[Mailman-Developers] add to FAQ? - mailman full raw archive mboxes not anti-spammed

boud boud1 at wp.pl
Wed Feb 18 18:06:27 EST 2004 

hi mailman people, terri,

  i looked for information regarding   archtocnombox.html  relating to 
the problem of a full raw mbox archive being non-antispammed, but couldn't
find any discussion.  It's clear somebody has thought about it, since 
the file exists.

Are there any plans (or any options already present) to have the full
raw mbox archive, but corrected for "@" -> " at " (maybe other obvious
corrections too), to be made available like the raw spammable version
is available if the  archtocnombox.html  template is not chosen?

It seems to me that this should be made an obvious option - or else
that the default should be that the full raw archive .mbox is *not*
available.

At least, could info on this be added to the FAQ somewhere, so that 
people can easily find out what has already been done? E.g.

> 11.2 What does Mailman do to help protect me from unsolicited bulk
> email (spam)?  
http://www.list.org/mailman-member/node40.html

i've added a comment on barry warsaw's wiki pages:
http://zope.org/Members/bwarsaw/MailmanDesignNotes/MailmanProblems

and below is my own analysis.

thanks
boud (convert from sympa to mailman ;)

PS: Sorry if this should be to mailman-users rather than mailman-developers,
but it seems to me like a developers' issue.

----------------------------------------------------------------------

SPAM PROBLEM:
HYPOTHESIS
SOLUTION 2.1.4

HACK SOLUTION 2.0.11 (AND PROBABLY 2.1.1)
(1) remove link to *.mbox in /var/lib/mailman/Mailman/Archiver/HyperArch.py
(2) remove compiled versions HyperArch.py[oc]
(3) test on an archive (e.g. imc-pl-tech ;)
(4) make the *.mbox/*.mbox files inaccessible (since google links remain)
(5) think about newlist s (maybe nothing needs doing)


SPAM PROBLEM:
------------

i think this is a known spam problem - by default, it looks like the
archive files linked under "download the full raw archive" like the
following etc are NOT antispammed:

http://lists.mydomain.org/mailman/public/mylist.mbox/mylist.mbox

It seems to be present in 2.0.11 and 2.1.1 


HYPOTHESIS
----------
IMHO the reason why this is probably not easy to solve is that this
is where mail is automatically saved when it's received. If this is 
filtered by " at " -> "@" then it means that overall there are typically 4
copies of the entire mailbox (e.g. html version, monthly archives, 
true mailbox with @ hidden from external access, and " at " version 
for web access).

i couldn't find if this has been discussed, but it looks like there's a 
simple solution in 2.1.4.


SOLUTION 2.1.4
--------------
It looks like the solution in mailman-2.1.4 is to offer different templates:

mailman-2.1.4/templates/en/archtoc.html
mailman-2.1.4/templates/en/archtocentry.html
mailman-2.1.4/templates/en/archtocnombox.html   ->  this one has no mbox

e.g.
http://mail.python.org/pipermail/mailman-announce/  has no *.mbox/*.mbox
In fact, 
http://mail.python.org/pipermail/mailman-announce.mbox/
exists but nothing in it is accessible.

HACK SOLUTION 2.0.11 (AND PROBABLY 2.1.1)
----------------------------------------

In 2.0.11, the line pointing to the .mbox is in 

/var/lib/mailman/Mailman/Archiver/HyperArch.py  (for Debian anyway ;)

      You can get <a href="%(listinfo)s">more information about this list</a>
      or you can <a href="%(fullarch)s">download the full raw archive</a>
      (%(size)s).
     </p>

solution:

(1) remove the link to the full .mbox  in
/var/lib/mailman/Mailman/Archiver/HyperArch.py

To do this, 

replace

      You can get <a href="%(listinfo)s">more information about this list</a>
      or you can <a href="%(fullarch)s">download the full raw archive</a>
      (%(size)s).
     </p>

by

      You can get <a href="%(listinfo)s">more information about this list.</a>
     </p>


(2) remove compiled versions (in my case the .pyc gets automatically recompiled)

rm /var/lib/mailman/Mailman/Archiver/HyperArch.py[co]

(3) test this

cd /var/lib/mailman/archives/public/
/usr/lib/mailman/bin/arch mylist

Then check out:
http://lists.mydomain.org/pipermail/mylist/

Hopefully there will be no link to the .mbox and even direct access will
be impossible.

(4) make the .mbox files inaccessible - since google links will still 
hang around for some time
chmod go-rw /var/lib/mailman/archives/private/*.mbox/*.mbox

(5) probably nothing needed when running   newlist  for new lists.

Making new lists will, by default, write *.mbox/*.mbox which are web
accessible, but nobody is going to link to them (unless paranoid,
deliberately wants to subject indymedia users to spam, ...)


anti-spam solidarity
boud


----------------------------------------------------------------------

More information about the Mailman-Developers mailing list