I've just moved a discussion group from majordomo to Mailman and posted the
first message to the group. So far, I've had one autoresponder message sent
back. Thankfully, from what I can see, it only came to me and not to the
list address, so hasn't started to loop.



But I've a problem over preserving members' privacy. The list of subscribers
isn't available to other list members. So unless someone posts a message in
the discussion, when their email address will show up in headers, I'm the
only person who knows who's registered. And some people will be concerned
that stays the case.



But the autoresponder message came from someone using their work email so it
includes their name, job and contact details. It doesn't matter this time,
as it came to me. But as soon as someone else posts to the group, I assume
they'll get the same out of office message.



I can warn everyone about this and suggest that, if they don't want their
details revealed, they only use an address that they won't set out of
office. But is there anything else I can do? Privacy is important in our
group so I would like to do what I can, rather than leaving people who
didn't realise about this vulnerable. Meantime, I may unsubscribe this
person so no-one else gets her out of office message.



Not a problem with a loop, thankfully. (Yet? Maybe I'd better put some
filters in pronto!)



I'd be grateful for advice.



Thanks

Clare


  • Mark Sapiro at Apr 5, 2011 at 9:27 pm

    Clare Redstone wrote:
    > I've just moved a discussion group from majordomo to Mailman and posted the
    > first message to the group. So far, I've had one autoresponder message sent
    > back. Thankfully, from what I can see, it only came to me and not to the
    > list address, so hasn't started to loop.

    Any autoresponder that responds to a list post is by definition broken.
    List posts are sent with "Precedence: list" and autoresponders aren't
    supposed to respond to such messages. Also, autoresponders shouldn't
    respond to the same address more than once within some period like a
    day or a week. Finally, an autoresponder should reply to the From: or
    Reply-To: address (although some badly broken autoresponders may
    respond to the Sender: or the envelope sender). Thus, if your list
    doesn't mung Reply-To:, no autoresponder should ever respond to the
    list posting address.

    Note that parts of the above apply only to individual posts. For
    digests, the From: is the LIST-request address, so if a broken
    autoresponder responds to a digest, the response will probably go to
    the -request address possibly generating a "results of your email
    commands" message from Mailman, but not if the autoresponse is
    Precedence: bulk, junk or list as it should be. In those cases, it
    will be discarded.

    > But I've a problem over preserving members' privacy. The list of subscribers
    > isn't available to other list members. So unless someone posts a message in
    > the discussion, when their email address will show up in headers, I'm the
    > only person who knows who's registered. And some people will be concerned
    > that stays the case.

    OK

    > But the autoresponder message came from someone using their work email so it
    > includes their name, job and contact details. It doesn't matter this time,
    > as it came to me. But as soon as someone else posts to the group, I assume
    > they'll get the same out of office message.

    That's probably true, but if list lurkers choose to use broken
    autoresponders that may reveal their address to a list poster and are
    upset about that, that's really their problem. What do they do about
    all the spam they autorespond to? Do they care about that?

    > I can warn everyone about this and suggest that, if they don't want their
    > details revealed, they only use an address that they won't set out of
    > office. But is there anything else I can do? Privacy is important in our
    > group so I would like to do what I can, rather than leaving people who
    > didn't realise about this vulnerable. Meantime, I may unsubscribe this
    > person so no-one else gets her out of office message.

    I appreciate your desire to protect your users' privacy, but I think
    there's little beyond a warning that you can do. Rather than
    unsubscribing the user, you could just set him/her to no mail. You
    could also suggest to people that are concerned that they could set
    themselves to no mail.

    > Not a problem with a loop, thankfully. (Yet? Maybe I'd better put some
    > filters in pronto!)

    As I indicate above, a mail loop is very unlikely if you don't mung
    Reply-To:. Yes, there could be some brain dead autoresponders out
    there that respond to Precedence: list messages, send the autoresponse
    to the To: address (or Reply-To: if you mung it), and send multiple
    responses to the same address, but I think this is rare.

    That's not to say that you shouldn't try to filter, but it's not easy.

    You could set all members moderated and new members moderated by
    default and then clear each poster's moderate bit as they post.
    Clearing the moderate bit is just a checkbox in the admindb interface
    when approving the post. That way, a lurker's autoresponse could never
    make it to the full list.

    --
    Mark Sapiro <mark at msapiro.net> The highway is for gamblers,
    San Francisco Bay Area, California better use your sense - B. Dylan
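
The three rules in the post above (skip Precedence: list/bulk/junk, answer each correspondent at most once per period, answer only From: or Reply-To:) written out as an added example; it is not part of the thread and not Mailman code. The function names, the 7-day interval, the in-memory history dict and all addresses are assumptions made for the illustration.

```python
from datetime import datetime, timedelta
from email import message_from_string
from email.utils import parseaddr

NO_REPLY_PRECEDENCE = {"list", "bulk", "junk"}
MIN_INTERVAL = timedelta(days=7)   # assumption: the post says "a day or a week"
NOW = datetime(2011, 4, 6, 9, 0)   # constructed clock for the sample run
DAY = timedelta(days=1)

# Constructed sample messages; every address is a placeholder.
POST_REPLY_TO_LIST = message_from_string(
    "From: Pat Poster <pat@example.org>\n"
    "Reply-To: discuss@lists.example.org\n"
    "Sender: discuss-bounces@lists.example.org\n"
    "Precedence: list\n"
    "Subject: [Discuss] hello\n\nFirst post.\n")
POST_PLAIN = message_from_string(
    "From: Pat Poster <pat@example.org>\n"
    "Sender: discuss-bounces@lists.example.org\n"
    "Precedence: list\n"
    "Subject: [Discuss] hello\n\nFirst post.\n")
DIRECT_MAIL = message_from_string(
    "From: A Colleague <colleague@example.com>\n"
    "Subject: quick question\n\nAre you in today?\n")


def reply_address(msg):
    """Reply-To: if present, otherwise From:. Never Sender: or the envelope."""
    _, addr = parseaddr(msg.get("Reply-To") or msg.get("From") or "")
    return addr.lower() or None


def autoreply_target(msg, last_replied, now):
    """Address a well-behaved out-of-office reply goes to, or None for no reply.

    last_replied is a hypothetical store mapping address -> time of last reply.
    """
    precedence = (msg.get("Precedence") or "").strip().lower()
    if precedence in NO_REPLY_PRECEDENCE:
        return None                      # rule 1: never answer list traffic
    addr = reply_address(msg)
    if addr is None:
        return None
    previous = last_replied.get(addr)
    if previous is not None and now - previous < MIN_INTERVAL:
        return None                      # rule 2: one reply per period
    last_replied[addr] = now
    return addr                          # rule 3: From:/Reply-To: only


def broken_autoreply_target(msg):
    """Model of the broken case: ignores Precedence and history."""
    return reply_address(msg)


if __name__ == "__main__":
    history = {}
    print("compliant, list post:", autoreply_target(POST_REPLY_TO_LIST, history, NOW))
    print("broken, reply-to-list:", broken_autoreply_target(POST_REPLY_TO_LIST))
    print("broken, no munging:   ", broken_autoreply_target(POST_PLAIN))
    print("compliant, direct:    ", autoreply_target(DIRECT_MAIL, history, NOW))
    print("compliant, next day:  ", autoreply_target(DIRECT_MAIL, history, NOW + DAY))
```

With the Reply-To: set to the list, the broken model sends the out-of-office text to the posting address; without it, the text reaches only the poster.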
  • Clare Redstone at Apr 6, 2011 at 7:24 am
    Dear Mark,

    Thank you for replying so quickly. I don't understand some of the technical
    stuff to understand why the autoresponder message came to me not the group.
    But am glad it did!
    Because we're a discussion group, I have MM set up for reply to the list.
    But haven't set any of the mung options, or we wouldn't know who messages
    are from. We have quite a few people with the same forename so it gets
    confusing.

    > That's probably true, but if list lurkers choose to use broken
    > autoresponders that may reveal their address to a list poster and are
    > upset about that, that's really their problem. What do they do about
    > all the spam they autorespond to? Do they care about that?

    I don't think most people know that autoresponders can be broken. I didn't
    until I started running the list and began reading majordomo and mailman
    users group. And it probably doesn't cross their minds that the
    autoresponder is replying to spam. Maybe because work email systems seem to
    trawl out so much spam. In any case, there's nothing they can do about that
    apart from telling their IT dept when becoming aware of it. At work, you
    have to have an out of office message when you're away.

    I will suggest this person tells her IT dept.

    > Rather than
    > unsubscribing the user, you could just set him/her to no mail

    Duh! Silly me. Having only just moved from majordomo, which didn't have the
    no mail option, to Mailman, I completely forgot I could do this. Despite
    having spent time writing a FAQ for the members which included it. Thanks
    for the suggestion.

    > You could set all members moderated and new members moderated by
    > default and then clear each poster's moderate bit as they post.
    > Clearing the moderate bit is just a checkbox in the admindb interface
    > when approving the post. That way, a lurker's autoresponse could never
    > make it to the full list.

    Thanks for this suggestion. Yes, that would solve it for people who never
    post. There'd still be the possibility of someone posting a message so
    coming off moderation, then later setting their autoresponder. But I'm
    reassured that you say loops are rare.

    Thanks for your help.
    Clare

  • Bernd Petrovitsch at Apr 6, 2011 at 9:07 am
    Hi!

    On Wed, 2011-04-06 at 08:24 +0100, Clare Redstone wrote:
    > [...]
    > Thank you for replying so quickly. I don't understand some of the technical
    > stuff to understand why
    > the autoresponder message came to me not the group. But am glad it did!

    The mail headers are set up so that these types of mails do not go on the
    mailing list. E.g. consider the case that an email address vanishes and
    is still subscribed. You don't want the bounce on the ML too.

    > Because we're a discussion group, I have MM set up for reply to the list.

    That's an entirely different discussion but the standard answer is:
    please read
    http://marc.merlins.org/netrants/reply-to-harmful.html,
    http://www.metasystema.net/essays/reply-to.html and
    http://woozle.org/~neale/papers/reply-to-still-harmful.html and think
    about it.

    > [...]
    > > That's probably true, but if list lurkers choose to use broken
    > > autoresponders that may reveal their address to a list poster and are

    If I really want only to lurk, I wouldn't use an autoresponder at
    all ...

    > > upset about that, that's really their problem. What do they do about
    > > all the spam they autorespond to? Do they care about that?
    >
    > I don't think most people know that autoresponders can be broken. I didn't

    Unfortunately many people at MSFT also do not know it - the one from
    MS-Outlook, MS-OE or Exchange - or wherever that is from - is seriously
    broken (as in replying to "Precedence: List" Mails and especially
    replying to the very same address each time, possibly multiple times a
    day. For me, that is just another class of spam. Greetings to my
    Bayes-DB ....).

    > until I started running the list and began reading majordomo and mailman
    > users group. And it probably doesn't cross their minds that the
    > autoresponder is replying to spam. Maybe because work email systems seem to
    > trawl out so much spam. In any case, there's nothing they can do about that

    They probably do not get much spam - especially if they primarily lurk
    on the public internet and have somewhat sane spam-filters (read: sane
    postmasters) at work.

    > apart from telling their IT dept when becoming aware of it. At work, you
    > have to have an out of office message when you're away.
    >
    > I will suggest this person tells her IT dept.

    Good luck. The standard answer is that it can't be changed within the
    classical MSFT mail infrastructure (except not using the autoresponder.
    Actually I do not know why it is important to people to let everyone
    know, that you are 2 days out of office. If it's not that urgent, it can
    wait anyways. If it is that urgent, I should - or more must - have done
    something before to handle these urgent cases.).

    [ Full quote deleted. ]

    Bernd
    --
    Bernd Petrovitsch Email : bernd at petrovitsch.priv.at
    LUGA : http://www.luga.at
  • Mark Sapiro at Apr 6, 2011 at 3:50 pm

    Clare Redstone wrote:
    > Thank you for replying so quickly. I don't understand some of the technical
    > stuff to understand why
    > the autoresponder message came to me not the group. But am glad it did!
    > Because we're a discussion group, I have MM set up for reply to the list.

    Since autoresponders that reply to list mail are broken by definition,
    it is not possible to say for sure to what addresses they might
    respond, but if we assume that the autoresponder won't reply to a To:
    or Cc: address, the only other 'routing' headers in which the list
    posting address appears are:

    the From: header if the list is anonymous, and

    the Reply-To: header if the original poster has set it to the list or
    if the list is set to "reply to list" (this is what I meant by munging
    the Reply-To:)

    Since your list is "reply to list" I'm a little surprised that the
    autoresponse went to From: and not Reply-To:, but as I said, if
    something is broken, we can't know all the ways in which it might be
    broken.

    > But haven't set any of the mung options, or we wouldn't know who messages
    > are from. We have quite a few people with the same forename so it gets
    > confusing.

    Well, you are munging the Reply-To: in the sense that I meant.

    > [...]
    > > You could set all members moderated and new members moderated by
    > > default and then clear each poster's moderate bit as they post.
    > > Clearing the moderate bit is just a checkbox in the admindb interface
    > > when approving the post. That way, a lurker's autoresponse could never
    > > make it to the full list.
    >
    > Thanks for this suggestion. Yes, that would solve it for people who never
    > post. There'd still be the possibility of someone posting a message so
    > coming off moderation, then later setting their autoresponder. But I'm
    > reassured that you say loops are rare.

    What you say is true as far as looping is concerned, but for the
    privacy aspect, the person would have already posted at some point and
    revealed their posting address in that way, so privacy should be less
    of a concern for that person.

    As far as loops are concerned, we can certainly envision scenarios in
    which this can happen, but I can't recall a report of any. There are
    threads in the archives of this list about filtering such messages,
    but not any of loops as I recall.

    --
    Mark Sapiro <mark at msapiro.net> The highway is for gamblers,
    San Francisco Bay Area, California better use your sense - B. Dylan
  • Stephen J. Turnbull at Apr 6, 2011 at 12:09 am
    Clare Redstone writes:
    > I can warn everyone about this and suggest that, if they don't want
    > their details revealed, they only use an address that they won't
    > set out of office.

    As Mark said, this is in some sense the best you can do. It's not
    really possible to filter on "contact details", although "phone
    number" could be done (assuming you know that you have a certain
    country's phone number, and that country isn't Japan, which has almost
    as many phone number formats as it does phones). But you'd need to
    moderate and edit the messages by hand; automatically removing contact
    details is beyond the state of the art at the moment.

    > But is there anything else I can do? Privacy is important in our
    > group so I would like to do what I can,

    Note that in U.S. law in some jurisdictions, you may be liable for
    damages if you make an attempt to protect a person and fail[1], while
    no liability is incurred if you do nothing. Sad but true. Talk to
    your lawyer.

    That said, you can filter out signatures. There's a standard "in
    message" format, which assumes that everything following a line
    containing *exactly* two hyphens followed by a space, no more and no
    less, is a signature. The details of actually removing the signature
    are somewhat messy (everything in mail is between somewhat messy and
    "after the bomb hit"), and many people (and the occasional
    "professional" program) set up the signature wrong, so it's
    smart-people-proof, but fool-weak. There are other standard ways to
    set up a signature, too, and you could filter those out as well.

    However, automatically editing messages is almost certain to result in
    lost information at some point, and there is no way to guarantee
    you'll catch all inadvertent revelations.

    > Meantime, I may unsubscribe this person so no-one else gets her out
    > of office message.

    Set such subscribers to no-mail, instead. Then they don't lose any
    personal settings and can turn the list back on for themselves when
    they return. If there are private archives, they can continue to
    access those.

    Note that Mailman private archives are not terribly secure by default;
    you might not want to allow access even with in the privacy setting.


    Footnotes:
    [1] It used to be said that in New York City you could tell the
    lawyers' houses in winter time because they didn't shovel snow off
    their sidewalks. A shoveled walk is more likely to be icy and slick.
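
The signature convention described in the post above (a line that is exactly two hyphens and a space), as an added example that is not part of the thread and not a Mailman feature. It cuts at the first delimiter line and reports when a moderator still needs to look, which is the "fool-weak" case; the function names, the choice of the first delimiter and the sample messages are assumptions made for the illustration.

```python
from email import message_from_string, policy

SIG_DELIMITER = "-- "   # exactly two hyphens followed by one space

# Constructed out-of-office samples; names and numbers are placeholders.
OOO_GOOD_SIG = (
    "From: jane@example.org\n"
    "Subject: Out of office\n"
    "Content-Type: text/plain; charset=utf-8\n\n"
    "I am away until Monday.\n"
    "-- \n"
    "Jane Example\nHead of Widgets, Example Ltd\nTel 01632 960000\n")
# Same message, but the delimiter lost its trailing space.
OOO_WRONG_SIG = OOO_GOOD_SIG.replace("-- \n", "--\n")


def parse(raw):
    """Parse raw message text into an EmailMessage."""
    return message_from_string(raw, policy=policy.default)


def strip_signature(text):
    """Return (body, found): the text before the first delimiter line."""
    lines = text.splitlines(keepends=True)
    for i, line in enumerate(lines):
        # Compare without the line ending but keep the trailing space:
        # "--" and "--- " are not signature delimiters.
        if line.rstrip("\r\n") == SIG_DELIMITER:
            return "".join(lines[:i]), True
    return text, False


def redact_message(msg):
    """Strip signatures in place; return True if a moderator should still look."""
    needs_review = False
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_content_type() != "text/plain":
            # HTML alternatives and attachments can repeat the contact details.
            needs_review = True
            continue
        body, found = strip_signature(part.get_content())
        if found:
            part.set_content(body)
        else:
            needs_review = True          # no delimiter: nothing was removed
    return needs_review


if __name__ == "__main__":
    for label, raw in (("good", OOO_GOOD_SIG), ("wrong", OOO_WRONG_SIG)):
        msg = parse(raw)
        review = redact_message(msg)
        print(label, "needs review:", review)
        print(msg.get_content())
```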
  • Clare Redstone at Apr 6, 2011 at 7:31 am
    Dear Stephen,

    Thank you for your prompt help.

    If I've understood you right, it's going to be difficult for me to do
    anything beyond warn people. Apart from moderate all messages, which would
    be OK a lot of the time but sometimes we have very talkative days and of
    course sometimes I'm away. I'm in the UK and don't know what the legal
    situation is about trying and failing.

    > Note that Mailman private archives are not terribly secure by default;
    > you might not want to allow access even with in the privacy setting.

    How insecure? Are they more vulnerable than a members-only Yahoo or Google
    group for example? Are they protected from search engines? Would someone
    have to make a deliberate effort to hack in to read the archive or could
    someone come across it by accident, say through a search engine?

    I think if it would take someone with some technical knowledge, deliberately
    looking for it to get in, that would be safe enough. I will add a warning to
    the FAQ that someone could deliberately hack in and bring it to their
    attention. One thing I'm suggesting is that people could set up an email
    account with a nickname so they wouldn't so easily be identified.

    Thanks.
    Clare

  • Stephen J. Turnbull at Apr 6, 2011 at 8:29 am
    Clare Redstone writes:
    > How insecure? Are they more vulnerable than a members-only Yahoo or Google
    > group for example?

    Probably a little more vulnerable, for social reasons. Your members-only
    password at Yahoo/Google is your personal mail password; people
    probably protect those fairly well (although often enough dinner
    guests can read them off the post-it on the monitor in the corner ;-).
    Mailman subscription passwords tend to be easier to guess.

    > Are they protected from search engines?

    Yes.

    > Would someone have to make a deliberate effort to hack in to read
    > the archive

    Yes.

    > or could someone come across it by accident, say through a search
    > engine?

    No.

    > I think if it would take someone with some technical knowledge,
    > deliberately looking for it to get in, that would be safe enough.

    Stealing a password doesn't take technical knowledge, but it clearly
    takes evil intent.

    > One thing I'm suggesting is that people could set up an email
    > account with a nickname so they wouldn't so easily be identified.

    This is a good idea any time you want to preserve a modicum of privacy
    on the 'net.

Discussion Overview
group: mailman-users @
categories: python
posted: Apr 5, '11 at 8:30p
active: Apr 6, '11 at 3:50p
posts: 8
users: 4
website: list.org
