[TripleO] Douglas Viroel for tripleo-ci core

Jeremy Stanley fungi at yuggoth.org
Wed Jan 5 13:47:38 UTC 2022


On 2022-01-05 14:48:35 +0200 (+0200), Marios Andreou wrote:
> thanks fungi for looking into that and removing that person but
> does it mean we potentially have more folks being spammed by us on
> a regular basis :/

Yes, I clean them up when they come to my attention.

> is there a way to know all the addresses that were subscribed in
> this way and remove them all?

Not easily, because it's exploiting the subscription confirmation
mechanism in Mailman, so it's indistinguishable from someone who
received the confirmation message and followed the URL or replied.
Usually the only way I can tell is that an address appears to have
attempted to subscribe to a very large number of mailing lists
(most/all published lists we host) but only one or two actually get
confirmed. I'm trying to put together a heuristic to identify people
who seem to have been subscribed under those circumstances via log
analysis.

The routine used to generate the cryptographic hash which serves as
a confirmation token is too weak/short, and a (small) percentage of
them are brute-forcible in a matter of hours by a determined
attacker. We're working on an upgrade to Mailman 3, which uses much
stronger authentication and confirmation tokens. I'm hoping we'll
have it ready within a few months, but the migration will be
somewhat disruptive as well since it's a rewrite of much of the
underlying platform.
-- 
Jeremy Stanley
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 963 bytes
Desc: not available
URL: <http://lists.openstack.org/pipermail/openstack-discuss/attachments/20220105/097478a3/attachment.sig>


More information about the openstack-discuss mailing list