[Mailman-Users] ban member from joining not working

Rae rae at gitchee.com
Tue Nov 29 15:48:17 CET 2005


At 10:19 AM 11/28/2005, Mark Sapiro wrote:
>The ban list will prevent subscribing a banned address directly, but I
>think there is a way around it. Namely, if addr1 is banned, a person
>who can receive confirmations sent to another address can subscribe
>that address and then change the subscription address to addr1. I
>haven't verified this, but I think it's true. If so, I think it's a
>bug.
>
>In your case, you can check Mailman's 'subscribe' log to see if the
>banned address actually subscribed, or possibly identify a different
>address that subscribed and was possibly later changed to the banned
>address. Unfortunately for this investigation, address changes aren't
>logged or reported.

The log indicates that the specific address was subscribed and 
confirmed through the web so that eliminates the "subscribe and 
change" possibility.

Nov 26 13:47:08 2005 (54395) mylist: new (digest) "archive at mail-archive.com" <The Mail Archive>, via web confirmation

I ran a test trying to subscribe an address that is listed in the ban 
list. From the listinfo page, the subscription request resulted in a 
statement that the address was banned. From the 
listname-subscribe at domain.com, the subscription request received a 
reply that the address was banned. So the ban is working. I now 
believe that the subscription was not done in a normal manner but may 
have been taking advantage of a hole in the program's operations. I'm 
checking other server logs to get to the bottom of it.

Sidenote: If you don't know who The Mail Archive is, you should take 
a minute to check it out. If you run any private lists, you 
definitely do NOT want that address subscribed to it. They operate a 
site for anyone to subscribe any list for public archiving without 
the listowner's approval.

>subscribe_policy = confirm only means the user has to confirm. It has
>nothing to do with banning per se.
>
>As far as prevention is concerned, be sure that admin_notify_mchanges
>is Yes so you will be notified of subscribes and unsubscribes (but not
>address changes), and consider setting subscribe_policy to 'Require
>approval' or 'Confirm and approve'.

Yes, I had that in effect at the time and saw the subscription right 
after it happened and was able to unsubscribe it. I have now also 
changed the subscribe_policy to Confirm and Approve. Not real happy 
with that but it seems that I am forced to do it under the circumstances.

Best wishes,
Rae  
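
Added example (not part of the original message and not Mailman's own code): one way to run the 'subscribe' log check suggested in the quoted reply, flagging "new" entries whose address matches the ban list. It assumes log lines laid out like the one quoted above and ban-list entries that are either literal addresses or regular expressions starting with ^; the function names and sample data are constructed.

```python
import re

# Layout of the quoted line: <timestamp> (<pid>) <list>: new ... <addr>, <how>
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+ \d{4}) \(\d+\) "
    r"(?P<list>[^:\s]+): (?P<action>\w+)(?P<rest>.*)$")
ADDR_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def is_banned(addr, ban_list):
    """Assumed ban_list rule: '^' entries are regexes, others exact."""
    for entry in ban_list:
        if entry.startswith("^"):
            if re.search(entry, addr, re.IGNORECASE):
                return True
        elif entry.lower() == addr.lower():
            return True
    return False


def banned_subscriptions(log_lines, ban_list):
    """Return (timestamp, list, address, how) for banned addresses added."""
    hits = []
    for line in log_lines:
        m = LINE_RE.match(line.strip())
        if not m or m.group("action") != "new":
            continue
        rest = m.group("rest")
        addr = ADDR_RE.search(rest)
        if addr and is_banned(addr.group(0), ban_list):
            how = rest.rsplit(",", 1)[-1].strip() if "," in rest else ""
            hits.append((m.group("ts"), m.group("list"), addr.group(0), how))
    return hits


# Constructed sample data, not taken from the poster's server.
SAMPLE_BAN_LIST = ["archive@archiver.example", r"^.*@spam\.example$"]
SAMPLE_LOG = [
    'Nov 26 13:47:08 2005 (54395) mylist: new (digest) '
    '"archive@archiver.example" <Some Archive>, via web confirmation',
    'Nov 26 14:02:51 2005 (54401) mylist: new "Alice" <alice@lists.example>,'
    ' via email confirmation',
    'Nov 27 09:15:33 2005 (54512) mylist: new "Bot" <BOT@Spam.Example>,'
    ' via admin mass sub',
]

if __name__ == "__main__":
    for hit in banned_subscriptions(SAMPLE_LOG, SAMPLE_BAN_LIST):
        print(hit)
```

Per the quoted reply, address changes are not written to this log, so an empty result only rules out direct subscriptions.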