mischief: Login failure with private rosters

Hi all,
I keep seeing "Login failure with private rosters" errors in my mischief logs. Some are accepted as being valid, but others seem to be unrelated to private archives and more likely to be failure to login to unsubscribe or change options. I haven't directly asked any of the users, however I have some inside knowledge on what a few of the users are doing since I know their email addresses are changing. That knowledge, coupled with the fact that their particular list only has public archives, makes me believe there may be an error in the log message in Mailman v2.1.7. The mischief logs don't identify which list the login failure occurs with, so it is difficult to know for sure. Has anyone else experienced similar?
-Jim P.

Jim Popovitch wrote:
> I keep seeing "Login failure with private rosters" errors in my mischief logs. Some are accepted as being valid, but others seem to be unrelated to private archives and more likely to be failure to login to unsubscribe or change options. I haven't directly asked any of the users, however I have some inside knowledge on what a few of the users are doing since I know their email addresses are changing. That knowledge, coupled with the fact that their particular list only has public archives, makes me believe there may be an error in the log message in Mailman v2.1.7. The mischief logs don't identify which list the login failure occurs with, so it is difficult to know for sure. Has anyone else experienced similar?
This is a normal message. It probably should specify the list but it doesn't. It has nothing to do with public/private archives. It has to do with whether the membership roster is available to anyone or not. I.e., the Privacy options...->Subscription rules->private_roster setting. If the roster is not available to anyone, we are concerned about invalid login attempts to the options page.
If, for example, we just said 'invalid password' to the user who attempts to login with a bad password, someone could use that response to verify whether or not an address was subscribed to the list, thus at least partially defeating the privacy of the membership list, so we just tell the user the login is unsuccessful, but not why, and we log the event in 'mischief' in case it is really part of an attempt to probe the membership list.
In most cases, these log entries are really legitimate options page login attempts by members who forgot or mistyped their password.
-- 
Mark Sapiro <msapiro@value.net>
San Francisco Bay Area, California
The highway is for gamblers, better use your sense - B. Dylan
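The behaviour Mark describes, as an added illustration that is not Mailman's own code: when the roster is private, a failed options-page login gets one generic message whether the address is unknown or the password is wrong, and the attempt is written to the mischief log; when the roster is public, a specific message is harmless. The names `ListConfig`, `authenticate`, `leaks_membership` and the message wording are assumptions made for this example, and the member data is constructed.

```python
"""Added example modelling the private_roster login behaviour discussed in
this thread. It is not Mailman code; class and function names are assumed."""
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumed wording; Mailman's actual text differs.
GENERIC_FAILURE = "Authentication failed."
# Dummy secret compared against when the address is unknown, so the time
# taken does not reveal membership either.
DUMMY_SECRET = "no-such-member"


@dataclass
class ListConfig:
    name: str
    # Models Privacy options... -> Subscription rules -> private_roster.
    private_roster: bool
    # address -> password (constructed sample data for the example)
    members: Dict[str, str]
    mischief_log: List[str] = field(default_factory=list)


def authenticate(cfg: ListConfig, address: str, password: str) -> Optional[str]:
    """Return None on success, otherwise the message shown to the user."""
    stored = cfg.members.get(address)
    candidate = stored if stored is not None else DUMMY_SECRET
    match = hmac.compare_digest(candidate.encode(), password.encode())
    if stored is not None and match:
        return None
    if cfg.private_roster:
        # Do not distinguish "not a member" from "wrong password": either
        # answer would let a caller test whether an address is subscribed.
        # The example includes the list name the thread notes is missing.
        cfg.mischief_log.append(
            f"{cfg.name}: Login failure with private rosters: {address}")
        return GENERIC_FAILURE
    # Public roster: membership is not a secret, so a precise message is fine.
    if stored is None:
        return f"{address} is not a member of {cfg.name}."
    return "Invalid password."


def leaks_membership(cfg: ListConfig, member: str, stranger: str) -> bool:
    """Check used by the example: True if a bad-password attempt for a real
    member and for an unknown address produce different messages."""
    return authenticate(cfg, member, "x") != authenticate(cfg, stranger, "x")


if __name__ == "__main__":
    private = ListConfig("demo-list", True, {"alice@example.com": "s3cret"})
    public = ListConfig("demo-list", False, {"alice@example.com": "s3cret"})
    print("private roster leaks:", leaks_membership(private, "alice@example.com", "nobody@example.com"))
    print("public roster leaks:", leaks_membership(public, "alice@example.com", "nobody@example.com"))
    print("\n".join(private.mischief_log))
```

Run stand-alone it reports that the private-roster configuration gives identical answers for a member and a stranger, while the public-roster one does not, and prints the two mischief lines the probe produced. The mischief entries from the private list are, as Mark says, indistinguishable from a member mistyping a password; the log exists so an operator can notice a burst of them rather than to judge any single one.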

Mark Sapiro wrote:
> This is a normal message. It probably should specify the list but it doesn't. It has nothing to do with public/private archives. It has to do with whether the membership roster is available to anyone or not. I.e., the Privacy options...->Subscription rules->private_roster setting. If the roster is not available to anyone, we are concerned about invalid login attempts to the options page.
> If, for example, we just said 'invalid password' to the user who attempts to login with a bad password, someone could use that response to verify whether or not an address was subscribed to the list, thus at least partially defeating the privacy of the membership list, so we just tell the user the login is unsuccessful, but not why, and we log the event in 'mischief' in case it is really part of an attempt to probe the membership list.
> In most cases, these log entries are really legitimate options page login attempts by members who forgot or mistyped their password.
Hi Mark,
Thank you. I see the error was on my lack of clearly reading the error message. ;-)
Thanks,
-Jim P.