2015-09-18

Note to mailing list admins: Large scale auto-subscribers as revenge seems to be happening.

[In case what I am outlining is a known thing and I just found out about it.. my apologies.. I have been thankfully away from this.]

A couple of days ago, a couple of the list admins on Fedora lists were noticing an uptick in subscription attempts for an address @mms.att.com, which is basically an email-to-MMS gateway. The reason they were seeing this was because ATT was blocking the messages and sending back a helpful email saying "This person does not accept unsolicited text emails." After some investigation, it turned out that this person was actually one of 20 or so people who were getting attempts to auto-subscribe them to every Fedora list. For people at gmail.com and other email addresses they used the "filtering" technique of +@gmail.com so that each subscription looked unique to the mailing list software. Thankfully none of the lists allow for auto subscriptions or some people would have received 10,000 copies of every email. Still, each attempt got them sent an email saying "Hey someone tried to subscribe you to XYZ list. Please click this link to confirm." They used some sort of botnet to distribute the subscription attempts, as over 8000 IPs were used in 24 hours for 160,000 attempted subscriptions.

Doing a simple google search of a couple of the emails and looking at some of the posts related to them in Facebook and Twitter, the only common thread was that they had all gotten involved in messy breakups. So my weak conjecture is that someone has created a "Revenge Spam" site where you pay them, give them an email address and they sign that email address up to every mailing list etc. to make their lives miserable. This type of thing isn't much different from the old "sign up my ex to Columbia House Tapes/Records/CD collection" and every magazine with a free insert for N magazines before being billed. It is a pain and petty.

In any case, if you run into this and are using mailman2, you can add filtering per list using the amazing Mark Sapiro's ban module which will allow for various regexp so that when they change from to or some similar tactic these attempts are silently dropped.

[Thanks to Kevin Fenzi for finding this link http://www.mail-archive.com/mailman-users@python.org/msg67312.html as google and I were having a disagreement on what I meant by filtering and this showed up on page 4 of my google search and page 1 of his.]

In any case, you should check the /var/log/mailman/subscribe for a large growth in subscription attempts of the same email address from multiple IPs. I am going to see what we need to do to block this on the mailman3 side of things and will hopefully post a followup with that info.
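
One way to run that check, as an added example (not from the original post or the Mailman project): the script groups pending subscription requests by address with any +tag removed and reports addresses requested on several lists from several IPs. The log line layout, the sample lines and the thresholds are assumptions; adjust the pattern to what your subscribe log actually contains.

```python
import re
from collections import defaultdict

# Constructed sample lines. Assumed layout (not taken from the post):
#   <timestamp> (<pid>) <list>: pending <address> <remote IP>
SAMPLE_LOG = """\
Sep 17 10:01:02 2015 (2101) devel: pending target+a1b2@example.com 192.0.2.10
Sep 17 10:01:09 2015 (2101) users: pending target+c3d4@example.com 198.51.100.7
Sep 17 10:01:15 2015 (2101) announce: pending Target+e5f6@example.com 203.0.113.44
Sep 17 10:01:21 2015 (2101) test: pending target+g7h8@example.com 192.0.2.99
Sep 17 10:03:40 2015 (2101) devel: pending alice@example.org 198.51.100.20
Sep 17 10:06:00 2015 (2101) users: new bob@example.org, admin mass sub
"""

PENDING = re.compile(
    r"\)\s+(?P<list>\S+): pending <?(?P<addr>[^\s<>]+@[^\s<>]+)>?\s+(?P<ip>\S+)\s*$"
)


def normalize(addr):
    """Lower-case the address and drop any +tag so variants collapse to one key."""
    local, _, domain = addr.lower().rpartition("@")
    return local.split("+", 1)[0] + "@" + domain


def summarize(lines):
    """Map each normalized address to its attempt count, lists and source IPs."""
    seen = defaultdict(lambda: {"attempts": 0, "lists": set(), "ips": set()})
    for line in lines:
        m = PENDING.search(line)
        if not m:
            continue  # confirmations, removals and other entries are not attempts
        entry = seen[normalize(m.group("addr"))]
        entry["attempts"] += 1
        entry["lists"].add(m.group("list"))
        entry["ips"].add(m.group("ip"))
    return dict(seen)


def flag(summary, min_lists=3, min_ips=3):
    """Addresses requested on many lists from many distinct IPs (assumed thresholds)."""
    return sorted(
        addr for addr, e in summary.items()
        if len(e["lists"]) >= min_lists and len(e["ips"]) >= min_ips
    )


if __name__ == "__main__":
    for addr in flag(summarize(SAMPLE_LOG.splitlines())):
        print(addr)
```

To run it against a real log, pass the open file object to `summarize()` in place of the sample lines.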

[To the people who got a ton of email requests to subscribe to N mailing lists.. I apologize for not catching this earlier.]

2015-09-10

Where is my Fedora 15 (or how to deal with the disconnect between Fedora and your textbook).

The Problem

Every year, Fedora Infrastructure will get an influx of requests to admin@ or webmaster@ or some similar email address from someone who is looking for an old version of Fedora. Most of the time, we don't know why they are looking for this and ask them to use the recent version of Fedora instead of the one they asked for. The reason we do this is because those versions are old, insecure, and problems they run into will not be fixed or probably answered.

I have run into the problem myself this month as a class I am taking is using a Networking book that came out in 2013 and asks the students to use Fedora 15 (or later) to complete various examples. The "or later" sounds like it should cover the problems until I got into the actual examples and tools being used. The commands being referenced are the older network tools commands: ifconfig, netstat, route, etc. Those have been considered legacy for many years but are still the ones that a student will find in most textbooks and many online tutorials. The commands that replaced them are ip and ss. [For more information the wikipedia article was good.] To add further injury to the student, the graphical commands referenced are either no longer bundled or look completely different from what the books reference.

The disconnect only gets greater as most of the textbooks do not get refreshed at a rate greater than once every 5 years. So the book which was written in 2011 (when Fedora 15 was being released) and didn't get finished through the editing system until 2013 (when Fedora 15 was end of lifed) will still be in use until 2018 to 2021 and what is Fedora 30+ will probably not look anything like the textbook or now.

Solutions for Students:

  1. Download Fedora 15 from the Fedora Archives. {1}{2}
  2. Use CentOS-6 for the problems in your text book. While CentOS-6 is based off of Fedora 12, the command line options are probably the same and the graphical utilities are also the same. The reason to use CentOS-6 is that it is supported til 2020 (which should match the lifetime of the textbook).
  3. If you do download and use a later version of Fedora, you can currently (as of Fedora 22/23) install the net-tools RPM which will give you access to the command line tools used in most of these textbooks. Do this with the following steps:
    1. Open a terminal window.
    2. sudo dnf install net-tools
    3. Follow the prompts and then use the commands as in the book.
  • {1} People ask if there are torrents for these older releases, but that relies on the idea that torrents are always faster. They are only 'faster' if you have many people sharing the copy and enough of them are close enough to you that getting little bits from them is quicker than using a further away mirror. In the case of old releases, where there aren't many people in the torrent group, it is much slower to use torrents.
  • {2} Use a live image and do not run this OS for long after use.

Solutions for Publishers

This one is probably going to get me in trouble, but if you are making a printed textbook do not use a short-lived Linux OS like Fedora for the examples. For online coursework where you can update the examples and problems, Fedora will keep the students up to date but in printed form it quickly makes the textbook 'useless'. I am not even sure that an LTS from Ubuntu would live long enough for printed books. At the time the book was being written, Ubuntu 10.4 LTS would have been the one to make examples from. However it went End of Life earlier this year so a student would still be needing a version from the archives. The OS which seems to meet the lifetime of textbooks better is CentOS or Scientific Linux which matches the Red Hat Enterprise Linux lifetime.

Solutions for Fedora?

I am not sure what the solution for Fedora is. An LTS version would need to have a 7-10 year lifetime to match the publishing industry's norms. It would be nice if we could work with publishers to have updated tutorials. They explain what things they are wanting in various textbooks and we put online and update things that meet those needs. However, I don't see the will to do this because these textbooks are costing students $150+ and this is 'free' work from contributors without seeing that cost go down.