[Owasp-board] My input on our response to CH

Michael Coates michael.coates at owasp.org
Fri Sep 4 19:18:51 UTC 2015


Sure, but a short-term solution to block spam could be to enable moderation of joins to the mailing list for non-OWASP emails. A list admin could still manually allow particular subscriptions that are not spam. Or, all new subscriptions can have their first post moderated. If it's not spam then the mod flag is removed.

If a list admin can put in just a bit of time here it does work out. 

Is there a particular list having trouble? I'm happy to work with them on the settings and strategy here. 





> On Sep 4, 2015, at 11:46 AM, Noreen Whysel <noreen.whysel at owasp.org> wrote:
> 
> The problem with requiring owasp.org emails is that the lists are supposed to be open, but not everyone affiliated with OWASP qualifies for an owasp.org email (leaders and paid members only).
> 
> Noreen Whysel
> Community Manager
> OWASP Foundation
> 
>> On Fri, Sep 4, 2015 at 2:18 PM, Michael Coates <michael.coates at owasp.org> wrote:
>> From a spam/bot blocking perspective
>> The easiest thing for us to do is to switch over to using @owasp.org email addresses. We can easily configure the mailing list to require admin confirmation and auto-reject non-owasp email addresses.
>> 
>> If we don't want to do that it is also easy to require moderation for all subscriptions. A quick regex can stop obvious spam iteration.
>> 
>> It would be interesting to see if a CAPTCHA approach for mailman is possible. Yes, captcha can be defeated if someone tries hard enough, but if we cut out more of the junk then that is still a win.
>> 
>> 
>> --
>> Michael Coates | @_mwc
>> OWASP Global Board
>> Join me at AppSecUSA 2015 in San Francisco!
>> 
>> 
>> 
>> 
>>> On Fri, Sep 4, 2015 at 10:52 AM, Noreen Whysel <noreen.whysel at owasp.org> wrote:
>>> A few thoughts/questions:
>>> 
>>> Is it possible to map a Mailman subscription to an IP? If so we could block or moderate an IP.
>>> 
>>> Mailman allows you to globally remove your email from all lists in one click. Can the admin for the listserv do the same in one click for a subscriber?
>>> 
>>> Are there any other spam-catcher programs that can look for patterns in subscriber email accounts? Kate mentioned today that some lists are reporting excessive subscribe requests from random-looking gmail accounts. Owasp-Manila has also been hit by random gmail sign-ups.
>>> 
>>> Look at other services we use as well. Slack had someone playing with Slackbot auto-posts recently. Someone set Slackbot to trigger Johanna's survey every time a post included the words "and" or "the". Johanna also mentioned some strange Slackbot emoji behavior. I didn't see any auto-post rules set for emoji though.
>>> 
>>> There are dozens of potential services that someone with a grudge could disturb. Does it make sense to put out an alert to leaders to keep an eye out and report suspicious behavior?
>>> 
>>> Personally, from a chapter development standpoint, my policy is to do a nominal background check on people requesting to start chapters, get Owasp.org emails or start a mailing list. This typically means reviewing their resume (required for starting a chapter), looking them up on LinkedIn or Google News search, checking on any previous OWASP involvement in the wiki or our member database, etc., as well as checking with leaders and past leaders of a chapter: do you know them, is this a good person? Similar for volunteers for event booths, university outreach, etc. This is especially important as chapter leaders ultimately get to handle money. I've had someone in Nigeria ask to restart chapters in Oregon and Canada, one of many examples.
>>> 
>>> I also encourage people to use their Owasp.org email to sign up for the wiki account, since that implies they have already been vetted or at least paid a member fee to get gmail access.
>>> 
>>> Is this sufficient? Are there other ways to monitor activity without turning into cops or making people feel unfairly scrutinized?
>>> 
>>> Noreen Whysel
>>> Community Manager
>>> OWASP Foundation
>>> 
>>>> On Sep 4, 2015, at 11:45 AM, johanna curiel curiel <johanna.curiel at owasp.org> wrote:
>>>> 
>>>> I'm just curious
>>>> 
>>>> How can OWASP avoid it if he uses other email accounts or fake names/addresses to gain access?
>>>> 
>>>> I think access to the wiki has to be very strongly supervised, including a background check of the person requesting access.
>>>> 
>>>> Any ideas or procedures that are already in place?
>>>> 
>>>> regards
>>>> 
>>>> Johanna
>>>> 
>>>>> On Fri, Sep 4, 2015 at 11:25 AM, Matt Tesauro <matt.tesauro at owasp.org> wrote:
>>>>> And the screenshot...
>>>>> 
>>>>> Rushing to get back to work doesn't actually buy you more time ; )
>>>>> 
>>>>> --
>>>>> -- Matt Tesauro
>>>>> OWASP WTE Project Lead
>>>>> http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project
>>>>> http://AppSecLive.org - Community and Download site
>>>>> OWASP OpenStack Security Project Lead
>>>>> https://www.owasp.org/index.php/OWASP_OpenStack_Security_Project
>>>>> 
>>>>>> On Fri, Sep 4, 2015 at 10:24 AM, Matt Tesauro <matt.tesauro at owasp.org> wrote:
>>>>>> > I'm assuming wiki editing has been revoked?
>>>>>> 
>>>>>> Good point about the wiki - it's actually designed to clean up bad/malicious edits, so the damage potential is far less, but I went ahead and blocked his user account.  See screenshot.
>>>>>> 
>>>>>> For the curious, his wiki contributions are at: https://www.owasp.org/index.php/Special:Contributions/Cmlh
>>>>>> 
>>>>>> -- Cheers
>>>>>> 
>>>>>> --
>>>>>> -- Matt Tesauro
>>>>>> OWASP WTE Project Lead
>>>>>> http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project
>>>>>> http://AppSecLive.org - Community and Download site
>>>>>> OWASP OpenStack Security Project Lead
>>>>>> https://www.owasp.org/index.php/OWASP_OpenStack_Security_Project
>>>>>> 
>>>>>>> On Fri, Sep 4, 2015 at 10:07 AM, Matt Konda <matt.konda at owasp.org> wrote:
>>>>>>> Hi.
>>>>>>> 
>>>>>>> Wow.  I was slow to respond to this whole series of events because I didn't have prior direct exposure to this individual.  Lucky me.
>>>>>>> 
>>>>>>> First, I'm glad we (esp. Matt T.) have taken care of part of the problem through mechanics. Thanks all for dealing with that, especially Josh for invoking the bylaws to trigger the action.
>>>>>>> 
>>>>>>> Second, is there further action required with regard to CH?  I'm assuming we keep our eyes out for disruptive behavior for a bit and just catch it and take action quickly.  I'm assuming wiki editing has been revoked?
>>>>>>> 
>>>>>>> Third, are there other open issues (people) like this that we should deal with proactively?
>>>>>>> 
>>>>>>> Fourth, what can we do to handle this prior to the face to face meeting?  As painful as it is over email, I would really rather focus on positive and constructive things we can be doing (like proposals for wiki overhaul and investments in projects) than re-hashing blow by blow the words of people we don't want to be part of the community.  Is there a legitimate legal risk here?
>>>>>>> 
>>>>>>> Thanks,
>>>>>>> Matt
>>>>>>> 
>>>>>>> 
>>>>>>> _______________________________________________
>>>>>>> Owasp-board mailing list
>>>>>>> Owasp-board at lists.owasp.org
>>>>>>> https://lists.owasp.org/mailman/listinfo/owasp-board
> 
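The moderation-plus-regex approach Michael describes above, as an added illustration that is not part of the original thread or of OWASP's list configuration: a small stdlib-only Python triage script that admits owasp.org addresses, rejects addresses matching explicit ban regexes, flags separator-free, digit-heavy gmail local parts of the kind the thread reports, holds everything else for list-admin approval, and emits a Mailman 2.1 config_list fragment (subscribe_policy, default_member_moderation, member_moderation_action, ban_list) enforcing the same policy. The trusted domain, the ban regexes and the "random-looking" heuristic are assumptions to tune per list; the sample addresses are constructed.

```python
"""Subscription triage for a Mailman 2.1 list.

Added illustration, not code from the OWASP thread. The trusted domain, ban
regexes and 'random-looking' heuristic are assumptions to tune per list.
"""
import re

TRUSTED_DOMAINS = {"owasp.org"}  # assumption: org-issued addresses are already vetted

# Mailman 2.1 ban_list entries are treated as full-address regexes when they start with '^'.
BAN_PATTERNS = [
    r"^[a-z]{1,3}\d{6,}@gmail\.com$",   # ab12345678@gmail.com style (assumed pattern)
    r"^[a-z0-9]{16,}@gmail\.com$",      # long separator-free random strings
]

VALID_ADDRESS = re.compile(r"[a-z0-9._%+-]+@[a-z0-9-]+(\.[a-z0-9-]+)*\.[a-z]{2,}")


def looks_random(local: str) -> bool:
    """Heuristic for machine-generated local parts (assumption): 8+ chars,
    no '.', '_' or '-' separators, and either 3+ digits or almost no vowels."""
    if len(local) < 8 or re.search(r"[._-]", local):
        return False
    digits = sum(ch.isdigit() for ch in local)
    letters = [ch for ch in local if ch.isalpha()]
    vowels = sum(ch in "aeiou" for ch in letters)
    return digits >= 3 or (bool(letters) and vowels / len(letters) < 0.2)


def decide(address: str) -> str:
    """Return one of: accept (trusted domain), reject (invalid or banned),
    flag (hold and mark as likely bot), hold (needs list-admin approval)."""
    addr = address.strip().lower()
    if not VALID_ADDRESS.fullmatch(addr):
        return "reject"
    local, domain = addr.rsplit("@", 1)
    if domain in TRUSTED_DOMAINS:
        return "accept"
    if any(re.match(p, addr) for p in BAN_PATTERNS):
        return "reject"
    if looks_random(local):
        return "flag"
    return "hold"


def mailman_config(ban_patterns=tuple(BAN_PATTERNS)) -> str:
    """Mailman 2.1 config_list fragment enforcing the same policy: admin
    approval for every subscription, new members' posts held, ban regexes applied."""
    lines = [
        "# apply with: bin/config_list -i <this file> <listname>",
        "subscribe_policy = 2              # 2 = require list-admin approval",
        "default_member_moderation = True  # new members' posts are held ...",
        "member_moderation_action = 0      # ... 0 = hold for moderator review",
        "ban_list = [",
    ]
    lines += [f"    {p!r}," for p in ban_patterns]
    lines.append("]")
    return "\n".join(lines)


# Constructed sample queue, not real subscription requests.
SAMPLE_REQUESTS = [
    "michael.coates@owasp.org",
    "noreen.whysel@gmail.com",
    "xk7q2pzt91@gmail.com",
    "ab12345678@gmail.com",
    "not-an-address",
]


def triage(requests=tuple(SAMPLE_REQUESTS)) -> dict:
    """Map each address to its decision; a list admin works the 'hold' and 'flag' buckets."""
    return {addr: decide(addr) for addr in requests}


if __name__ == "__main__":
    for addr, verdict in triage().items():
        print(f"{verdict:7} {addr}")
    print(mailman_config())
```

The ban regexes reject only the unambiguous machine-generated shapes; anything merely suspicious is flagged and still held for a human, so a legitimate member with a digit-heavy address is delayed rather than locked out, which matches the "just a bit of admin time" trade-off described above.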