[Owasp-leaders] ABORT the OWASP Email Lists

Matt Tesauro matt.tesauro at owasp.org
Sun Jun 10 20:39:18 UTC 2012

Answers inline:

On Thu, Jun 7, 2012 at 1:37 AM, Dinis Cruz <dinis.cruz at owasp.org> wrote:

> Matt, it's great that you are trying to solve this, but this just shows the
> need that we have to have dedicated (even part-time) professional
> network/application support for OWASP.

I am working on solving this (with the help of other volunteers) because
when we started to have SPAM issues, no one else stepped up.

Recently, I've had family medical issues and am right in the middle of
moving my family, selling and buying homes and packing all our belongings.
Achim was kind enough to setup and offer to help with Mailman.  Since the
changes he made last week, we have not had ANY MAIL SPOOLING on Barracuda
since ~ Wednesday afternoon GMT -6.  He and I are in the middle of solving
a second issue with our broken Mailman migration.  Give props to Achim and
David from the leaders lists who stepped up and provided advice and time on
the box to get mail flowing regularly without spooling.

I fully agree we need to hire someone to help on OWASP's
IT infrastructure.  The long list of IT "things" including Tom's wiki page
and my gap analysis [1] for the last board meeting.  I should also note that
we are in the process of moving our Rackspace hosts from public cloud to
managed cloud where Rackspace will own a large portion of the maintenance
and upkeep of those hosts.  After the move to managed cloud hosts, what
else needs to be done?  Besides "do IT things" what is this IT person going
to do?  Do we have a definitive list?  With SLAs? A job description?  A
method to tell if OWASP is getting results from the person we hire?  Having
been a Linux Admin in the past "Manage our IT" is a bit vague.  If Kate's
scanner acts up, is that in scope?  Without knowing the exact problem we're
trying to solve, we are doing OWASP and whomever we hire a disservice.
Anyone is welcome to take Tom's wiki page and my gap analysis and come up
with a job description. I suggested as much at the last board meeting but do
not have the time until after I finish moving.


BTW, if you want to add to that Google doc, I know all @owasp.org people
have access - even to edit if I recall correctly.  If not, let me know and
I'll provide edit access to whomever.

> Like Jim mentioned, the Mailing lists are a real problem since these issues
> have dramatically affected the usability of one of the most solid and
> useful OWASP community resources we have (and in the projects I'm involved,
> there is a direct negative impact due to this)

Agreed.  ~500+ on the leaders list and 22K+ on OWASP all.  1 to 2 million
emails per month.  Approximately 86% of all incoming mail is SPAM blocked
by Barracuda.  303,216 emails in June already.

Dinis, have you turned bounce notification off for your lists?  Or read the
Mailman list admin docs to see if you could do something to make life
better for the lists you run?  We're all volunteers here so maybe the cost
of being part of this community is a bit of list admin work from time to
time?  If you don't have time, that's fine but understand then that things
won't change as fast as you like if you're a passive participant.

> On that topic, there was a note last month that we had hired such
> resource. Has it happened? If so, who is it? And if not, we need to put some
> urgency in this hire, since we need help!

Tom knew someone who has a great deal of FreeBSD experience and said he
was willing to help.  I gave him access to the Mailman server and he may
have logged in once after the initial verification of his access but no
changes were made.  Also, there was the issue of no job description and
therefore no real means to see if (1) we were paying adequately and (2) if
they were doing what we asked.

> For example, when we say *'let's move from Mailman to Google Groups',* who
> is going to do it? Are we really expecting all our project/chapter leaders
> to do it?

We're all volunteers.  Especially for those that want to experiment, I
think they need to bear the burden of that migration.  Considering the last
migration of Mailman (which was done by a PAID party) has been a total
mess, I think a second mass migration to something different is both
foolish and likely to suck up more community time than just fixing Mailman.

> Btw, these problems just show how great of a job Larry did during all
> those years he managed the OWASP Mailing lists (amongst other things).

Larry was the paid party who did the migration from Aspect's server to the
current servers.  When I started to look into the SPAM issue after the
migration, lists.owasp.org didn't even have MX records nor PTR records in
DNS.  I agree he did a ton of work for OWASP for a long time and we should
all be grateful for his past efforts.  From what I understand, he is not
wanting to take on OWASP IT work in general going forward so he is no
longer a viable option.  He did offer to provide a few hours per month
to do IT for OWASP at $1,000 USD/month after the initial migration.
However, once again, we had no job description or means to evaluate both
that pay rate and the work provided.

All paid OWASP employees currently have job descriptions and quarterly
goals.  I don't think it wise to make an exception in this case - even if
there's a bit of pain for the community in the interim.

I feel very strongly that OWASP must make the most of the funds we are
given by the community and our supporters.  The board is the steward of
those funds and has a responsibility to ensure OWASP spends them wisely.

-- Matt Tesauro
OWASP Board Member
OWASP WTE Project Lead
http://AppSecLive.org - Community and Download site

> Dinis Cruz
> On 3 June 2012 18:08, Matt Tesauro <matt.tesauro at owasp.org> wrote:
>> Jim was in Austin recently and asked me about this.  I have no problem
>> with list admins deciding to move lists over to Google groups if they
>> believe that's best for their recipients/group.  Do what you need to do to
>> further OWASP's mission.
>> However, since I talked with Jim, there's some news about lists.owasp.org:
>> (1) The mail server on lists.owasp.org was set up with very low defaults
>> for inbound mail.  This was causing a bottleneck and mail was being
>> spooled for excessively long times on the Barracuda filtering host(s).  I
>> have since changed Sendmail (ugh) to allow unlimited inbound email from
>> Barracuda since that is the only source the mail server on lists will
>> actually answer (both on the firewall and MTA configuration level).
>> Additionally, Barracuda already filters out SPAM and spools mail if the
>> mail server on lists gets overwhelmed (which is doubtful).
>> (2) Very shortly (I'd say 1 to 2 weeks out), lists.owasp.org will be
>> migrated to a new host.  One of two options will be used:
>> Option #1: Migrate to Open Source Labs (OSL) who hosts Mailman lists for
>> numerous open source projects already.  I am working through the details
>> and potential problems with that choice currently, though it is the
>> preferred option.
>> Option #2:  Migrate to Rackspace managed cloud where the migration will
>> allow a more optimized mail server configuration and changing from Sendmail
>> (ugh) to Postfix as the MTA/mail server.  OWASP will still need to manage
>> Mailman but Rackspace will manage OS, monitor, backup, etc.
>> In the middle of this Mailman mess, I've had medical issues with family
>> members, a funeral, am in the middle of relocating my family to San
>> Antonio, and I have (so far) avoided needing back surgery. Basically, my
>> spring has sucked. So between working my day job, selling my current house
>> and finding/buying a new one, I've had very little free time.
>> For the curious who are still reading this, I've attached a couple of
>> screenshots from Barracuda to give you an idea of the volume of traffic on
>> lists.owasp.org:
>> * blocked-spam.png = a partial listing of the SPAM blocked at 9:02 AM
>> this morning by Barracuda.  While lists still has issues, we are not seeing
>> a ton of SPAM thanks to Barracuda.
>> * inbound-overview.png = an overview of inbound email to lists.
>> * outbound-overview.png = an overview of outbound emails from lists (note
>> the 6.6 GB outbound bandwidth on May 28th)
>> As soon as the migration plan is finalized, I'll let you know.  It looks
>> like the migration will take at most 1 hour of downtime (though Barracuda will
>> just spool mail during any downtime) so there shouldn't be loss of mail or
>> a large interruption in service.
>> Cheers!
>> --
>> -- Matt Tesauro
>> OWASP Board Member
>> OWASP WTE Project Lead
>> http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project
>> http://AppSecLive.org - Community and Download site
>> On Tue, May 29, 2012 at 11:45 AM, Jim Manico <jim.manico at owasp.org> wrote:
>>> The OWASP emails lists are beyond messed up right now.
>>> I call for a full abort to Google Groups as an interstitial measure
>>> until this is resolved by the foundation.
>>> Several projects have already quietly made this move, and several
>>> chapters are considering it now.
>>> So, if your chapter or project is struggling with the Mailman mess, do
>>> not ask for permission, just make the move to Google groups as you see
>>> fit until a workable solution presents itself. What we have now is NOT
>>> workable at all.
>>> Innovation and Experimentation are our core values so GO FOR IT.
>>> My 2 cents,
>>> --
>>> Jim Manico
>>> Connections Committee Chair
>>> Cheatsheet Series Product Manager
>>> OWASP Podcast Producer/Host
>>> jim at owasp.org
>>> www.owasp.org
>>> _______________________________________________
>>> OWASP-Leaders mailing list
>>> OWASP-Leaders at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders