[TripleO] Douglas Viroel for tripleo-ci core

Marios Andreou marios at redhat.com
Wed Jan 5 14:06:32 UTC 2022


On Wed, Jan 5, 2022 at 3:55 PM Jeremy Stanley <fungi at yuggoth.org> wrote:
>
> On 2022-01-05 14:48:35 +0200 (+0200), Marios Andreou wrote:
> > thanks fungi for looking into that and removing that person but
> > does it mean we potentially have more folks being spammed by us on
> > a regular basis :/
>
> Yes, I clean them up when they come to my attention.
>
> > is there a way to know all the addresses that were subscribed in
> > this way and remove them all?
>
> Not easily, because it's exploiting the subscription confirmation
> mechanism in Mailman, so it's indistinguishable from someone who
> received the confirmation message and followed the URL or replied.
> Usually the only way I can tell is that an address appears to have
> attempted to subscribe to a very large number of mailing lists
> (most/all published lists we host) but only one or two actually get
> confirmed. I'm trying to put together a heuristic to identify people
> who seem to have been subscribed under those circumstances via log
> analysis.

sounds neat (identifying those subscriptions in this way) ;)

>
> The routine used to generate the cryptographic hash which serves as
> a confirmation token is too weak/short, and a (small) percentage of
> them are brute-forcible in a matter of hours by a determined
> attacker. We're working on an upgrade to Mailman 3, which uses much
> stronger authentication and confirmation tokens. I'm hoping we'll
> have it ready within a few months, but the migration will be
> somewhat disruptive as well since it's a rewrite of much of the
> underlying platform.

thanks for taking the time to explain

regards



> --
> Jeremy Stanley
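Jeremy's description above of a log-analysis heuristic (an address that requested subscriptions to a very large number of lists but was confirmed on only one or two) worked through in Python, as an added example that is not part of the original thread and not Mailman's own code. The sample log lines are constructed in the style of Mailman 2's logs/subscribe file; the line format, the thresholds, the list names and the addresses are assumptions for this example.

```python
"""Heuristic for spotting addresses that look like they were subscribed through
confirmation-token abuse: many pending subscription requests across lists,
but only a small fraction confirmed.  Added example, not Mailman's own code.
"""
import re
from collections import defaultdict

# Constructed sample in the style of Mailman 2's logs/subscribe file.
# The line format, list names and addresses are assumptions for this example.
SAMPLE_LOG = """\
Jan 05 09:00:01 2022 (4101) list01: pending alice@example.org 198.51.100.7
Jan 05 09:00:01 2022 (4101) list02: pending alice@example.org 198.51.100.7
Jan 05 09:00:02 2022 (4101) list03: pending alice@example.org 198.51.100.7
Jan 05 09:00:02 2022 (4101) list04: pending alice@example.org 198.51.100.7
Jan 05 09:00:03 2022 (4101) list05: pending alice@example.org 198.51.100.7
Jan 05 09:00:03 2022 (4101) list06: pending alice@example.org 198.51.100.7
Jan 05 09:00:04 2022 (4101) list07: pending alice@example.org 198.51.100.7
Jan 05 09:00:04 2022 (4101) list08: pending alice@example.org 198.51.100.7
Jan 05 11:31:40 2022 (4177) list03: new alice@example.org, via web confirmation
Jan 05 10:15:00 2022 (4120) list01: pending bob@example.net 203.0.113.5
Jan 05 10:16:12 2022 (4122) list01: new bob@example.net, via web confirmation
Jan 05 12:00:00 2022 (4130) list01: pending carol@example.com 192.0.2.9
Jan 05 12:00:01 2022 (4130) list02: pending carol@example.com 192.0.2.9
Jan 05 12:00:02 2022 (4130) list03: pending carol@example.com 192.0.2.9
Jan 05 12:03:10 2022 (4133) list01: new carol@example.com, via web confirmation
Jan 05 12:03:30 2022 (4133) list02: new carol@example.com, via web confirmation
Jan 05 12:04:02 2022 (4134) list03: new carol@example.com, via web confirmation
"""

# "pending" = subscription requested, confirmation mail sent;
# "new" = the request was confirmed and the address is now a member.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d\d \d\d:\d\d:\d\d \d{4}) \(\d+\) "
    r"(?P<list>[\w.-]+): (?P<event>pending|new) (?P<addr>\S+?),?(?:\s.*)?$"
)


def parse_subscribe_log(text):
    """Return (list, event, address) tuples; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((m["list"], m["event"], m["addr"].lower()))
    return events


def subscription_stats(events):
    """Per address: the lists with a pending request and the lists confirmed."""
    pending = defaultdict(set)
    confirmed = defaultdict(set)
    for lst, event, addr in events:
        (pending if event == "pending" else confirmed)[addr].add(lst)
    return pending, confirmed


def suspicious_subscriptions(text, min_attempts=5, max_confirm_ratio=0.25):
    """Flag addresses requested on >= min_attempts lists but confirmed on only a
    small fraction of them (and on at least one; with none confirmed nobody is
    receiving mail yet).  The thresholds are assumptions; tune them on real logs.
    """
    pending, confirmed = subscription_stats(parse_subscribe_log(text))
    flagged = {}
    for addr, lists in pending.items():
        done = confirmed.get(addr, set())
        if len(lists) >= min_attempts and done \
                and len(done) / len(lists) <= max_confirm_ratio:
            flagged[addr] = {"attempted": sorted(lists), "confirmed": sorted(done)}
    return flagged


def removal_commands(flagged):
    """Mailman 2 bin/remove_members invocations, produced for a human to review
    first: as the thread notes, a forged confirmation is indistinguishable from
    a real one in the data, so this is a shortlist, not a verdict."""
    return [f"bin/remove_members {lst} {addr}"
            for addr, info in sorted(flagged.items())
            for lst in info["confirmed"]]


if __name__ == "__main__":
    hits = suspicious_subscriptions(SAMPLE_LOG)
    for addr, info in hits.items():
        print(f"{addr}: {len(info['attempted'])} requests, "
              f"confirmed on {info['confirmed']}")
    for cmd in removal_commands(hits):
        print(cmd)
```

On the sample data only alice@example.org is flagged (eight pending requests, one confirmation); bob and carol confirmed everything they requested and are left alone. Addresses with many requests and no confirmation at all are deliberately not flagged here, since the attack only does harm once a token is guessed and a confirmation lands.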



