[Mailman-Users] Obscure addresses problem
antennex at swbell.net
Tue Sep 5 14:56:17 CEST 2006
Brad Knowles <brad at stop.mail-abuse.org> wrote:
At 7:06 PM -0700 2006-09-04, Jack Stone wrote:
> I looked at FAQ 4.4 and the method described there using an external
> archiving tool like MHonArc with Mailman methinks is a monster [...]
It's not as clean as we would like, no. That is an area we are
hoping to improve upon for future releases.
<JLS> Needless for me to say, Mailman is a great system and everything cannot be done at once. Actually, I have found Mailman a lot easier to *install* than majordomo. MM worked right out of the box, but MJD can be a pain about permissions and configuring as matured as it is. I helped work up a separate installer script (including for vhosts) that made it much more of a breeze.
> [...] compared
> to my manner of cron-run scripts that updates my custom archives every
> 15 minutes to display the added messages. My need for a "fix" was minor
> IF I had just known where to look.
Therein lies the key. I'm not sure what documentation you have or
have not read, and which FAQ entries you have or have not seen, but
the documentation should have made reference to the mm_cfg.py file
and the fact that you should look through the Defaults.py file to see
what options you may want to change, etc....
If you can tell us what parts of the documentation are not clear, we
will try to get those fixed.
<JLS> Actually, because of the time crunch, I just hadn't had time to read everything although I did quickly scan the FAQ and thoroughly man pages. I tested of course on a test list until I thought I had everything working to move over to a production list. My main concern was not to interrupt the list.
The knob in the web site configs about changing from YES to NO had me distracted thinking it was the place to change my setting for this preference. I can tell from Dan's last post, he is also still confused about what that does there. That web knob caused me to be distracted from looking more thoroughly in other places -- like the Defaults.py -- even though I had looked at some things there -- but just for other things at the time -- like the vhost designation -- which I fixed by using the CLI "newlist" command.
Basically, I had to discover which things were better to use the CLI or the web configs. In my experience, I found to create the newlist from CLI and then go to the new list's web site and configure things -- except of course, the archive issue on obscuring. Its real purpose is still a mystery to me as I didn't observe any change on anything by switching from YES to NO.
> Next, I'm just looking for a knob to drop the "display" of the archives
> in Mailman's web site and have members continue to use only the one they
> have been used to for several years -- and is not available for email
I'm not clear on what you're asking for. Could you elaborate?
<JLS> Now that I have successfully changed the obscuring to non-obscuring, the Mailman archive now shows the email addresses which would be available to any spammer that took the time to join -- my site is especially at risk now that I even ID'ed the domain during this thread. My fault in doing that. It would be a simple matter for a spammer to download the compressed archives and then run them through an email extraction script. As I opined before, even the obscured used now in Mailman archives would not be safe if a spammer used a special script of the downloaded archive files to convert the "xyz at adomain.net". I couldn't do it, but a good script guy could, I imagine.
So, I just need to disable access to the Mailman version of the archive which I consider vulnerable to harvesting in its present form. Plus, I don't need it with my own archives available and they are safe.
> I still want to keep generating the mylist.txt because my
> scripts use that monthly file. Just don't want it to appear anywhere to
> the members or one that would join to mis-use it for spam lists.
If you search the FAQ for "archive", you might find some relevant information.
<JLS> Plan to do more of that now I have time.
> Would be nicer, it seems if Mailman "X"ed out the email addresses as
> well rather than the present "obscuring".
That's another area of improvement that we have planned for future versions.
<JLS> Just makes a great product all the better!! Keep up the good work and many thanks for the help on my one important issue here. Didn't realize this hadn't come up before.
As I said before, I have watched MM mature for several years and even installed it once a couple of years ago (2 or 3) -- but didn't think it was ready until now. Many things have been fixed/improved since then.
BTW: One other thing & not meaning to be nit picky, but are you aware that FBSD ports show this program as containing numerous vulnerabilities?
Here's what the portaudit sez, just FYI:
Affected package: mailman-2.1.8_3
Type of problem: mailman -- Multiple Vulnerabilities.
Jack L. Stone
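
The "X out the addresses" idea raised in this message can be sketched as a filter over a copy of the monthly archive file before it is published. This is an added example, not code from the post or from Mailman; the function name `redact_mbox`, the mask token and the sample addresses are assumptions made for the illustration. It masks both the plain `@` form and the ` at ` form, because either one is a fixed pattern, and leaves message-identifier headers alone so threading still works.

```python
import re

# "user@domain" and the "user at domain" form used by the obscured archive.
# Requiring a dot in the domain keeps phrases like "look at the" from matching.
ADDRESS = re.compile(
    r"[A-Za-z0-9._%+-]+(?:@| at )[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+"
)
MASK = "xxxxx at xxxxx"  # fixed token: nothing of the address survives

# Headers that carry '@' but identify messages, not people; left intact so
# threading tools reading the published copy still work.
KEEP_HEADERS = ("message-id:", "in-reply-to:", "references:")


def redact_mbox(text):
    """Return mbox text with addresses masked in headers and bodies."""
    out = []
    in_headers = keep = False
    for line in text.splitlines(keepends=True):
        if line.startswith("From "):           # mbox message separator
            in_headers, keep = True, False
        elif in_headers and not line.strip():  # blank line ends the headers
            in_headers = keep = False
        elif in_headers and not line[0].isspace():
            keep = line.lower().startswith(KEEP_HEADERS)
        # Folded continuation lines fall through and inherit `keep`.
        out.append(line if in_headers and keep else ADDRESS.sub(MASK, line))
    return "".join(out)


# Constructed sample in the style of a monthly archive file (not real data).
SAMPLE = (
    "From jack at example.net  Tue Sep  5 14:56:17 2006\n"
    "From: jack at example.net (List Member)\n"
    "Message-ID: <20060905.1@mail.example.net>\n"
    "References: <a1@lists.example.org>\n"
    " <b2@lists.example.org>\n"
    "Subject: test\n"
    "\n"
    "Write to me at jack@example.net or look at the FAQ.\n"
)

if __name__ == "__main__":
    print(redact_mbox(SAMPLE), end="")
```

The pattern errs on the side of masking: a sentence such as "tested at example.net" loses the word before " at ", which is the safer failure for a published archive.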