Andrea Veri: Adding reCAPTCHA support to Mailman

Planet Debian - Sat, 03/05/2014 - 11:37

The GNOME and many other infrastructures have been recently attacked by a huge amount of subscription-based spam against their Mailman instances. What the attackers were doing was simply launching a GET call against a specific REST API URL passing all the parameters it needed for a subscription request (and confirmation) to be sent out. Understanding it becomes very easy when you look at the following example taken from our apache.log:

May 3 04:14:38 restaurant apache:, - - [03/May/2014:04:14:38 +0000] "GET /mailman/subscribe/banshee-list?email=example@me.com&fullname=&pw=123456789&pw-conf=123456789&language=en&digest=0&email-button=Subscribe HTTP/1.1" 403 313 "http://spam/index2.html" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.131 Safari/537.36"

As you can see, the attackers were sending all the relevant details needed for the subscription to go forward (and specifically the full name, the email, the digest option and the password for the target list). At first we tried to stop the spam by banning the subnets where the requests were coming from, then when it was obvious that more subnets were being used and manual intervention was needed we tried banning their User-Agents. Again no luck, the spammers were smart enough to change it every now and then, making it match an existing browser User-Agent (with a good chance of a lot of false positives).

Now you might be wondering why such an attack caused a lot of issues and pain. Well, the attackers made use of addresses found around the web for their malicious subscription requests. That means we received a lot of emails from people that have never heard about the GNOME mailing lists but received around 10k subscription requests that were seemingly being sent by themselves.

It was obvious we needed to look at a backup solution and luckily someone on our support channel suggested the freedesktop.org sysadmins recently added CAPTCHA support to Mailman. I’m now sharing the patch and providing a few more details on how to properly set it up on either DEB or RPM based distributions. Credits for the patch should be given to Debian Developer Tollef Fog Heen, who has been so kind to share it with us.

Before patching your installation make sure to install the python-recaptcha package (tested on Debian with Mailman 2.1.15) on DEB based distributions and python-recaptcha-client on RPM based distributions. (I personally tested it against Mailman release 2.1.15, RHEL 6)

The Patch diff --git a/Mailman/Cgi/listinfo.py b/Mailman/Cgi/listinfo.py index 4a54517..d6417ca 100644 --- a/Mailman/Cgi/listinfo.py +++ b/Mailman/Cgi/listinfo.py @@ -22,6 +22,7 @@ import os import cgi +import sys from Mailman import mm_cfg from Mailman import Utils @@ -30,6 +31,8 @@ from Mailman import Errors from Mailman import i18n from Mailman.htmlformat import * from Mailman.Logging.Syslog import syslog +sys.path.append("/usr/share/pyshared") +from recaptcha.client import captcha # Set up i18n _ = i18n._ @@ -200,6 +203,9 @@ def list_listinfo(mlist, lang): replacements[''] = mlist.FormatFormStart('listinfo') replacements[''] = mlist.FormatBox('fullname', size=30) + # Captcha + replacements[''] = captcha.displayhtml(mm_cfg.RECAPTCHA_PUBLIC_KEY, use_ssl=False) + # Do the expansion. doc.AddItem(mlist.ParseTags('listinfo.html', replacements, lang)) print doc.Format() diff --git a/Mailman/Cgi/subscribe.py b/Mailman/Cgi/subscribe.py index 7b0b0e4..c1c7b8c 100644 --- a/Mailman/Cgi/subscribe.py +++ b/Mailman/Cgi/subscribe.py @@ -21,6 +21,8 @@ import sys import os import cgi import signal +sys.path.append("/usr/share/pyshared") +from recaptcha.client import captcha from Mailman import mm_cfg from Mailman import Utils @@ -132,6 +130,17 @@ def process_form(mlist, doc, cgidata, lang): remote = os.environ.get('REMOTE_HOST', os.environ.get('REMOTE_ADDR', 'unidentified origin')) + + # recaptcha + captcha_response = captcha.submit( + cgidata.getvalue('recaptcha_challenge_field', ""), + cgidata.getvalue('recaptcha_response_field', ""), + mm_cfg.RECPTCHA_PRIVATE_KEY, + remote, + ) + if not captcha_response.is_valid: + results.append(_('Invalid captcha')) + # Was an attempt made to subscribe the list to itself? if email == mlist.GetListEmail(): syslog('mischief', 'Attempt to self subscribe %s: %s', email, remote)
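Review bot: In the subscribe.py process_form hunk the private key is read as mm_cfg.RECPTCHA_PRIVATE_KEY, which is missing the "A" that mm_cfg.RECAPTCHA_PUBLIC_KEY carries in the listinfo.py hunk. Unless mm_cfg.py defines exactly that misspelled name, the lookup raises AttributeError on every subscription request; rename it to mm_cfg.RECAPTCHA_PRIVATE_KEY so both settings share one spelling. In the same call, remote is taken from REMOTE_HOST before REMOTE_ADDR and can fall back to the string 'unidentified origin', so the value handed to captcha.submit as the client address may be a hostname or that placeholder; pass os.environ.get('REMOTE_ADDR') for the captcha check and keep remote for logging.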
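Review bot: The list_listinfo hunk in listinfo.py hard-codes use_ssl=False in captcha.displayhtml(mm_cfg.RECAPTCHA_PUBLIC_KEY, use_ssl=False), so the widget is fetched over plain HTTP even when the list page itself is served over HTTPS, which browsers treat as mixed content. Default to use_ssl=True, or read the value from an mm_cfg setting, rather than asking each admin to edit the line after applying the patch.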
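Review bot: The import hunks in both listinfo.py and subscribe.py add sys.path.append("/usr/share/pyshared") followed by an unconditional from recaptcha.client import captcha, which ties the patch to one distribution's layout and makes both CGIs fail at import time on any host where the module lives elsewhere. Drop the hard-coded path in favour of a documented install location, and wrap the import so a missing module produces a clear logged error instead of a broken listinfo and subscribe page.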

Additional setup

Then, in the /var/lib/mailman/templates/en/listinfo.html template (right below <mm-digest-question-end>), add:

<tr>
  <td>Please fill out the following captcha</td>
  <td><mm-recaptcha-javascript></td>
</tr>

Also make sure to generate a public and private key at https://www.google.com/recaptcha and add the following parameters to your mm_cfg.py file:


Loading reCAPTCHA images from a trusted HTTPS source can be done by changing the following line:

replacements['<mm-recaptcha-javascript>'] = captcha.displayhtml(mm_cfg.RECAPTCHA_PUBLIC_KEY, use_ssl=False)

to:

replacements['<mm-recaptcha-javascript>'] = captcha.displayhtml(mm_cfg.RECAPTCHA_PUBLIC_KEY, use_ssl=True)

EPEL 6 related details

A few additional details should be provided in case you are setting this up against a RHEL 6 host: (or any other machine using the EPEL 6 package python-recaptcha-client-1.0.5-3.1.el6)

Importing the recaptcha.client module will fail for some strange reason; importing it correctly can be done this way:

ln -s /usr/lib/python2.6/site-packages/recaptcha/client /usr/lib/mailman/pythonlib/recaptcha

and then fix the imports:

from recaptcha import captcha

That’s not all: the package still won’t work as expected, given that the API_SSL_SERVER, API_SERVER and VERIFY_SERVER variables in captcha.py are outdated (filed as bug #1093855). Substitute them with the following ones:

API_SSL_SERVER="https://www.google.com/recaptcha/api"
API_SERVER="http://www.google.com/recaptcha/api"
VERIFY_SERVER="https://www.google.com/recaptcha/api/verify"

That should be all! Enjoy!

Categories: Elsewhere
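The Mailman post above notes that banning subnets and User-Agents failed because both kept changing; what stays fixed is the request shape in the quoted log line, a GET to /mailman/subscribe/<list> carrying the whole form. The following is an added example, not part of the original post or of Mailman, that scans access-log lines for that shape and reports which lists are being hit. The sample lines, the function names and the premise that the genuine listinfo form submits by POST are assumptions of this example.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in the shape of the apache.log entry quoted in the post.
# Client and e-mail addresses are documentation placeholders, not real data.
PREFIX = 'May 3 04:14:38 restaurant apache: %s - - [03/May/2014:04:14:38 +0000] '
FORM = '&fullname=&pw=1&pw-conf=1&language=en&digest=0&email-button=Subscribe'
SAMPLE_LOG = [
    PREFIX % '192.0.2.10' + '"GET /mailman/subscribe/banshee-list?email=a@example.com'
    + FORM + ' HTTP/1.1" 403 313 "http://spam/index2.html" "Mozilla/5.0 Chrome/34"',
    PREFIX % '198.51.100.7' + '"GET /mailman/subscribe/banshee-list?email=B@example.org'
    + FORM + ' HTTP/1.1" 200 313 "http://spam/index2.html" "Mozilla/5.0 Firefox/28"',
    PREFIX % '203.0.113.5' + '"GET /mailman/subscribe/gnome-list?email=c@example.net'
    + FORM + ' HTTP/1.1" 200 313 "-" "Mozilla/5.0 Safari/537"',
    PREFIX % '192.0.2.44' + '"POST /mailman/subscribe/banshee-list HTTP/1.1" 200 900 '
    '"https://lists.example/mailman/listinfo/banshee-list" "Mozilla/5.0"',
    PREFIX % '192.0.2.44' + '"GET /mailman/listinfo/banshee-list HTTP/1.1" 200 4000 '
    '"-" "Mozilla/5.0"',
]

# Method, request target and status as they appear in the quoted request field.
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
SUBSCRIBE = re.compile(r'^/mailman/subscribe/(?P<list>[^/?]+)$')

def scripted_subscriptions(lines):
    """Map list name -> set of addresses submitted by GET to the subscribe CGI."""
    hits = defaultdict(set)
    for line in lines:
        req = REQUEST.search(line)
        # Assumption: the genuine form submits by POST, so only GETs are of interest.
        if not req or req.group('method') != 'GET':
            continue
        url = urlsplit(req.group('target'))
        path = SUBSCRIBE.match(url.path)
        if not path:
            continue
        query = parse_qs(url.query, keep_blank_values=True)
        # The spam requests carry the address and the submit-button field together.
        if 'email' in query and 'email-button' in query:
            hits[path.group('list')].add(query['email'][0].lower())
    return dict(hits)

def lists_under_attack(lines, threshold=2):
    """Lists that received GET subscriptions for at least `threshold` distinct addresses."""
    hits = scripted_subscriptions(lines)
    return sorted(name for name, addrs in hits.items() if len(addrs) >= threshold)
```

Keying on distinct target addresses per list rather than on client address or User-Agent keeps the check stable against the rotation the post describes.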

Russell Coker: Source Escrow for Proprietary Software

Planet Debian - Sat, 03/05/2014 - 07:50

British taxpayers are paying for extra support for Windows XP due to a lack of planning by the UK government [1]. While the cost of this is trivial compared to other government stupidity (such as starting wars of aggression) this sort of thing should be stopped.

The best way to solve such problems is for governments to only use free software. If the UK government used Red Hat Enterprise Linux then when Red Hat dropped support for old versions they would have the option of providing their own support for old versions, hiring any other company to support old versions, or paying Red Hat for supporting it. In that case the Red Hat offer would probably be quite reasonable as competition drives the prices down.

It doesn’t seem likely that the UK government will start using only free software in the near future. It’s not impossible to do so, there are organisations dedicated to this task such as Free-gov.org which aims to develop e-government software that is under GPL licenses [2]. The Wikipedia page List of Linux Adopters [3] has a large section on government use, while not all entries are positive (some have reverted) it shows that it’s possible to use Linux for all areas of government. But governments often move slowly and in the case of wealthy countries such as the UK it can be easier to just tax the citizens a little more than to go to the effort of saving money.

But when governments use proprietary software they shouldn’t be restricted in support. It seems that the only way to ensure that the government can do what it needs is to have a source escrow system. Then if the company that owned the software ceased supporting it anyone who wanted to offer support would be able to do so. This would probably require that software which is out of support be released to the public domain so that anyone who wanted to tender for such support work could first inspect the code to determine if they were capable of doing the work.

People who believe the myths about secret source software claim that allowing the source code to be released would damage the company that owns it. This has been proved incorrect by the occasions when source code for software such as MS-Windows has been released on the Internet with no apparent harm. Also Microsoft have a long history of licensing their source code to universities, governments, and other companies for various purposes (including porting Windows to other CPUs). It’s most likely that some part of the UK government already has the full source code to Windows XP, and it’s also quite likely that computer criminals have obtained copies of the source by now for the purpose of exploiting security flaws. Also they stop supporting software when they can’t make money from providing the usual support, so by definition the value to a company of the copyright is approaching zero by the time they decide to cease support.

Given the lack of success experienced by companies that specialise in security (for example the attack on RSA to steal the SecurID data [4]) it doesn’t seem plausible that Microsoft has had much success in keeping the source to Windows XP (or any other widely used product) secret over the course of 12 years.

In summary source code to major proprietary software products is probably available to criminals long before support expires and is of little value to the copyright owners. But access to it can provide value to governments and other users of the software.

The only possible down-side to the software vendor is if the new version doesn’t provide any benefits to the user. This could be a problem for Microsoft who seem to have the users hate every second version of Windows enough to pay extra for the old version. The solution is to just develop quality software that satisfies the needs of the users. Providing a legal incentive for this would be a good idea.

Categories: Elsewhere

Matthew Palmer: How *not* to do a redirect

Planet Debian - Sat, 03/05/2014 - 07:00

This is the entirety of a (purportedly) HTML page I just got:

<script language="javascript"> window.location = "http://example.com/obscured/to/protect/the/guilty" </script>

To compound the pain, this didn’t come from a site run by people who wouldn’t be expected to know any better – it’s associated with a rather popular web-oriented test framework. So it should contain at least one person who might pipe up and say, “WTF, don’t do that!”.

I’m up to about 7 things that are wrong with this. Anyone want to weigh in with their own enumeration of why this is shockingly bad?

Categories: Elsewhere

2bits: Presentation: Drupal Performance Tips and Tricks

Planet Drupal - Sat, 03/05/2014 - 04:36

On Friday May 2nd, 2014, Khalid of 2bits.com, Inc. presented on Drupal Performance. The presentation covered important topics such as:

- Drupal misconception: Drupal is slow/resource hog/bloated
- Drupal misconception: Only Anonymous users benefit from caching in Drupal
- Drupal misconception: Subsecond response time in Drupal is impossible for logged in users
- Drupal misconception: Cloud hosting is more cost effective than dedicated servers

The presentation slides are attached for those who may be interested ...

Categories: Elsewhere

Drupalize.Me: Let's Debug Twig in Drupal 8!

Planet Drupal - Sat, 03/05/2014 - 01:58

When I am theming a Drupal site, I need to know which variables are available on a template file. In Drupal 8, the template engine is Twig, so we’re going to need to know a little bit of Twig to make this work. So, if Twig is totally new to you, don’t worry. Today, you’ll learn some Twig!

Categories: Elsewhere

Steve Kemp: Cold lakes are cold.

Planet Debian - Sat, 03/05/2014 - 01:45

Swimming in a Finnish lake, after some (naked) sauna-time with my new brother-in-law (lanko):

(Did I mention that it was cold? So. Very. Cold.)

And that concludes my annual tour of Helsinki, and the very beautiful surrounding scenery, which is largely water-based.

Categories: Elsewhere

Dimitri John Ledkov: X4D Icons released

Planet Debian - Sat, 03/05/2014 - 01:38
I am releasing some icons under MIT license. They will be hosted at x4d.surgut.co.uk and available for development on GitHub.
I had to create my own icons, as I couldn't find icons of similar nature under a free license. Hopefully others will find these useful as well.

The icons below are all available in PNG, GIF, SVG and EPS. To link to a specific version directly, add .png, .gif, -v.svg or -v.eps to the generic URI (or browse the icons repository to see all versions).

Document types (each with a Light and a Dark icon): HTML 2.0, HTML 3.2, HTML 4.0, HTML 4.01, XHTML 1.0, XHTML 1.1, XHTML Basic 1.0, XHTML-Print 1.0, CSS, CSS 1, CSS 2, MathML 2.0, SVG 1.0, SVG 1.1, SVG 1.2, SVG Tiny 1.1, SVG Tiny 1.2, XML 1.0, XML 1.1

Categories: Elsewhere

Drupal Association News: Whitney Hess to lead Drupal.org user research!

Planet Drupal - Fri, 02/05/2014 - 22:01

Several weeks ago, we issued an RFQ for User Research as part of our Drupal.org revamp. We received a big number of exciting submissions, and the Drupal Association staff and Drupal.org Content Working Group members had a wonderful time reviewing responses and interviewing potential vendors.

Now, after several weeks of reading and careful debate, we’re thrilled to announce that we’ve selected a vendor for our user research: Whitney Hess!

Throughout the selection process, we were constantly impressed by her professionalism and enthusiasm for the project. We were impressed by Whitney’s experience coaching business leaders on how to more mindfully and compassionately design their products, their companies and themselves, and felt that her life’s mission to put humanity back into business aligns beautifully with the values of the Drupal Association and greater Drupal community. Her unique approach will help us build internal skills in the tech team, which we’ll be able to benefit from even after this project is over.

Congratulations, Whitney! We can’t wait to start working together to make Drupal.org even better for everyone who uses it.

Personal blog tags: user research
Categories: Elsewhere

