Re: List Password Lost Request

 
From: "Justin J" <justin@PROTECTED>
Date: May 12th 2010

Justin, any thoughts about implementing a temporary lockout or at least an alert when a password is clearly trying to be hacked? The thought of someone succeeding in accessing a list is frightening.

Well,

Let's see what the docs have:

http://dadamailproject.com/support/documentation-4_0_4/Config.pm.html#security

First off:

$SHOW_ADMIN_LINK

Quote: Set $SHOW_ADMIN_LINK to '0' to take off the 'Administration' link that you see on the Dada Mail default page.

Yeah, let's def use that. If you use an outside config file, use, "2", instead of 0. What else?

$ADMIN_FLAVOR_NAME

Quote:

Complementary to the $SHOW_ADMIN_LINK variable, $ADMIN_FLAVOR_NAME allows you to set the URL needed to access the screen that has the form to log into all the lists administrated by Dada Mail and to the form to create a new list.

That sounds pretty useful too. I use both myself. If you look at:

http://dadamailproject.com/cgi-bin/dada/mail.cgi

You'll notice there isn't an administration link, and just going to the default one:

http://dadamailproject.com/cgi-bin/dada/mail.cgi/admin

Doesn't work (you just go to the default screen).

That seems like we're doing some good - but couldn't someone just make a query string, with the correct variables? Something like,

http://dadamailproject.com/cgi-bin/dada/mail.cgi?f=login&process=true&admin_list=dada_announce&admin_password=secret

I mean, what's the point of hiding the form, if you can just bypass the form?

If you try the above, it doesn't work, because:

$DISABLE_OUTSIDE_LOGINS

If set to, 1, the only forms that will allow you to log into a Dada Mail list will be by a form supplied by Dada Mail itself.

This means, you can't create a different form, outside the program to provide a way to login.

More so than any other option, this variable attempts to stop attempts of logging into a list by automated means.

So, contrary to what I think John says is happening, someone (or something - a 'bot? is this a similar problem we had with bots following links in archived messages?) is just trying to login by guessing the password, it's not working and they click the button to get it reset.

If you set the three variables above, that above scenario will quickly dissipate.
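
An added example, not part of the original message and not Dada Mail code: a log check that flags repeated query-string login requests of the shape shown above, as one way to get the alert asked about at the top of this message. It assumes a combined-format web server access log; the threshold, window, and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# Assumed Apache/nginx "combined" log format; threshold and window are assumed values.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+) [^"]*" \d{3}')
THRESHOLD = 5
WINDOW = timedelta(minutes=10)

def login_attempt(line):
    """Return (ip, time, list_name) for a query-string login request, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, stamp, target = m.groups()
    url = urlsplit(target)
    q = parse_qs(url.query)
    if not url.path.endswith("mail.cgi") or q.get("f") != ["login"]:
        return None
    when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
    # admin_password is deliberately never read or echoed.
    return ip, when, q.get("admin_list", ["?"])[0]

def find_guessing(lines):
    """Return sorted (ip, list_name, count) where count >= THRESHOLD inside WINDOW."""
    seen = defaultdict(list)
    for hit in filter(None, map(login_attempt, lines)):
        seen[(hit[0], hit[2])].append(hit[1])
    alerts = []
    for (ip, name), times in seen.items():
        times.sort()
        best = start = 0
        for end, t in enumerate(times):
            while t - times[start] > WINDOW:
                start += 1
            best = max(best, end - start + 1)
        if best >= THRESHOLD:
            alerts.append((ip, name, best))
    return sorted(alerts)

# Constructed sample lines (documentation IP ranges, made-up passwords).
URL = "/cgi-bin/dada/mail.cgi?f=login&process=true&admin_list=dada_announce&admin_password="
SAMPLE = [f'203.0.113.9 - - [12/May/2010:10:00:{s:02d} +0000] "GET {URL}guess{s} HTTP/1.1" 200 512'
          for s in range(0, 12, 2)]
SAMPLE.append(f'198.51.100.4 - - [12/May/2010:10:01:00 +0000] "GET {URL}x HTTP/1.1" 200 512')

if __name__ == "__main__":
    for ip, name, n in find_guessing(SAMPLE):
        print(f"ALERT {ip}: {n} login attempts on list {name!r} within {WINDOW}")
```

Access logs record only the request line, so this sees query-string attempts and not logins submitted in a POST body; any `admin_password` value sent in a query string is also stored in the log itself, so treat those log files as sensitive.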


This is the developer discussion mailing list for Dada Mail.
