Mailing list shutting down...

Richard Hipp-3
Unfortunately, I'm going to need to shut down this mailing list due to
robot harassment.  I am working to come up with a fix or an
alternative now.  Your suggestions are welcomed.

This mailing list has operated for many years using GNU MailMan.
Unfortunately, that software is not able to cope with modern robot
spammers, even with the latest updates.  And the source code for
MailMan is sufficiently opaque that I am unable to work on it.

The most recent problem is that robots are visiting the subscription
page and entering innocent users' email addresses and names.  This
causes a confirmation email to be sent to that user.  If it were just
a single confirmation email that the user could ignore, that would be
fine.  But apparently MailMan sends one email for each subscription
request.  The robots have figured this out and are putting in hundreds
of subscription requests for the same individual, apparently to harass
them.

I have already suspended new subscriptions.  Existing subscribers will
be able to continue using this list until I come up with a replacement
(or a fix to the current problem) but no new subscribers will be
accepted.

--
D. Richard Hipp
[hidden email]
_______________________________________________
sqlite-users mailing list
[hidden email]
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users

Re: Mailing list shutting down...

Gary R. Schmidt
On 13/06/2018 21:22, Richard Hipp wrote:

> Unfortunately, I'm going to need to shut down this mailing list due to
> robot harassment.  I am working to come up with a fix or an
> alternative now.  Your suggestions are welcomed.
>
> This mailing list has operated for many years using GNU MailMan.
> Unfortunately, that software is not able to cope with modern robot
> spammers, even with the latest updates.  And the source code for
> MailMan is sufficiently opaque that I am unable to work on it.
>
> The most recent problem is that robots are visiting the subscription
> page and entering innocent users' email addresses and names.  This
> causes a confirmation email to be sent to that user.  If it were just
> a single confirmation email that the user could ignore, that would be
> fine.  But apparently MailMan sends one email for each subscription
> request.  The robots have figured this out and are putting in hundreds
> of subscription requests for the same individual, apparently to harass
> them.
>
> I have already suspended new subscriptions.  Existing subscribers will
> be able to continue using this list until I come up with a replacement
> (or a fix to the current problem) but no new subscribers will be
> accepted.
>
This is an increasing problem, and has been discussed on the Mailman
mailing list recently, you should join them and see what mitigation
strategies are available.

        Cheers,
                Gary B-)

Re: Mailing list shutting down...

Tim Streater-3
In reply to this post by Richard Hipp-3
On 13 Jun 2018, at 12:22, Richard Hipp <[hidden email]> wrote:

> Unfortunately, I'm going to need to shut down this mailing list due to
> robot harassment.  I am working to come up with a fix or an
> alternative now.  Your suggestions are welcomed.

Perhaps another subscription mechanism is needed, if that is their attack vector. Personally I'd be loath to see this list moved to a web page, for instance.


--
Cheers  --  Tim

Re: Mailing list shutting down...

Richard Hipp-3
On 6/13/18, Tim Streater <[hidden email]> wrote:
> Personally I'd be loath to see this list moved to a web page, for
> instance.

We invite you to submit working code that implements your desired solution.  :-)


--
D. Richard Hipp
[hidden email]

Re: Mailing list shutting down...

Olivier Mascia
In reply to this post by Richard Hipp-3
> On 13 June 2018 at 13:22, Richard Hipp <[hidden email]> wrote:
>
> Unfortunately, I'm going to need to shut down this mailing list due to
> robot harassment.
> ...
> I have already suspended new subscriptions.  Existing subscribers will
> be able to continue using this list until I come up with a replacement
> (or a fix to the current problem) but no new subscribers will be
> accepted.

I don't have experience with GNU MailMan, but isn't there some facility to protect the subscription request page using some Googlesque "I'm not a Robot!" CAPTCHA, or anything like if GNU MailMan does not want to offer people to have whatever business with Google for any reason?

This, plus a black-listing mechanism which would warn admins (once!) when the same non-member subscription request has happened let's say twice, without user confirmation, and simply denies new requests for that same email until admins either validate the subscription or reset it.

Might complicate the work of robots enough to render the game uninteresting.

That's a personal preference, but I value mailing lists and appreciate much less web-based forums.
--
Best Regards, Meilleures salutations, Met vriendelijke groeten,
Olivier Mascia



Re: Mailing list shutting down...

Simon Slavin-3
In reply to this post by Richard Hipp-3
On 13 Jun 2018, at 12:22pm, Richard Hipp <[hidden email]> wrote:

> The most recent problem is that robots are visiting the subscription
> page and entering innocent users' email addresses and names.

I'm surprised the server lasted this long.  That problem has been around since 2010.  I don't know what you've already tried, or what type of bot is abusing the list, but you might try the solution described in the lower part of

<https://www.ralfj.de/blog/2018/06/02/mailman-subscription-spam.html>

and also the measure recommended here:

<https://mail.python.org/pipermail/mailman-users/2015-May/079154.html>

However, newer bots which work around these may have developed since those were invented.

Simon.

Re: Mailing list shutting down...

Jungle Boogie
In reply to this post by Richard Hipp-3
On 13 June 2018 at 04:22, Richard Hipp <[hidden email]> wrote:
> Unfortunately, I'm going to need to shut down this mailing list due to
> robot harassment.  I am working to come up with a fix or an
> alternative now.  Your suggestions are welcomed.
>


OpenBSD uses Majordomo for their mailing lists:
https://en.wikipedia.org/wiki/Majordomo_(software)

However, on the page below they indicate how they fight spam - with
spamd and SpamAssassin.
https://www.openbsd.org/mail.html

https://man.openbsd.org/spamd
http://spamassassin.apache.org/

Maybe those can give you an idea on how to fight the spam submitted to
your subscribers.

Re: Mailing list shutting down...

Chris Brody
On Wed, Jun 13, 2018 at 10:44 AM jungle Boogie <[hidden email]> wrote:
> [...]
> http://spamassassin.apache.org/

Maybe just add SpamAssassin to the existing GNU MailMan setup?

http://www.jamesh.id.au/articles/mailman-spamassassin/

Re: Mailing list shutting down...

Richard Hipp-3
On 6/13/18, Chris Brody <[hidden email]> wrote:
> On Wed, Jun 13, 2018 at 10:44 AM jungle Boogie <[hidden email]>
> wrote:
>> [...]
>> http://spamassassin.apache.org/
>
> Maybe just add SpamAssassin to the existing GNU MailMan setup?
>
> http://www.jamesh.id.au/articles/mailman-spamassassin/

That solves a different problem from the one we are having.
--
D. Richard Hipp
[hidden email]

Re: Mailing list shutting down...

Brian Curley
Doesn't the Fossil site already have a Captcha interface built into it that
could be adopted to enforce additional authentication around subscriptions?
Or a 2-step, email confirmation-type option, maybe? If they're robots
causing the problem, then they wouldn't be able to move beyond the initial
attempt.

I signed up so long ago that I forget what the process involves.

Regards.

Brian P Curley


On Wed, Jun 13, 2018, 11:46 AM Richard Hipp <[hidden email]> wrote:

> On 6/13/18, Chris Brody <[hidden email]> wrote:
> > On Wed, Jun 13, 2018 at 10:44 AM jungle Boogie <[hidden email]>
> > wrote:
> >> [...]
> >> http://spamassassin.apache.org/
> >
> > Maybe just add SpamAssassin to the existing GNU MailMan setup?
> >
> > http://www.jamesh.id.au/articles/mailman-spamassassin/
>
> That solves a different problem from the one we are having.
> --
> D. Richard Hipp
> [hidden email]

Re: Mailing list shutting down...

Richard Hipp-3
On 6/13/18, Brian Curley <[hidden email]> wrote:
> Doesn't the Fossil site already have a Captcha interface built into it that
> could be adopted to enforce additional authentication around subscriptions?

There are no captchas built into GNU MailMan.  You enter your email
address to subscribe and you get a confirmation email.  Click on a
link in the confirmation email.  Then your subscription goes to
moderation.  After the moderator approves, you are signed up.

The above system works fine to keep nefarious actors out of the subscriber list.

But that is not the problem.  The problem is that the bad guys don't
care about getting onto the subscriber list.  They just want to
generate as many bogus confirmation emails as they can, to harass the
people who are receiving the confirmation emails.

The obvious solution in GNU Mailman would be to only allow a single
confirmation email to go out per email address.  After that one email,
the corresponding email address is never allowed to sign up again.

This simple fix is complicated by several factors:

(1) Nobody seems to want to own the GNU MailMan software.  It is not
well maintained as far as I can see.

(2) MailMan does not seem to use a database other than the filesystem
and perhaps Python Pickle files, at least not that I have found, so
recording extra information such as who has previously requested a
subscription involves major structural changes to the code.

(3) MailMan itself seems to be a collection of scripts that must be
all installed in multiple well-known directories.  It is difficult to
identify what files are part of the MailMan implementation and what
files are not, making maintenance error-prone for people (like me) who
are unfamiliar with where to find all the pieces.

(4) There is a GNU MailMan mailing list, but in my past interactions,
there was nobody there who was willing to help with spam problems.
--
D. Richard Hipp
[hidden email]
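
Added example (not part of the original posts, and not Mailman code): a sketch of the one-confirmation-per-address rule described in the message above, combined with the earlier suggestion in this thread to warn the admins once and deny repeats until an admin resets the address. The table layout, function names, alert threshold and HMAC secret are assumptions; Python's sqlite3 module holds the record of which addresses have already been mailed.

```python
import hashlib
import hmac
import sqlite3
import time

SEND, SUPPRESS, SUPPRESS_AND_ALERT = "send", "suppress", "suppress+alert-admin"
ALERT_AT = 2  # assumption: tell the admins once, on the 2nd unconfirmed request


def open_store(path=":memory:"):
    """Open (or create) the table of addresses that already got a confirmation."""
    db = sqlite3.connect(path)
    db.execute(
        "CREATE TABLE IF NOT EXISTS pending ("
        " addr_key TEXT PRIMARY KEY,"
        " first_seen REAL NOT NULL,"
        " requests INTEGER NOT NULL,"
        " admin_alerted INTEGER NOT NULL DEFAULT 0)"
    )
    return db


def addr_key(addr, secret):
    """Keyed hash of the case-folded address: case variants map to one row,
    and the store is not a plain-text list of the addresses being targeted."""
    addr = addr.strip().lower()
    local, sep, domain = addr.rpartition("@")
    if not (local and sep and domain):
        raise ValueError("not an email address")
    return hmac.new(secret, addr.encode("utf-8"), hashlib.sha256).hexdigest()


def handle_request(db, addr, secret, now=None):
    """Decide what to do with one subscription request for addr."""
    now = time.time() if now is None else now
    key = addr_key(addr, secret)
    with db:  # one transaction per request
        cur = db.execute(
            "INSERT OR IGNORE INTO pending(addr_key, first_seen, requests)"
            " VALUES (?, ?, 1)", (key, now))
        if cur.rowcount == 1:
            return SEND  # first request ever: the only confirmation mail sent
        db.execute(
            "UPDATE pending SET requests = requests + 1 WHERE addr_key = ?",
            (key,))
        requests, alerted = db.execute(
            "SELECT requests, admin_alerted FROM pending WHERE addr_key = ?",
            (key,)).fetchone()
        if requests >= ALERT_AT and not alerted:
            db.execute(
                "UPDATE pending SET admin_alerted = 1 WHERE addr_key = ?",
                (key,))
            return SUPPRESS_AND_ALERT  # admins hear about it exactly once
        return SUPPRESS


def admin_reset(db, addr, secret):
    """Admin action: forget the address so it may request a confirmation again."""
    with db:
        db.execute("DELETE FROM pending WHERE addr_key = ?",
                   (addr_key(addr, secret),))


def replay(requests, secret=b"constructed-demo-secret"):
    """Run a list of requested addresses through a fresh store."""
    db = open_store()
    return [handle_request(db, a, secret) for a in requests]


if __name__ == "__main__":
    # Constructed input: 300 requests for one address, then a case variant.
    flood = ["victim@example.org"] * 300 + ["Victim@Example.ORG"]
    actions = replay(flood)
    print({a: actions.count(a) for a in (SEND, SUPPRESS, SUPPRESS_AND_ALERT)})
```

Leaving out `admin_reset` gives the stricter rule from the message, where an address that has been mailed once is never mailed again.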

Re: Mailing list shutting down...

José María Mateos
On Wed, Jun 13, 2018 at 12:14:46PM -0400, Richard Hipp wrote:
> (1) Nobody seems to want to own the GNU MailMan software.  It is not
> well maintained as far as I can see.

I'm not an expert, but how does Sympa handle this? I remember a few
years ago a lot of people were moving their Mailman systems to Sympa. It
seems to be properly maintained too (latest release was April 19th).

Cheers,

--
José María (Chema) Mateos
https://rinzewind.org/blog-es || https://rinzewind.org/blog-en

Re: Mailing list shutting down...

Michael Tiernan
In reply to this post by Richard Hipp-3
May I respectfully suggest to everyone that offering solutions, while
valuable and helpful, may not be as valuable as the offer of assistance
to our listmaster.

Re: Mailing list shutting down...

Richard Hipp-3
On 6/13/18, Michael Tiernan <[hidden email]> wrote:
> May I respectfully suggest to everyone that offering solutions, while
> valuable and helpful, may not be as valuable as the offer of assistance
> to our listmaster.

+1  :-)

--
D. Richard Hipp
[hidden email]

Re: Mailing list shutting down...

Luiz Américo
In reply to this post by Gary R. Schmidt
How about using https://www.discourse.org/ ?

Open source projects can use it for free

Luiz

On Wed, 13 Jun 2018 14:37, John Long <[hidden email]> wrote:

> On Wed, 2018-06-13 at 21:42 +1000, Gary R. Schmidt wrote:
> >
> >
> > This is an increasing problem, and has been discussed on the Mailman
> > mailing list recently, you should join them and see what mitigation
> > strategies are available.
>
> Well I'm sure he would like to, but subscriptions have probably been
> suspended because of the attacks ;)
>

Re: Mailing list shutting down...

Richard Hipp-3
Cross-posted to the fossil-users mailing list since www.fossil-scm.org
and www.sqlite.org are the same machine and both mailing lists are
impacted by the current problem.

On 6/13/18, Luiz Américo <[hidden email]> wrote:
> How about using https://www.discourse.org/ ?
>
> Open source projects can use it for free

Thanks for the pointer, Luiz.

Discourse is moving in the right direction, I think.  To install it, one
downloads a docker container and runs it on some Linux VM someplace.
(They recommend Digital Ocean, which is where www3.sqlite.org is
hosted already.)  It's a self-contained package with minimal
dependencies that just works.  And it uses SQLite!  My kind of
software!

Here are my remaining points of heartburn with Discourse:

(1) The installation guide recommends using an external email service,
and they even recommend four appropriate services.  I clicked through
to each one, having never heard of any of them before.  All four are
pushing email marketing for companies sending 10 million or more
emails per month.  It seems to me that aggressive email marketing is
the root cause of my problem in the first place, so I am somewhat
reluctant to engage a marketing firm to help with the solution.
Fortunately, Discourse also allows one to use a self-hosting Postfix
installation, which is what we are currently running on sqlite.org.

(2) Discourse seems to want to run on a machine all by itself.  (It is
written in Rails and has its own webserver.)  I suppose I could spin
up yet another VM to do that.  But I learned this craft in an age
where machines were big and expensive and the goal was to cram as many
services as you could fit onto a single machine and IP address, and so
spinning up a separate machine with its own domain name just to manage
the mailing list seems wasteful, somehow.  And, that means there is
one more machine that I have to keep track of and manage and defend
from attacks, etc.

(Possible remedy to 2):  The main SQLite server (www.sqlite.org)
actually owns 3 IP addresses, only 2 of which are currently in use.  I
suppose I could run Discourse on that 3rd unused IP address.  But that
will end up being a non-standard setup....

(3) The installation guide says that Discourse takes between 2 and 8
minutes to boot up.  Seriously?

Even so, Discourse does seem like considering.  Does anybody else have
any experience with Discourse, good or bad?

Are there any volunteers willing to call me on skype and help set this up?

--
D. Richard Hipp
[hidden email]

Re: Mailing list shutting down...

Simon Slavin-3
In reply to this post by Simon Slavin-3


On 13 Jun 2018, at 3:02pm, Simon Slavin <[hidden email]> wrote:

> you might try the solution described in the lower part of
>
> <https://www.ralfj.de/blog/2018/06/02/mailman-subscription-spam.html>
>
> and also the measure recommended here:
>
> <https://mail.python.org/pipermail/mailman-users/2015-May/079154.html>

Did you get a chance to try these ?  One is a one-line fix.  The other is adding a few lines.  They can both be done with a text editor and the pages tell you which files to edit.  If I understand the problem you reported they would both fix it.

Simon.

Re: Mailing list shutting down...

Chris Brody
In reply to this post by Richard Hipp-3
On Wed, Jun 13, 2018 at 3:00 PM Richard Hipp <[hidden email]> wrote:
>
> Cross-posted to the fossil-users mailing list since www.fossil-scm.org

+1

> Even so, Discourse does seem like considering.  Does anybody else have
> any experience with Discourse, good or bad?

SQLCipher switched over to Discourse for the discussion forum at:
https://discuss.zetetic.net/c/sqlcipher

Seems to work pretty well for the user community. I really like having
a choice of social login, using Twitter myself.

I cannot argue with you about the "heartburn", looks like a bear to set up.

> Are there any volunteers willing to call me on skype and help set this up?

I have very limited experience with the software stack involved, would
be happy to teach myself in the process in case better qualified help
is not forthcoming.

On Wed, Jun 13, 2018 at 3:03 PM Simon Slavin <[hidden email]> wrote:
> [...]
> > <https://www.ralfj.de/blog/2018/06/02/mailman-subscription-spam.html>
> > [...]
> > <https://mail.python.org/pipermail/mailman-users/2015-May/079154.html>
>
> Did you get a chance to try these ?

Both sound like nice short-term solutions, seem to admit that the bots
are bound to catch up someday:)

Re: Mailing list shutting down...

Alessandro Marzocchi
Do you have control over the Postfix server? If so maybe adding a policy to the
account used for subscription confirmation may work. I don't have a PC
available at the moment but in the case I may check.

On Wed, Jun 13, 2018, 9:16 PM Chris Brody <[hidden email]> wrote:

> On Wed, Jun 13, 2018 at 3:00 PM Richard Hipp <[hidden email]> wrote:
> >
> > Cross-posted to the fossil-users mailing list since www.fossil-scm.org
>
> +1
>
> > Even so, Discourse does seem like considering.  Does anybody else have
> > any experience with Discourse, good or bad?
>
> SQLCipher switched over to Discourse for the discussion forum at:
> https://discuss.zetetic.net/c/sqlcipher
>
> Seems to work pretty well for the user community. I really like having
> a choice of social login, using Twitter myself.
>
> I cannot argue with you about the "heartburn", looks like a bear to set up.
>
> > Are there any volunteers willing to call me on skype and help set this
> up?
>
> I have very limited experience with the software stack involved, would
> be happy to teach myself in the process in case better qualified help
> is not forthcoming.
>
> On Wed, Jun 13, 2018 at 3:03 PM Simon Slavin <[hidden email]> wrote:
> > [...]
> > > <https://www.ralfj.de/blog/2018/06/02/mailman-subscription-spam.html>
> > > [...]
> > > <https://mail.python.org/pipermail/mailman-users/2015-May/079154.html>
> >
> > Did you get a chance to try these ?
>
> Both sound like nice short-term solutions, seem to admit that the bots
> are bound to catch up someday:)

Re: Mailing list shutting down...

Richard Hipp-3
On 6/13/18, Alessandro Marzocchi <[hidden email]> wrote:
> Do you have control over the Postfix server? If so maybe adding a policy to the
> account used for subscription confirmation may work. I don't have a PC
> available at the moment but in the case I may check.

I don't see how that could possibly help.  Please enlighten me if I am
overlooking something.
--
D. Richard Hipp
[hidden email]