[Mailman-Users] ban member from joining not working
rae at gitchee.com
Tue Nov 29 15:48:17 CET 2005

At 10:19 AM 11/28/2005, Mark Sapiro wrote:
>The ban list will prevent subscribing a banned address directly, but I
>think there is a way around it. Namely, if addr1 is banned, a person
>who can receive confirmations sent to another address can subscribe
>that address and then change the subscription address to addr1. I
>haven't verified this, but I think it's true. If so, I think it's a
>In your case, you can check Mailman's 'subscribe' log to see if the
>banned address actually subscribed, or possibly identify a different
>address that subscribed and was possibly later changed to the banned
>address. Unfortunately for this investigation, address changes aren't
>logged or reported.

The log indicates that the specific address was subscribed and
confirmed through the web so that eliminates the "subscribe and

Nov 26 13:47:08 2005 (54395) mylist: new (digest)
"archive at mail-archive.com" <The Mail Archive>, via web confirmation

I ran a test trying to subscribe an address that is listed in the ban
list. From the listinfo page, the subscription request resulted in a
statement that the address was banned. From the
listname-subscribe at domain.com, the subscription request received a
reply that the address was banned. So the ban is working. I now
believe that the subscription was not done in a normal manner but may
have been taking advantage of a hole in the program's operations. I'm
checking other server logs to get to the bottom of it.

Sidenote: If you don't know who The Mail Archive is, you should take
a minute to check it out. If you run any private lists, you
definitely do NOT want that address subscribed to it. They operate a
site for anyone to subscribe any list for public archiving without
the listowner's approval.

>subscribe_policy = confirm only means the user has to confirm. It has
>nothing to do with banning per se.
>
>As far as prevention is concerned, be sure that admin_notify_mchanges
>is Yes so you will be notified of subscribes and unsubscribes (but not
>address changes), and consider setting subscribe_policy to 'Require
>approval' or 'Confirm and approve'.

Yes, I had that in effect at the time and saw the subscription right
after it happened and was able to unsubscribe it. I have now also
changed the subscribe_policy to Confirm and Approve. Not real happy
with that but it seems that I am forced to do it under the circumstances.
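
The check of Mailman's 'subscribe' log suggested in the quoted reply can be scripted; the following is an added example, not part of the original message and not Mailman's own code. It assumes log lines shaped like the entry quoted above (with a real "@" rather than the archive's " at "), assumes ban_list entries beginning with "^" are regular expressions and all others literal addresses, and uses constructed sample data.

```python
import re

# Constructed sample of a 'subscribe' log. The first line follows the shape of
# the entry quoted in the post; all addresses and list names are made up.
SAMPLE_LOG = '''\
Nov 26 13:47:08 2005 (54395) mylist: new (digest) "archive@mail-archive.example" <The Mail Archive>, via web confirmation
Nov 26 14:02:51 2005 (54395) mylist: new alice@example.org, via web confirmation
Nov 27 09:15:30 2005 (54401) mylist: deleted alice@example.org; via the member options page
Nov 27 10:20:00 2005 (54401) otherlist: new Bob@Spam.Example, via email confirmation
'''

# Assumed ban_list semantics: "^" prefix means regular expression, anything
# else is a literal address; both are compared without regard to case.
BAN_LIST = ["archive@mail-archive.example", r"^.*@spam\.example$"]

# timestamp, (pid), list name, then the "new" keyword that marks a subscription
LINE = re.compile(
    r'^(?P<when>\w{3} +\d+ [\d:]{8} \d{4}) \(\d+\) (?P<list>[^:\s]+): new (?P<rest>.*)$')
# first address-like token, with surrounding quotes and punctuation excluded
ADDR = re.compile(r'[^\s"<>,;]+@[^\s"<>,;]+')

def is_banned(addr, ban_list):
    """Return True if addr matches a literal or regex ban_list entry."""
    for entry in ban_list:
        if entry.startswith("^"):
            if re.match(entry, addr, re.IGNORECASE):
                return True
        elif entry.lower() == addr.lower():
            return True
    return False

def banned_subscriptions(log_text, ban_list):
    """Return (timestamp, list, address) for each subscription of a banned address."""
    hits = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # unsubscribes and other entries are not subscriptions
        found = ADDR.search(m.group("rest"))
        if found and is_banned(found.group(0), ban_list):
            hits.append((m.group("when"), m.group("list"), found.group(0)))
    return hits

if __name__ == "__main__":
    for when, listname, addr in banned_subscriptions(SAMPLE_LOG, BAN_LIST):
        print(f"{when}  {listname}  {addr}")
```

Because address changes are not written to this log, as the quoted reply notes, an empty result does not rule out a subscription that was later changed to a banned address.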