On Wed, Jan 5, 2022 at 3:55 PM Jeremy Stanley <fungi@yuggoth.org> wrote:
> On 2022-01-05 14:48:35 +0200 (+0200), Marios Andreou wrote:
> > Thanks fungi for looking into that and removing that person, but does it mean we potentially have more folks being spammed by us on a regular basis :/
>
> Yes, I clean them up when they come to my attention.
>
> > Is there a way to know all the addresses that were subscribed in this way and remove them all?
>
> Not easily, because it's exploiting the subscription confirmation mechanism in Mailman, so it's indistinguishable from someone who received the confirmation message and followed the URL or replied. Usually the only way I can tell is that an address appears to have attempted to subscribe to a very large number of mailing lists (most/all published lists we host) but only one or two actually get confirmed. I'm trying to put together a heuristic to identify people who seem to have been subscribed under those circumstances via log analysis.

Sounds neat (identifying those subscriptions in this way) ;)

> The routine used to generate the cryptographic hash which serves as a confirmation token is too weak/short, and a (small) percentage of them are brute-forcible in a matter of hours by a determined attacker. We're working on an upgrade to Mailman 3, which uses much stronger authentication and confirmation tokens. I'm hoping we'll have it ready within a few months, but the migration will be somewhat disruptive as well since it's a rewrite of much of the underlying platform.

Thanks for taking the time to explain, regards

> --
> Jeremy Stanley
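The log-analysis heuristic Jeremy describes (an address that requested subscription to many lists but was confirmed on only one or two) can be sketched as follows. This is an added example, not code from the thread or from Mailman; the log line format (`<list>: pending <addr>` / `<list>: new <addr>`) and the sample entries are constructed for illustration, so a real deployment would swap in the parser for the actual subscribe log.

```python
import re
from collections import defaultdict

# Constructed sample of a subscribe log in a made-up format (not Mailman's
# real log syntax): "<list>: pending <addr>" is a request awaiting
# confirmation, "<list>: new <addr>" is a subscription that was confirmed.
SAMPLE_LOG = """\
list-a: pending alice@example.org
list-a: new alice@example.org
list-a: pending target@example.net
list-b: pending target@example.net
list-c: pending target@example.net
list-d: pending target@example.net
list-e: pending target@example.net
list-c: new target@example.net
list-a: pending probe@example.com
list-b: pending probe@example.com
list-c: pending probe@example.com
list-d: pending probe@example.com
list-e: pending probe@example.com
"""

LINE_RE = re.compile(r"^(?P<list>\S+): (?P<event>pending|new) (?P<addr>\S+)$")

def summarize(lines):
    """Map each address to the lists it requested and the lists it confirmed."""
    pending, confirmed = defaultdict(set), defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unrelated log line
        addr = m["addr"].lower()
        (pending if m["event"] == "pending" else confirmed)[addr].add(m["list"])
    return pending, confirmed

def flag_suspicious(lines, min_requests=5, max_confirmed=2):
    """Addresses requesting >= min_requests lists but confirmed on only 1..max_confirmed."""
    # Zero confirmations is just a failed run; a handful of successes out of many
    # requests is the pattern described in the thread and worth a manual check.
    pending, confirmed = summarize(lines)
    flagged = {}
    for addr, lists in pending.items():
        got = confirmed.get(addr, set())
        if len(lists) >= min_requests and 1 <= len(got) <= max_confirmed:
            flagged[addr] = sorted(got)
    return flagged

if __name__ == "__main__":
    for addr, lists in flag_suspicious(SAMPLE_LOG.splitlines()).items():
        print(f"{addr}: confirmed on {', '.join(lists)} after {len(lists)} success(es)")
```

The thresholds are assumptions; on a site hosting many lists, `min_requests` should be tuned to what a real person plausibly subscribes to in one sitting.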