On 8/7/21 4:55 AM, Stephen J. Turnbull wrote:
Guillermo Hernandez (Oldno7) via Mailman-users writes:
Yesterday I had a problem with a private list. A spammer sent a mail forging one address that was a non-member (in fact was an "accept this no subscriber mails" from mailman 2.1 import) with very bad intentions and it was distributed.
If you upgrade from Mailman 2 to Mailman 3, the accept_these_nonmembers list for each list is grandfathered into the Mailman 3 list (from rules/moderation.py):
    # Check the '*_these_nonmembers' properties first.  XXX These are
    # legacy attributes from MM2.1; their database type is 'pickle' and
    # they should eventually get replaced.
    for action_name in ('accept', 'hold', 'reject', 'discard'):
        legacy_attribute_name = '{}_these_nonmembers'.format(
            action_name)
> There was no list of "accept this non members" in the Postorius config
If there is no such list in Postorius, I would guess that some developer thought "OK, this is a legacy feature and I'll get back to it when we move it to the proper database" (unfortunate, but most of us have open-subscription member-posts-only lists, and the current workflow seems to work well, so this feature may not be so salient).
Moderation in MM 3 works as follows:
1. Is poster address a member? If so apply the member's moderation action, else
2. Does poster address appear or match a pattern in the legacy (accept|hold|reject|discard)_these_nonmembers (first match in that order)? If so, apply the appropriate action, else
3. If the poster address is not a non-member, add it as a nonmember and apply the default nonmember moderation.
I think it is solved now (deleting all and putting to hold just the non-members addresses that I would want to pass messages on)
This should not be necessary, unless there were pre-approved addresses that are no longer appropriate. But Mailman can't know that!
The import21 process imports *_these_nonmembers by adding any regexps to the corresponding MM 3 *_these_nonmembers and adding any addresses as nonmembers with the appropriate moderation action.
The fact is that any sender address of mails sent to the list is saved as a "non member", and it makes me nervous as it will grow whether it is a legitimate message or not.
This is the way MM 3 works. The only reason *_these_nonmembers exists in MM 3 is to support the legacy regexps from MM 2.1. For non-regexp addresses the address is a nonmember with the appropriate moderation action.
I actually find this convenient. When a nonmember posts spam to a list and that spam is held, I discard the spam in Postorius and at the same time set the nonmember's moderation action to discard so I never see any more from that address. Also, when someone who I recognize as a list member posts from an alternate nonmember address, I can accept that post and set the nonmember address moderation action to default processing.
As far as I can see there is no other rule except that legacy rule (and the rule that accepts all posts, which is rarely used) that will accept a post from nonmembers.
As I note above, nonmembers and members alike have a moderation action which can be any of Hold, Reject (with notice), Discard (no notice), Accept (without any further checks), Default Processing (continue with additional checks) or the list's default action for (non)members.
--
Mark Sapiro <mark@msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
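
Added example, not part of the original message and not Mailman's own code: a simplified Python model of the moderation order described above, plus an audit helper that lists every entry accepting a nonmember From address without moderation. The ListModel class, the function names and the sample addresses are hypothetical; treating entries that start with '^' as regexps is an assumption carried over from MM 2.1.

```python
import re

LEGACY_ORDER = ('accept', 'hold', 'reject', 'discard')  # order quoted from moderation.py

class ListModel:
    """Simplified stand-in for one list; not Mailman's own classes."""
    def __init__(self, default_nonmember_action='hold'):
        self.members = {}      # address -> moderation action
        self.nonmembers = {}   # address -> action, None = use the list default
        self.legacy = {name: [] for name in LEGACY_ORDER}  # *_these_nonmembers
        self.default_nonmember_action = default_nonmember_action

def matches(entry, address):
    # Assumption: as in MM 2.1, an entry starting with '^' is a regexp,
    # anything else is a literal address.
    if entry.startswith('^'):
        return re.match(entry, address, re.IGNORECASE) is not None
    return entry.lower() == address.lower()

def moderate(mlist, sender):
    """Return (action, reason) for a From address, following the three steps."""
    sender = sender.lower()
    if sender in mlist.members:                         # step 1
        return mlist.members[sender], 'member'
    for name in LEGACY_ORDER:                           # step 2, first match wins
        for entry in mlist.legacy[name]:
            if matches(entry, sender):
                return name, name + '_these_nonmembers'
    action = mlist.nonmembers.setdefault(sender, None)  # step 3, record the sender
    return action or mlist.default_nonmember_action, 'nonmember'

def audit_accepts(mlist):
    """Entries that let a nonmember From address through unmoderated."""
    found = list(mlist.legacy['accept'])
    found += [a for a, act in mlist.nonmembers.items() if act == 'accept']
    return sorted(found)

if __name__ == '__main__':
    ml = ListModel()                                    # constructed sample data
    ml.members['alice@example.org'] = 'accept'
    ml.legacy['accept'].append(r'^.*@partner\.example$')
    ml.nonmembers['old-friend@example.net'] = 'accept'
    for who in ('alice@example.org', 'x@partner.example',
                'old-friend@example.net', 'stranger@example.com'):
        print(who, moderate(ml, who))
    print('review:', audit_accepts(ml))
```

The From address is the only input to every step in this model, so each entry returned by audit_accepts is an address or pattern whose forgery would be distributed without review.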