[sf-lug] The problem I experienced recently XFwd: Fwd: Your confirmation is required to leave the test mailing list

Rick Moen rick at linuxmafia.com
Wed May 31 23:33:25 PDT 2023


Quoting Bobbie Sellers (bliss-sf4ever at dslextreme.com):

> 	Well Rick Moen answered me when he found this email and
> Rick Moen wants everyone to know that the mail that appears
> to be from the mailing list was forged by a bot and then there was
> nothing wrong with any of the mailing lists.

Hi, Bobbie, what follows is just further clarification, not
an objection.

The mail wasn't _forged_ by a bot.  It was _triggered_ by a bot that
interacted with Mailman from the public Internet.

Imagine a software bot is exploring my Web pages, comes across 
http://linuxmafia.com/mailman/listinfo/test , the listinfo page for
Test, and sees in its public archives the April 2020 test post from
you and picks up the slightly "munged" (obscured) version of your
mailing list in the archived post.  For some reason, the bot's author
wants it to mess with people it guesses are mailing list members.

So, near the bottom of the page, under "To unsubscribe from test, get a
password reminder, or change your subscription options either enter your
subscription email address", it puts your e-mail address into the blank
and presses "Unsubscribe or other options".  That takes it to
http://linuxmafia.com/mailman/options/test .  In the middle of that page
is the Unsubscribe dialogue:

  By clicking on the Unsubscribe button, a confirmation message will be
  emailed to you. This message will have a link that you should click on
  to complete the removal process (you can also confirm by email; see the
  instructions in the confirmation message).

It presses the Unsubscribe button.  This causes Mailman to automatically
send you a confirmation notice, coming from test-[$HASH]@linuxmafia.com,
where $HASH is a long hexadecimal string for security protection.

You thus received that form message, asking you whether you can confirm
that you really wish to unsubscribe.  Then, you receive 199+ more of
those, because the bot is continuing to navigate the Web interface and
push that button many times.

This is malign, obnoxious behaviour.  It is not being generated _by_
Mailman.  It is generated by a malign software bot _via_ Mailman.

I won't say this sort of abuse is impossible to prevent, but it's 
certainly not easy.  Moreover, such abuse is normally seldom seen
because it's fruitless unless the targeted subscriber confirms one of
the requests.

I hope that clarifies.
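
[Editor's note.] The abuse described above is hard to prevent but easy to
see in the web server's access log, because every press of the Unsubscribe
button is a separate HTTP request from the bot. The script below is an
added example of detecting that pattern; it is my own code, not Rick's and
not part of Mailman. It assumes an Apache "combined"-format access log and
that each press arrives as a POST whose path starts with
/mailman/options/test (the options page named in the message); the IP
addresses, timestamps and log lines are constructed test data, not real
linuxmafia.com logs, and the threshold and window are arbitrary choices.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" access-log line, e.g.
# 203.0.113.7 - - [31/May/2023:22:01:05 -0700] "POST /mailman/options/test HTTP/1.1" 200 4311 "-" "bot/1.0"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp, method, path) for a combined-format line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    return m.group("ip"), ts, m.group("method"), m.group("path")


def find_unsubscribe_floods(lines, list_name="test", threshold=20,
                            window=timedelta(minutes=10)):
    """Map each client IP that issued >= threshold POSTs to the list's
    Mailman options page within any `window` to its peak count.

    Assumption (not verified against Mailman's form layout): both the
    "Unsubscribe or other options" form and the Unsubscribe button submit
    a POST whose path starts with /mailman/options/<list>. One such POST
    from a person is normal; dozens from one IP in a few minutes is the
    bot described in the message.
    """
    prefix = f"/mailman/options/{list_name}"
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:          # unparseable line: skip, don't crash
            continue
        ip, ts, method, path = rec
        if method == "POST" and (path == prefix or path.startswith(prefix + "/")):
            hits[ip].append(ts)

    floods = {}
    for ip, times in hits.items():
        times.sort()
        left, peak = 0, 0
        # Sliding window: the largest number of POSTs within `window`.
        for right in range(len(times)):
            while times[right] - times[left] > window:
                left += 1
            peak = max(peak, right - left + 1)
        if peak >= threshold:
            floods[ip] = peak
    return floods


def _line(ip, ts, method, path, ua):
    """Format one constructed log line (test data, not a real server log)."""
    return (f'{ip} - - [{ts.strftime("%d/%b/%Y:%H:%M:%S")} -0700] '
            f'"{method} {path} HTTP/1.1" 200 4311 "-" "{ua}"')


def build_sample_log(bot_presses=200):
    """Constructed traffic: one real subscriber, plus a bot that presses
    Unsubscribe every two seconds, mirroring the 199+ confirmations."""
    t0 = datetime(2023, 5, 31, 22, 0, 0)
    lines = [
        _line("198.51.100.9", t0, "GET", "/mailman/listinfo/test", "Mozilla/5.0"),
        _line("198.51.100.9", t0 + timedelta(seconds=30), "POST",
              "/mailman/options/test", "Mozilla/5.0"),
    ]
    for i in range(bot_presses):
        lines.append(_line("203.0.113.7", t0 + timedelta(seconds=65 + 2 * i),
                           "POST", "/mailman/options/test", "bot/1.0"))
    lines.append("garbage line that does not parse")
    return lines


if __name__ == "__main__":
    for ip, n in find_unsubscribe_floods(build_sample_log()).items():
        print(f"{ip}: {n} unsubscribe POSTs within 10 minutes")
```

Run it against a real log with something like
`find_unsubscribe_floods(open("/var/log/apache2/access.log"))`; the
flagged address is then a candidate for a firewall or web-server deny
rule. Note that this only identifies the source; as Rick says, the
requests themselves are legitimate use of the form from Mailman's point
of view, and the confirmation e-mails are harmless unless the subscriber
confirms one.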
