[TripleO] Douglas Viroel for tripleo-ci core

Jeremy Stanley fungi at yuggoth.org
Wed Jan 5 13:47:38 UTC 2022

On 2022-01-05 14:48:35 +0200 (+0200), Marios Andreou wrote:
> thanks fungi for looking into that and removing that person but
> does it mean we potentially have more folks being spammed by us on
> a regular basis :/

Yes, I clean them up when they come to my attention.

> is there a way to know all the addresses that were subscribed in
> this way and remove them all?

Not easily, because it's exploiting the subscription confirmation
mechanism in Mailman, so it's indistinguishable from someone who
received the confirmation message and followed the URL or replied.
Usually the only way I can tell is that an address appears to have
attempted to subscribe to a very large number of mailing lists
(most/all published lists we host) but only one or two actually get
confirmed. I'm trying to put together a heuristic to identify people
who seem to have been subscribed under those circumstances via log

The routine used to generate the cryptographic hash which serves as
a confirmation token is too weak/short, and a (small) percentage of
them are brute-forcible in a matter of hours by a determined
attacker. We're working on an upgrade to Mailman 3, which uses much
stronger authentication and confirmation tokens. I'm hoping we'll
have it ready within a few months, but the migration will be
somewhat disruptive as well since it's a rewrite of much of the
underlying platform.

Jeremy Stanley
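The heuristic described in the message above (an address that was pushed through the confirmation step on most or all hosted lists, but confirmed on only one or two), as an added example that is not part of the original thread and is not the OpenStack infra team's own tooling. The log format below is constructed for the example and is not Mailman's real subscribe log; the field names, thresholds and the burst window are all assumptions.

```python
"""Flag addresses that look like victims of forged subscription confirmations.

Added illustration, not code from the mailing-list operators.  Signal used:
an address that has pending subscription requests on many lists (usually
fired off within seconds of each other by a script) but confirmed on only a
small fraction of them.  The log format is constructed here, not Mailman's.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, one subscription event per line:
#   <date> <time> <list> <pending|confirmed> <address>
SAMPLE_LOG = """\
2022-01-04 02:11:07 openstack-discuss pending victim@example.org
2022-01-04 02:11:07 openstack-announce pending victim@example.org
2022-01-04 02:11:08 tripleo-ci pending victim@example.org
2022-01-04 02:11:08 nova-dev pending victim@example.org
2022-01-04 02:11:09 neutron-dev pending victim@example.org
2022-01-04 02:11:09 kolla-dev pending victim@example.org
2022-01-04 02:11:10 ironic-dev pending victim@example.org
2022-01-04 02:11:10 zuul-discuss pending victim@example.org
2022-01-04 05:40:12 tripleo-ci confirmed victim@example.org
2022-01-04 09:00:01 openstack-discuss pending alice@example.net
2022-01-04 09:03:44 openstack-discuss confirmed alice@example.net
2022-01-04 11:20:00 tripleo-ci pending bob@example.com
2022-01-04 11:21:30 tripleo-ci confirmed bob@example.com
2022-01-05 08:00:00 zuul-discuss pending bob@example.com
2022-01-05 08:02:15 zuul-discuss confirmed bob@example.com
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (pending|confirmed) (\S+)$")


def parse(log):
    """Return (timestamp, list, event, address) tuples; skip lines that do not match."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        events.append((ts, m.group(2), m.group(3), m.group(4).lower()))
    return events


def suspicious_addresses(log, min_pending=5, max_confirm_ratio=0.25,
                         burst_window=timedelta(seconds=60)):
    """Map address -> (lists pending, lists confirmed, burst) for addresses
    whose pattern matches a scripted mass-subscribe with few confirmations.

    burst is True when the pending requests across lists all fall inside
    burst_window, which is what an automated attacker produces and a human
    subscribing list by list almost never does.  Thresholds are assumptions.
    """
    pending_lists = defaultdict(set)
    pending_times = defaultdict(list)
    confirmed_lists = defaultdict(set)
    for ts, lst, event, addr in parse(log):
        if event == "pending":
            pending_lists[addr].add(lst)
            pending_times[addr].append(ts)
        else:
            confirmed_lists[addr].add(lst)

    flagged = {}
    for addr, lists in pending_lists.items():
        n_pending = len(lists)
        n_confirmed = len(confirmed_lists.get(addr, set()))
        if n_pending < min_pending:
            continue
        if n_confirmed / n_pending > max_confirm_ratio:
            continue
        times = sorted(pending_times[addr])
        burst = (times[-1] - times[0]) <= burst_window
        flagged[addr] = (n_pending, n_confirmed, burst)
    return flagged


if __name__ == "__main__":
    for addr, (p, c, burst) in suspicious_addresses(SAMPLE_LOG).items():
        print(f"{addr}: pending on {p} lists, confirmed on {c}, burst={burst}")
```

The output for the constructed log is only `victim@example.org`: eight pending requests within three seconds and a single confirmation. Addresses like `bob@example.com`, who subscribe to a couple of lists on different days and confirm each, stay below `min_pending` and are never considered. Run against real subscribe logs, the thresholds need tuning per site, and an address that confirmed nothing at all is not necessarily a victim, only one that the attacker failed to complete.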

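The token-strength point made in the message above (a short confirmation token can be brute-forced; a long random one with an attempt limit cannot), as an added example that is not part of the original thread. The `WeakConfirmer` scheme below is a deliberately toy construction for illustration and is not Mailman 2's actual token routine; the `StrongConfirmer` is ordinary current practice and is not a description of Mailman 3's implementation. Token lengths, the attempt limit and the guess rates are assumptions.

```python
"""Short, predictable confirmation tokens versus long random single-use ones.

Added illustration, not code from the Mailman project.  WeakConfirmer is a
made-up toy: a 16-bit truncated hash with no attempt limit, so that the
brute force finishes instantly here.  StrongConfirmer shows the properties
that make guessing pointless: CSPRNG token, constant-time compare, attempt
limit, single use.
"""
import hashlib
import hmac
import itertools
import secrets

WEAK_TOKEN_HEX_CHARS = 4      # toy size: 16 bits, 65536 possibilities
HEX = "0123456789abcdef"


class WeakConfirmer:
    """Toy weak scheme: token = first 4 hex chars of SHA-1(list:address)."""

    def __init__(self, listname, address):
        digest = hashlib.sha1(f"{listname}:{address}".encode()).hexdigest()
        self._token = digest[:WEAK_TOKEN_HEX_CHARS]
        self.attempts = 0

    def confirm(self, token):
        self.attempts += 1            # no limit: every guess is accepted
        return token == self._token   # plain == also leaks timing


class StrongConfirmer:
    """Random 256-bit token, constant-time compare, attempt limit, single use."""

    def __init__(self, listname, address, max_attempts=5):
        self.listname, self.address = listname, address
        self._token = secrets.token_urlsafe(32)   # 32 random bytes, 43 chars
        self.max_attempts = max_attempts
        self.attempts = 0
        self.used = False

    def issue(self):
        """The value that goes into the confirmation mail (URL or subject)."""
        return self._token

    def confirm(self, token):
        self.attempts += 1
        if self.used or self.attempts > self.max_attempts:
            return False              # locked out or already consumed
        ok = hmac.compare_digest(token, self._token)
        if ok:
            self.used = True
        return ok


def brute_force_hex(confirmer, hex_chars):
    """Try every hex string of the given length; return (token, attempts)."""
    for cand in itertools.product(HEX, repeat=hex_chars):
        token = "".join(cand)
        if confirmer.confirm(token):
            return token, confirmer.attempts
    return None, confirmer.attempts


def expected_hours(token_bits, guesses_per_second):
    """Average hours to hit a uniformly random token of token_bits bits."""
    return 2 ** (token_bits - 1) / guesses_per_second / 3600.0


if __name__ == "__main__":
    weak = WeakConfirmer("tripleo-ci", "victim@example.org")
    print("weak token found:", brute_force_hex(weak, WEAK_TOKEN_HEX_CHARS))
    # Assumed guess rates: 1000 HTTP requests/s against the web form.
    print("16-bit token, 1000 guesses/s: %.4f h" % expected_hours(16, 1000))
    print("256-bit token, 1e9 guesses/s: %.3e h" % expected_hours(256, 1e9))
    strong = StrongConfirmer("tripleo-ci", "victim@example.org")
    real = strong.issue()
    print("strong, 5 wrong guesses then the real token:",
          [strong.confirm("guess") for _ in range(5)], strong.confirm(real))
```

Two things the toy makes visible. The weak scheme is broken by the combination of a small token space and unlimited attempts; either property alone would already be a problem, and a longer hash truncated to the same width would not help because the attacker only needs the accepted prefix. The strong scheme's token is large enough that `expected_hours(256, 1e9)` is astronomically beyond any adversary, and even a much shorter token is rescued by the attempt limit and by making the token single-use, which is why both belong in a confirmation flow regardless of token length.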