Re: [sympa-users] Shared document exploit

Subject: The mailing list for listmasters using Sympa

  • From: Serge Aumont <address@concealed>
  • To: "Mark F. Heiman" <address@concealed>
  • Cc: address@concealed
  • Subject: Re: [sympa-users] Shared document exploit
  • Date: Mon, 08 Feb 2010 08:24:33 +0100

Hi

On 02/02/10 16:36, Mark F. Heiman wrote:
> I wanted to share an incident we just had with spammers, just in case
> others may run into this same situation.
>
> It only applies if your Sympa install enables shared documents, allows
> anyone to register, and any registered user can request a new list.
> We're running 5.4, but I don't think version 6 changes anything here.
>
> Here's what happens:
>
> -- The spammer registers on your site and requests a new list.
> -- At this point, even before the list is approved or rejected, the
> shared document repository is available. The spammer uses the
> repository to create a little web site of ads for their product, and
> makes it public.
> -- The spammer then sends out their spam by some other mechanism,
> directing people to the pages on your Sympa site.
> -- Rejecting the list request DOES NOT close the repository. If you
> just reject the list, but don't purge it from the system, the spammer
> will keep right on using it.
>
> Obviously, there are a number of different ways to prevent this; we
> just changed the scenario on create_list to intranet. But everyone
> should be aware that spammers are looking for Sympa sites that allow
> this behavior. If you start getting random list requests from
> strangers, don't just reject them and forget about it.
>
> It probably makes sense to add some restrictions in the code, so that
> shared documents are only served if a list is open.

This problem is fixed for Sympa 6.1 (CVS trunk). Now Sympa shared is
not available unless the list status is "open". You can catch this patch
to wwsympa.fcgi.in at
http://sourcesup.cru.fr/cgi/viewvc.cgi/trunk/wwsympa/wwsympa.fcgi.in?root=sympa&r1=6355&r2=6357

Formerly you should also apply the following patch to
web_tt2/error.tt2 in order to send a correct error message to the user:
http://sourcesup.cru.fr/cgi/viewvc.cgi/trunk/web_tt2/error.tt2?root=sympa&r1=6099&r2=6357

Thanks for reporting.
Serge Aumont
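The thread describes two gaps a listmaster wants to close: a shared repository that exists for a list whose status is "pending" (requested, never approved) or "closed" (rejected but not purged), and content that keeps being served from it. For sites that cannot yet take the 6.1 patch, an audit of the list tree is the practical check. The script below is an added example, not code from Sympa or from either poster. It assumes a Sympa-style layout where each list lives in `<list_root>/<listname>/`, the list's `config` file carries a `status <value>` line, and the shared repository is the `shared/` subdirectory; those layout details are assumptions here, not taken from the thread. It builds a throwaway list root with constructed sample lists so it runs offline, then reports every list whose shared repository exists while its status is anything other than "open".

```python
import os
import re
import tempfile
from pathlib import Path

# Assumed layout: <list_root>/<listname>/config contains "status <value>";
# <list_root>/<listname>/shared exists once a shared repository was created.
STATUS_RE = re.compile(r"^\s*status\s+(\S+)", re.MULTILINE)


def list_status(list_dir) -> str:
    """Return the status parameter from a list's config file, or 'unknown'."""
    cfg = Path(list_dir) / "config"
    if not cfg.is_file():
        return "unknown"
    m = STATUS_RE.search(cfg.read_text(encoding="utf-8", errors="replace"))
    return m.group(1) if m else "unknown"


def audit_shared(list_root) -> list:
    """Flag lists that have a shared repository but are not in status 'open'.

    Each finding records the list name, its status and how many files the
    repository still holds, so the listmaster can decide to purge or close it.
    """
    findings = []
    for list_dir in sorted(Path(list_root).iterdir()):
        if not list_dir.is_dir():
            continue
        shared = list_dir / "shared"
        if not shared.is_dir():
            continue  # no repository, nothing can be served from it
        status = list_status(list_dir)
        n_files = sum(1 for p in shared.rglob("*") if p.is_file())
        if status != "open":
            findings.append({"list": list_dir.name, "status": status, "files": n_files})
    return findings


def build_sample_root() -> str:
    """Create a temporary list root with constructed sample lists (not real data)."""
    root = tempfile.mkdtemp(prefix="sympa_audit_")
    samples = {
        "staff": ("open", ["minutes.html"]),                  # approved list, fine
        "cheap-pills": ("pending", ["index.html", "buy.html"]),  # requested, never approved
        "old-project": ("closed", ["readme.txt"]),            # rejected but not purged
        "no-shared": ("pending", None),                       # pending, no repository yet
    }
    for name, (status, files) in samples.items():
        d = Path(root) / name
        d.mkdir()
        (d / "config").write_text(f"subject Sample list {name}\nstatus {status}\n")
        if files is not None:
            (d / "shared").mkdir()
            for f in files:
                (d / "shared" / f).write_text("<html>constructed sample page</html>\n")
    return root


if __name__ == "__main__":
    root = build_sample_root()
    for f in audit_shared(root):
        print(f"{f['list']}: status={f['status']}, {f['files']} shared file(s) still present")
```

Run against a real installation by passing the list root directory to `audit_shared()` instead of the constructed one; a "pending" hit is exactly the case Mark describes, and a "closed" hit is a rejected list whose repository was never purged. Pair the audit with the configuration change the thread mentions (restricting `create_list` so strangers cannot request lists) rather than relying on either alone.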


