[sf-lug] The problem I experienced recently XFwd: Fwd: Your confirmation is required to leave the test mailing list
Bobbie Sellers
bliss-sf4ever at dslextreme.com
Wed Jun 7 17:36:49 PDT 2023
On 5/31/23 23:33, Rick Moen wrote:
> Quoting Bobbie Sellers (bliss-sf4ever at dslextreme.com):
>
>> Well Rick Moen answered me when he found this email and
>> Rick Moen wants everyone to know that the mail that appears
>> to be from the mailing list was forged by a bot and that there was
>> nothing wrong with any of the mailing lists.
>
> Hi, Bobbie, what follows is just further clarification, not
> an objection.
>
> The mail wasn't _forged_ by a bot. It was _triggered_ by a bot that
> interacted with Mailman from the public Internet.
>
> Imagine a software bot is exploring my Web pages, comes across
> http://linuxmafia.com/mailman/listinfo/test , the listinfo page for
> Test, and sees in its public archives the April 2020 test post from
> you and picks up the slightly "munged" (obscured) version of your
> mailing list in the archived post. For some reason, the bot's author
> wants it to mess with people it guesses are mailing list members.
>
> So, near the bottom of the page, under "To unsubscribe from test, get a
> password reminder, or change your subscription options either enter your
> subscription email address", it puts your e-mail address into the blank
> and presses "Unsubscribe or other options". That takes it to
> http://linuxmafia.com/mailman/options/test . In the middle of that page
> is the Unsubscribe dialogue:
>
> By clicking on the Unsubscribe button, a confirmation message will be
> emailed to you. This message will have a link that you should click on
> to complete the removal process (you can also confirm by email; see the
> instructions in the confirmation message).
>
> It presses the Unsubscribe button. This causes Mailman to automatically
> send you a confirmation notice, coming from test-[$HASH]@linuxmafia.com,
> where $HASH is a long hexadecimal string for security protection.
>
> You thus received that form message, asking you whether you can confirm
> that you really wish to unsubscribe. Then, you receive 199+ more of
> those, because the bot is continuing to navigate the Web interface and
> push that button many times.
>
> This is malign, obnoxious behaviour. It is not being generated _by_
> Mailman. It is generated by a malign software bot _via_ Mailman.
>
> I won't say this sort of abuse is impossible to prevent, but it's
> certainly not easy. Moreover, such abuse is normally seldom seen
> because it's fruitless unless the targeted subscriber confirms one of
> the requests.
>
> I hope that clarifies.
It is certainly a fuller explanation.
Thank you for taking your time to more fully explain the situation.
Have a good day Rick.
Bobbie Sellers
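
Added example (not part of the original messages, and not Mailman's or the list admin's code): one way to spot the repeated button-pressing described above in web server access logs. It assumes Apache "combined" log format and that the form submissions show up as POST requests under /mailman/options/<list>; the log lines, client addresses, threshold and window are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access log (documentation IP ranges, made-up timestamps).
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2023:10:00:00 -0800] "GET /mailman/listinfo/test HTTP/1.1" 200 4096 "-" "bot/1.0"
203.0.113.7 - - [01/Jan/2023:10:00:02 -0800] "POST /mailman/options/test HTTP/1.1" 200 5120 "-" "bot/1.0"
203.0.113.7 - - [01/Jan/2023:10:00:03 -0800] "POST /mailman/options/test HTTP/1.1" 200 5120 "-" "bot/1.0"
203.0.113.7 - - [01/Jan/2023:10:00:04 -0800] "POST /mailman/options/test HTTP/1.1" 200 5120 "-" "bot/1.0"
203.0.113.7 - - [01/Jan/2023:10:00:05 -0800] "POST /mailman/options/test HTTP/1.1" 200 5120 "-" "bot/1.0"
198.51.100.20 - - [01/Jan/2023:10:02:00 -0800] "POST /mailman/options/test HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.20 - - [01/Jan/2023:10:40:00 -0800] "POST /mailman/options/test HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# client, timestamp, method, path, status from a combined-format line
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def flag_option_floods(log_text, threshold=3, window=timedelta(minutes=10)):
    """Return {(client, list_name): peak POST count in any window} for
    clients that hit a list's options page at least `threshold` times."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        client, ts, method, path, _status = m.groups()
        parts = path.split("?")[0].strip("/").split("/")
        if method != "POST" or parts[:2] != ["mailman", "options"] or len(parts) < 3:
            continue
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        hits[(client, parts[2])].append(when)

    flagged = {}
    for key, times in hits.items():
        times.sort()
        start = best = 0
        for end, t in enumerate(times):
            # slide the window start forward until it spans <= `window`
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[key] = best
    return flagged

if __name__ == "__main__":
    for (client, lst), n in flag_option_floods(SAMPLE_LOG).items():
        print(f"{client}: {n} POSTs to options page of list '{lst}' within window")
```

A client flagged this way can then be rate-limited or blocked at the web server, which stops the confirmation mails at their trigger rather than at the recipient.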