they protected from search engines? Would someone have to make a deliberate effort to hack in to read the archive or could someone come across it by accident, say through a search engine?
I think if it would take someone with some technical knowledge, deliberately looking for it to get in, that would be safe enough. I will add a warning to the FAQ that someone could deliberately hack in and bring it to their attention. One thing I'm suggesting is that people could set up an email account with a nickname so they wouldn't so easily be identified.
Thanks. Clare
-----Original Message----- From: Stephen J. Turnbull [mailto:stephen@xemacs.org] Sent: 06 April 2011 01:10 To: Clare Redstone Cc: mailman-users@python.org Subject: [Mailman-Users] Autoresponder and privacy

Clare Redstone writes:
> How insecure? Are they more vulnerable than a members-only Yahoo or Google group for example?
Probably a little more vulnerable, for social reasons. Your members-only password at Yahoo/Google is your personal mail password; people probably protect those fairly well (although often enough dinner guests can read them off the Post-it on the monitor in the corner ;-). Mailman subscription passwords tend to be easier to guess.
> Are they protected from search engines?
Yes.
> Would someone have to make a deliberate effort to hack in to read the archive
Yes.
> or could someone come across it by accident, say through a search engine?
No.
> I think if it would take someone with some technical knowledge, deliberately looking for it to get in, that would be safe enough.
Stealing a password doesn't take technical knowledge, but it clearly takes evil intent.
> One thing I'm suggesting is that people could set up an email account with a nickname so they wouldn't so easily be identified.
This is a good idea any time you want to preserve a modicum of privacy on the 'net.

participants (4): Bernd Petrovitsch, Clare Redstone, Mark Sapiro, Stephen J. Turnbull