Over the last few months, twistedmatrix.com's mailman installation has been used increasingly frequently to execute denial-of-service attacks against people's mailboxes. This is accomplished by sending huge numbers of subscription requests to our website, which in turn sends huge numbers of confirmation emails to their inbox. Based on some information that some targeted users have sent me, I now believe that this is to cause those users' mail quotas to be exceeded so that password reset or login notification emails won't reach them.
This has been going on for some time, but the frequency and severity of the attacks seem to be increasing; I only recently realized that this was considerably worse than an annoyance for those affected. I now have at least 1 confirmed report of this attack being a part of a (partially successful) identity theft.
This isn't the only problem we have with email:
We're running our own infrastructure which puts load on our already beyond-overloaded volunteer system administration team.
Despite running our own infrastructure, we are not dogfooding Twisted at all in the process, so we're not even learning anything useful from the pain; "exim is bad" is a lesson we've already learned many times, we do not need to keep learning it.
Given how hard it is for us to upgrade Mailman in our current system, we aren't even dogfooding our fellow community project terribly well.
Our infrastructure runs on the same host as the website and the buildmaster, overloading a very creaky system.
In addition to mailing lists, we run a mail forwarder. Our server's sender reputation is ... not great. We don't have SPF records, we don't do DKIM, and we don't provide authenticated SMTP for users, so emails just come from "wherever" when they are sent from, e.g. 'glyph(a)twistedmatrix.com' :-).
In order to address this, as soon as I can reasonably manage to do so, I will be moving Twisted's email infrastructure to mailgun.com <http://mailgun.com/>, a product that I've been successfully using for a range of personal domains (in particular, the divmod.com <http://divmod.com/> email forwarder - yes, I still operate that, when the Twisted community promises you an email address for life you get it ;-)). Additionally, Mailgun uses a bunch of Twisted within their infrastructure, so (although we won't be operating it) we will actually be dogfooding considerably more.
(Mailgun is a product of my employer, Rackspace, but they've given us a generous open source discount so there's no conflict of interest; the Twisted project won't be spending money on this.)
There will be a couple of inconveniences immediately after the transition:
At first, there will be no self-service subscription to mailing lists any more. If you want to subscribe, you'll have to send a message to twisted-python-owner(a)twistedmatrix.com <mailto:email@example.com> and the list administrator (right now, probably just me) will manually add your address. (Self-service unsubscription will still be possible.)
I'm not sure if I'll be able to keep the list archives at https://twistedmatrix.com/pipermail/ <https://twistedmatrix.com/pipermail/> updated, at least at first. I would encourage everyone to use http://news.gmane.org/gmane.comp.python.twisted <http://news.gmane.org/gmane.comp.python.twisted> and http://news.gmane.org/gmane.comp.python.twisted.web <http://news.gmane.org/gmane.comp.python.twisted.web> in the meanwhile.
Speaking of the contents of that sad URL, many disused mailing lists will be deleted. I doubt anyone will notice since there haven't been any posts to most of them in many years.
If you presently send email from a twistedmatrix.com <http://twistedmatrix.com/> address, you will probably want to start using the mailgun forwarder so that your messages will have nice shiny DKIM/SPF headers; I suspect you may start having more deliverability problems than you already do once other mail servers notice that we have said records if you're not using them. I'll distribute SMTP credentials via GPG-encrypted email to everyone I'm aware of who uses such an address.
There will be considerable benefits though:
For those of you with @twistedmatrix.com <http://twistedmatrix.com/> addresses, Mailgun operates a pretty conservative low-pass spam filter, but in looking at the analytics from my own personal domains, it really helps a lot and it is definitely more effective than the setup we've got right now.
Deliverability and mail-sending performance should be much improved; messages should arrive faster because they will be quarantined or deferred-bounced by major senders like GMail et. al. far less often, because we'll be forwarding less spam and legitimate messages will have appropriate anti-spam headers.
Trac will get faster at certain times because email DoSes should stop hitting the server.
Administrative overhead will decrease; we can just stop maintaining email ourselves.
Last but certainly not least, we'll stop being a collective unwilling accessory to cybercrime.
Probably these changes will all be pretty subtle, and most folks won't notice, but I wanted it to be clear in advance that they were intentional, in case there is some disruption associated with them :-). If anyone wants to give me a hand with parts of this (for example, setting up a smarthost configuration so that trac can still send email) please let me know.
Another Twisted release is upon us -- this one is small, but has some nice to haves. In this release is:
- twisted.application.internet.ClientService, a service that maintains a persistent outgoing endpoint-based connection -- a replacement for ReconnectingClientFactory that uses modern APIs;
- A large (77% on one benchmark) performance improvement when using twisted.web's client on PyPy;
- A few conch modules have been ported, in preparation for further porting of the SSH functionality;
- Full support for OpenSSL 1.0.2f and above;
- t.web.http.Request.addCookie now accepts Unicode and bytes keys/values;
- `twistd manhole` no longer uses a hard-coded SSH host key, and will generate one for you on the fly (this adds a 'appdirs' PyPI dependency, installing with [conch] will add it automatically);
- Over eighteen tickets overall closed since 16.0.
As usual, you can get the NEWS file at https://twistedmatrix.com/Releases/pre/16.1.0pre1/NEWS.txt and download the tarball from https://twistedmatrix.com/Releases/pre/16.1.0pre1/.
Please test this release with your applications, and let me know if all goes smoothly. If there's no reported issues, the release will occur in roughly a week.
On behalf of Twisted Matrix Laboratories, I am honoured to announce the release of Twisted 16.0!
Twisted 16.0 brings some important changes, and some nice-to-haves as well. The major things are:
- TLS endpoints have arrived! They're like the old `ssl:` endpoints, but support faster IPv4/IPv6 connections (using HostnameEndpoint) and always do hostname verification.
- Conch now uses Cryptography instead of PyCrypto for underlying cryptographic operations. This means it'll work much better on PyPy!
- Headers objects (notably used by t.web.server.Request) now support Unicode for the vast majority of cases, encoding keys to ISO-8859-1 and values to UTF-8.
- WSGI support and AMP have been ported to Python 3, along with a handful of other modules.
- More shedding of the past, with the GTK+ 1 reactor being removed.
- Over 45 tickets have been closed since 15.5.
For more information, check the NEWS file (link provided below).
You can find the downloads at <https://pypi.python.org/pypi/Twisted> (or alternatively <http://twistedmatrix.com/trac/wiki/Downloads>). The NEWS file is also available at <https://github.com/twisted/twisted/blob/twisted-16.0.0/NEWS>.
Many thanks to everyone who had a part in this release - the supporters of the Twisted Software Foundation, the developers who contributed code as well as documentation, and all the people building great things with Twisted!
Amber Brown (HawkOwl)
Twisted Release Manager
exarkun spotted a regression in the 16.0.0 prereleases, where calling endpoints' serverWithString with a SSL strports description and an empty chain file would give an unhelpful error message.
These issues have been fixed and are in Twisted 16.0.0pre3. You can find it and the NEWS file at https://twistedmatrix.com/Releases/pre/16.0.0pre3/ .
If no further issues are identified, Twisted 16.0 will be released this week (for real!).
- Amber Brown
Twisted Release Manager