[Mailman-Developers] [Greg Stark <gsstark@mit.edu>]
Re: Bounce removal parameters default values
Brad Knowles
brad.knowles at skynet.be
Thu Jun 17 16:37:21 EDT 2004
At 2:36 PM -0400 2004-06-17, Greg Stark wrote:
> Virus scans are only one type of bounce that could cause someone to be
> unsubscribed spuriously. For example, most mail servers have a
>maximum message
> size for example. Consider the security implications: all I have to
>do to mass
> unsubscribe many people--even everyone--on a list is send a message over 50k.
> Everyone using old versions of sendmail will be unsubscribed. A
>larger message
> will unsubscribe anyone using most modern MTAs. Nor do the tests that require
> multiple bounces protect anything; I just have to send my attack a few times
> quickly.
50k?!? Where are you getting this number? Maximum message size
on most MTAs is usually a default of something like 1-10MB, or even
unlimited. In more than ten years of specializing in running mail
systems, I don't think I have *once* seen an MTA that was default
configured to a maximum message size of just 50k.
> Really Mailman should simply not trust outside data for any
>purpose. It should
> treat the bounces received from mailing list messages purely as hints. It
> should then send its *own* message with content not subject to any control
> from outside to the user. Only if that known inoffensive message bounces
> should it consider removing the user.
>
> This is really a DOS security issue, though the worst case attack is
> unsubscribing many users of a list. That it gets triggered normally even when
> not specifically under attack only makes the problem apparent.
This is basically what Mailman is now doing. From the
Mailman-2.1.5/NEWS file:
- The bounce processor has been redesigned so that now when an address's
bounce score reaches the threshold, that address will be sent a probe
message. Only if the probe bounces will the address be disabled. The
score is reset to zero when the probe is sent. Also, bounce events are
now kept in an event file instead of in memory. This should help
contain the bloat of the BounceRunner.
New supporting variables in Defaults.py: VERP_PROBE_FORMAT,
VERP_PROBE_REGEXP
REGISTER_BOUNCES_EVERY is promoted to a Defaults.py variable.
--
Brad Knowles, <brad.knowles at skynet.be>
"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety."
-Benjamin Franklin, Historical Review of Pennsylvania.
SAGE member since 1995. See <http://www.sage.org/> for more info.
More information about the Mailman-Developers
mailing list