
Wayne Cook <wcook@mycoachonline.com> wrote:
Change the list configuration so that all subscribers are moderated. And then set each current subscriber to "moderated" via one click on the membership admin web page.
Barry S. Finkel Computing and Information Systems Division Argonne National Laboratory Phone: +1 (630) 252-7277 9700 South Cass Avenue Facsimile:+1 (630) 252-4601 Building 240, Room 5.B.8 Internet: BSFinkel@anl.gov Argonne, IL 60439-4828 IBMMAIL: I1004994

On Wed, 16 Dec 2009, Barry Finkel wrote:
And of course unmoderate the list admin and anyone else you want to be able to post.
You should also probably set the list to reject posts from moderated members, otherwise you'll need to manually process posts from anyone who tries to post.
Geoff.

Geoff Shang wrote:
And of course unmoderate the list admin and anyone else you want to be able to post.
This is not good advice. Everyone should be moderated and posters should use an Approved: <password> header to post. Otherwise, it's too easy for an unauthorized poster to spoof an authorized address. Spammers even do it accidentally.
Yes. This is all covered in the FAQ at <http://wiki.list.org/x/3YA9>.
-- Mark Sapiro <mark@msapiro.net> The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan

Hi,
You're right in that I did forget the Approved: approach, as I didn't know about it until recently.
However, thinking about it further, there's one thing I don't like about it. It's OK if the people posting are list admins or moderators, but if you have others who should be able to post to the list, you don't necessarily want to give them all the admin or moderator password. An additional password for this purpose would perhaps be called for here, one that's only used to allow posts through without granting any other access.
Geoff.

On Fri, 2009-12-18 at 18:17 +0200, Geoff Shang wrote:
Is there some reason that you, as admin, can't just un-set their moderation flag?
-- Lindsay Haisley |"Fighting against human | PGP public key FMP Computer Services | creativity is like | available at 512-259-1190 | trying to eradicate |<http://pubkeys.fmp.com> http://www.fmp.com | dandelions" | | (Pamela Jones) |

Hi,
Yes I can clear their moderation flag, and in fact this is what I first suggested, but my message was in response to a message from Mark who was putting forward the position that this was a bad idea and that it's better to post using the Approved: header instead.
Geoff.

On Fri, 2009-12-18 at 18:34 +0200, Geoff Shang wrote:
I don't entirely agree with Mark on this. I generally offer my customers the option of using either mechanism, with the caveat that using the mod flag is potentially less secure.
You have two moderation passwords, one for "administrators" and one for "moderators". Either will work in an "Approved" header or pseudo-header. If you don't designate any moderators, then only the administrator password is effective. There's no reason you couldn't designate a group of moderators and give them the password, and then change it administratively if their service is no longer needed.
--
Lindsay Haisley | "Never expect the people who caused a problem
FMP Computer Services | to solve it." - Albert Einstein
512-259-1190 |
http://www.fmp.com |

Lindsay Haisley wrote:
FWIW, I was recommending the Approved: <password> approach in the context of a reply where the OP said "I only want the list administrator to be able to post messages to the list".
I agree that in the case where you have authorized posters who are not necessarily admins or moderators that controlling posting by unmoderating posters and/or accept_these_nonmembers is appropriate although still subject to spoofing. It all depends on the list.
Just to be clear, the presence or absence of an email address in the owner or moderator attributes of a list has nothing to do with who can do what. It only controls where notices are sent and what appears in web page footers.
It is quite possible to set a moderator password without adding any addresses to 'moderator', and anyone who knows that password can post an Approved: or Urgent: message and log in to the admindb page.
See the FAQ at <http://wiki.list.org/x/5YA9>.
-- Mark Sapiro <mark@msapiro.net> The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan

On Fri, 2009-12-18 at 11:00 -0800, Mark Sapiro wrote:
I'm aware of this, but it does bring up another question, which, in my own cowardly way, I was trying to avoid dealing with ;-/
I assume that if one sets up a new list and doesn't set a moderator password, then only the administrator can use an "Approved:" [pseudo]header and there's no default moderator password. If one sets up a moderator password then either will work. I (naively) assumed that deleting all moderator email addresses _might_ thereby render the moderator password ineffective, but in my guts, I knew it probably wasn't so.
Is there any way to nullify the moderator password altogether? Does submitting the passwords page with an empty field for the mod pw accomplish this?
-- Lindsay Haisley | "The difference between | PGP public key FMP Computer Services | a duck is because one | available at 512-259-1190 | leg is both the same" | http://pubkeys.fmp.com http://www.fmp.com | - Anonymous |

Lindsay Haisley wrote:
You can't remove a moderator password through the GUI. You could always enter some obscure string that you will immediately forget, and that's probably as good, but if you really want to remove it, you have to set
mod_password = None
via bin/withlist or bin/config_list.
-- Mark Sapiro <mark@msapiro.net> The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan
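
The trade-off argued in this thread, as an added example that is not part of any poster's message and is not Mailman's own code: a simplified Python model of the posting decision, comparing "unmoderate the poster's address" with "everyone moderated, post with Approved: <password>", and showing the effect of mod_password = None. ListModel, decide, the example.org addresses and the SHA-256 digest are assumptions of this model.

```python
import hashlib
import hmac
from email import message_from_string
from email.utils import parseaddr

def digest(pw):
    # Model's choice of hash; the list keeps digests, not plaintext.
    return hashlib.sha256(pw.encode()).hexdigest()

class ListModel:
    """Simplified stand-in for a list's posting settings (hypothetical)."""
    def __init__(self, admin_pw, mod_pw=None, unmoderated=(), moderator=()):
        self.password = digest(admin_pw)
        self.mod_password = digest(mod_pw) if mod_pw else None
        self.unmoderated = {a.lower() for a in unmoderated}
        self.moderator = list(moderator)  # notice recipients; never consulted

def approved_value(msg):
    """Password from an Approved: header, else from a first-line pseudo-header."""
    if msg["Approved"] is not None:
        return msg["Approved"].strip()
    if msg.is_multipart():
        return None
    for line in msg.get_payload().splitlines():
        if line.strip():  # only the first non-blank body line counts
            name, sep, value = line.partition(":")
            if sep and name.strip().lower() == "approved":
                return value.strip()
            return None
    return None

def decide(cfg, raw):
    msg = message_from_string(raw)
    supplied = approved_value(msg)
    if supplied is not None:
        for stored in (cfg.password, cfg.mod_password):
            # mod_password = None means the moderator password is nullified
            if stored and hmac.compare_digest(stored, digest(supplied)):
                return "accept: valid Approved password"
    sender = parseaddr(msg.get("From", ""))[1].lower()
    if sender in cfg.unmoderated:
        return "accept: From address is unmoderated"  # header is not authenticated
    return "reject: moderated sender"

def post(sender, body, approved=None):
    head = "From: %s\nSubject: notice\n" % sender
    if approved:
        head += "Approved: %s\n" % approved
    return head + "\n" + body

# Constructed configurations: posting by mod flag vs. posting by password.
ADMIN = "admin@example.org"
by_flag = ListModel("adm-pw", unmoderated=[ADMIN])
by_password = ListModel("adm-pw", mod_pw="mod-pw", moderator=["helper@example.org"])

if __name__ == "__main__":
    print(decide(by_flag, post(ADMIN, "hello")))
    print(decide(by_password, post(ADMIN, "hello")))
    print(decide(by_password, post("x@example.net", "hello", approved="mod-pw")))
```

In the model, the flag-based list accepts on the From header alone, while the password-based list ignores both the From header and the moderator address list and accepts only a matching password.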

participants (6): b19141@anl.gov, Geoff Shang, Geoff Shang, Lindsay Haisley, Lindsay Haisley, Mark Sapiro