Unexpected password reminder from this list

Hi,
Last night at 11:15 or so, I received a password reminder from Mailman-users, with my correct password. Only problem is, I never requested such a reminder. Did anyone else get one, was someone testing something with a random sample of subscribers, or was I targeted (not realizing that they'd have to hack my Email account to get the password)?
Thanks,
Jayson

Hello
On 06.08.2018 at 10:22, Jayson Smith wrote:
> Last night at 11:15 or so, I received a password reminder from Mailman-users, with my correct password. Only problem is, I never requested such a reminder. Did anyone else get one, was someone testing something with a random sample of subscribers, or was I targeted (not realizing that they'd have to hack my Email account to get the password)?
Password reminders are enabled on List level. Each admin of a list can set that. You can disable monthly reminders in the listinfo page after login with your list credentials.
Kind regards, Christian Mack

Hi again,
This was not a monthly password reminder. It specifically said that "You—or someone posing as you—has requested" this password reminder.
Jayson
On 8/6/2018 5:52 AM, mailman-admin wrote:
> Hello
> On 06.08.2018 at 10:22, Jayson Smith wrote:
>> Last night at 11:15 or so, I received a password reminder from Mailman-users, with my correct password. Only problem is, I never requested such a reminder. Did anyone else get one, was someone testing something with a random sample of subscribers, or was I targeted (not realizing that they'd have to hack my Email account to get the password)?
> Password reminders are enabled on List level. Each admin of a list can set that. You can disable monthly reminders in the listinfo page after login with your list credentials.
> Kind regards, Christian Mack

On August 6, 2018 3:14:05 AM PDT, Jayson Smith <jaybird@bluegrasspals.com> wrote:
> Hi again,
> This was not a monthly password reminder. It specifically said that "You—or someone posing as you—has requested" this password reminder.
Anyone can request a password reminder for any address from either the options or private archive login pages.
-- Mark Sapiro <mark@msapiro.net> Sent from my Not_an_iThing with standards compliant, open source software.

On Mon, 2018-08-06 at 05:33 -0700, Mark Sapiro wrote:
> On August 6, 2018 3:14:05 AM PDT, Jayson Smith <jaybird@bluegrasspals.com> wrote:
>> Hi again,
>> This was not a monthly password reminder. It specifically said that "You—or someone posing as you—has requested" this password reminder.
> Anyone can request a password reminder for any address from either the options or private archive login pages.
What's your thoughts on adding reCAPTCHA to the 2nd half of the listinfo page in order to mitigate some of that?
-Jim P.

On 08/06/2018 02:08 PM, Jim Popovitch via Mailman-Users wrote:
> What's your thoughts on adding reCAPTCHA to the 2nd half of the listinfo page in order to mitigate some of that?
I don't want google to know about my users and I don't want people to unblock google in order to get passwords
-- So many immigrant groups have swept through our town that Brooklyn, like Atlantis, reaches mythological proportions in the mind of the world - RI Safir 1998 http://www.mrbrklyn.com
DRM is THEFT - We are the STAKEHOLDERS - RI Safir 2002 http://www.nylxs.com - Leadership Development in Free Software http://www2.mrbrklyn.com/resources - Unpublished Archive http://www.coinhangout.com - coins! http://www.brooklyn-living.com
Being so tracked is for FARM ANIMALS and extermination camps, but incompatible with living as a free human being. -RI Safir 2013

On Mon, 2018-08-06 at 16:20 -0400, Ruben Safir wrote:
> On 08/06/2018 02:08 PM, Jim Popovitch via Mailman-Users wrote:
>> What's your thoughts on adding reCAPTCHA to the 2nd half of the listinfo page in order to mitigate some of that?
> I don't want google to know about my users and I don't want people to unblock google in order to get passwords
I don't disagree with that, and I understand where you're coming from. I wish Redhat/Ubuntu/Debian would take the lead on an alternative.
-Jim P.

On 08/06/2018 11:08 AM, Jim Popovitch via Mailman-Users wrote:
> On Mon, 2018-08-06 at 05:33 -0700, Mark Sapiro wrote:
>> Anyone can request a password reminder for any address from either the options or private archive login pages.
> What's your thoughts on adding reCAPTCHA to the 2nd half of the listinfo page in order to mitigate some of that?
At this point I have no interest. I think most "other address" password requests are either inadvertence, curiosity, or malice on the part of humans.
If and when I see evidence of massive robotic reminder requests, I may rethink this, but I note that the implementation of reCAPTCHA on the web subscribe form on all Mailman 2.1 @python.org lists didn't seem to make much of a dent in the bogus web subscribes we were seeing despite the fact that the form must first be retrieved by GET and then the POST can't come too soon thereafter.
-- Mark Sapiro <mark@msapiro.net> The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan
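
The "form must first be retrieved by GET and then the POST can't come too soon thereafter" check mentioned above can be built from a timestamped HMAC token in a hidden form field. The sketch below is an added example, not Mailman's code and not part of the original post; the function names, the secret and the delay values are assumptions chosen for illustration.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-secret"  # assumption: a per-site random secret
MIN_DELAY = 5     # seconds; a POST sooner than this is treated as scripted
MAX_AGE = 3600    # seconds; older forms must be fetched again


def _mac(issued_at, remote_addr, listname):
    # Bind the token to the time of the GET, the client address and the list.
    msg = f"{issued_at}:{remote_addr}:{listname}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def issue_token(remote_addr, listname, now=None):
    """Called when the form is served by GET; goes into a hidden field."""
    issued_at = int(time.time() if now is None else now)
    return f"{issued_at}:{_mac(issued_at, remote_addr, listname)}"


def check_token(token, remote_addr, listname, now=None):
    """Called on POST. Returns (accepted, reason)."""
    now = int(time.time() if now is None else now)
    try:
        ts_text, mac = token.split(":", 1)
        issued_at = int(ts_text)
    except (AttributeError, ValueError):
        return False, "malformed"
    expected = _mac(issued_at, remote_addr, listname)
    # Verify the MAC before trusting the timestamp, in constant time.
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return False, "bad-mac"
    age = now - issued_at
    if age < MIN_DELAY:
        return False, "too-soon"
    if age > MAX_AGE:
        return False, "expired"
    return True, "ok"
```

A client that fetches the form and waits out the delay before posting passes this check, so it only filters scripts that post blindly or replay stale forms.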

On Mon, 2018-08-06 at 19:00 -0700, Mark Sapiro wrote:
> On 08/06/2018 11:08 AM, Jim Popovitch via Mailman-Users wrote:
>> What's your thoughts on adding reCAPTCHA to the 2nd half of the listinfo page in order to mitigate some of that?
> At this point I have no interest. I think most "other address" password requests are either inadvertence, curiosity, or malice on the part of humans.
> If and when I see evidence of massive robotic reminder requests, I may rethink this, but I note that the implementation of reCAPTCHA on the web subscribe form on all Mailman 2.1 @python.org lists didn't seem to make much of a dent in the bogus web subscribes we were seeing despite the fact that the form must first be retrieved by GET and then the POST can't come too soon thereafter.
Ack. FWIW, I think that's a healthy attitude about this.
Thanks,
-Jim P.