Michael, here's the thing that worries me, and the reason I concentrated on getting as much junk as possible out of the subscriber rosters. In a word, spamtraps. Spamtraps already subscribed, and still subscribed.
http://www.uceprotect.net/en/rblcheck.php?ipr=96.86.170.229, as an example of the (several) remaining DNSBL entries, says:
What does it mean to be listed at the UCEPROTECT-Level 1? It means abusive activity was seen from IP 96.86.170.229 directly within the last 7 days.
Concrete allegation: IP 96.86.170.229 tried to deliver mail to spamtraps.
_If_ bogus subscriptions have been allowed in the past, then one or more of the subscriptions, to one or more of the four BALUG mailing lists, almost certainly are still spamtraps -- unless I lucked out and pruned them in my recent work.
SO: The above-cited URL permits "express delisting" from the cited DNSBL -- with the caveat that if we haven't fixed the underlying problem, we'll soon get relisted.
I would invite you to look over the situation, then tell me your thoughts about how/whether we can tell that we aren't going to get bogus subscriptions (without 3-way handshake) going forward, and that we don't have any spamtrap addresses remaining in the rosters.
Worst case, if we're pretty sure that bogus subscriptions _have_ been possible, but we've scotched that, e.g., with the mm_cfg.py secret key for subscription forms, then we might have to bite the bullet and require all existing subscribers to re-confirm their desire to be present.
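Since the thread's concern is that a delisting only holds if the underlying problem is fixed, a periodic self-check against the DNSBLs is the natural way to notice a relisting early. The following is an added example, not code from the thread or from BALUG's setup: it builds the reversed-octet query name a DNSBL expects, treats only a 127.0.0.0/8 answer as "listed", and takes the resolver as a parameter so the logic can be exercised offline with constructed answers. The UCEPROTECT Level-1 zone name is the publicly documented one; the other two zones are assumptions chosen for illustration.

```python
"""Check whether a mail server's IP is listed on one or more DNSBLs.

Added example (not from the thread). The resolver is injectable so the
listing logic can be exercised offline with constructed DNS answers.
"""
import ipaddress
import socket
from typing import Callable, Dict, Optional

# DNSBL zones to query. The UCEPROTECT Level-1 zone is the one the thread's
# listing came from; the other two are assumptions for illustration.
DNSBL_ZONES = [
    "dnsbl-1.uceprotect.net",
    "zen.spamhaus.org",
    "dnsbl.sorbs.net",
]


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the DNSBL query name: IPv4 octets reversed, then the zone."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on junk input
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def default_resolver(name: str) -> Optional[str]:
    """Resolve name to an A record; None means NXDOMAIN (not listed)."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def is_listed_answer(answer: Optional[str]) -> bool:
    """DNSBLs answer with an address in 127.0.0.0/8 for listed IPs.

    Anything else (a wildcard answer, a dead zone returning a public IP)
    is treated as not listed, which avoids false positives.
    """
    if answer is None:
        return False
    try:
        return ipaddress.IPv4Address(answer) in ipaddress.IPv4Network("127.0.0.0/8")
    except ValueError:
        return False


def check_ip(
    ip: str,
    zones=DNSBL_ZONES,
    resolver: Callable[[str], Optional[str]] = default_resolver,
) -> Dict[str, bool]:
    """Return {zone: listed?} for the given IP across all zones."""
    return {zone: is_listed_answer(resolver(dnsbl_query_name(ip, zone))) for zone in zones}


# Constructed resolver answers for an offline demonstration (not real DNS data).
FAKE_ANSWERS = {
    "229.170.86.96.dnsbl-1.uceprotect.net": "127.0.0.2",  # listed
    "229.170.86.96.zen.spamhaus.org": None,               # NXDOMAIN: not listed
    "229.170.86.96.dnsbl.sorbs.net": "10.0.0.1",          # odd answer: ignored
}


def fake_resolver(name: str) -> Optional[str]:
    """Stand-in for DNS so the example runs offline."""
    return FAKE_ANSWERS.get(name)


if __name__ == "__main__":
    for zone, listed in check_ip("96.86.170.229", resolver=fake_resolver).items():
        print(f"{zone}: {'LISTED' if listed else 'not listed'}")
```

Run with the default resolver from a cron job and alert on any `True` to catch a relisting before recipients start bouncing mail; querying with real DNS is the only change needed, since `default_resolver` is already wired in.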
I wrote, in relation to the UCEPROTECT-Level 1 listing:
_If_ bogus subscriptions have been allowed in the past, then one or more of the subscriptions, to one or more of the four BALUG mailing lists, almost certainly are still spamtraps -- unless I lucked out and pruned them in my recent work.
_Moreover_, even if I removed the spamtrap address(es) in my recent pruning, the big question remains:
How did the BALUG IP come to be sending mail to one or more spamtraps, within the past week?
Unless/until we have a good answer to that, it seems to me we have a big, fundamental problem.
I wrote:
What does it mean to be listed at the UCEPROTECT-Level 1? It means abusive activity was seen from IP 96.86.170.229 directly within the last 7 days.
Concrete allegation: IP 96.86.170.229 tried to deliver mail to spamtraps.
Progress: UCEPROTECT-Level 1 (and all other UCEPROTECT) DNSBLs no longer list 96.86.170.229. This is reassuring! It would be quite bad if we had unknown spamtraps on the subscriber rosters. I'm still a bit worried, in that it's troubling that at least one (allegedly) was _on_ the roster(s), raising (as I said) the troubling question of whether there is a vulnerability permitting subscribing users without three-way handshake confirmation.
Michael, I hope you will get around to confirming that the local config to add a nonce (or whatever it's called) to the subscription POST data is in place. That is non-default.
https://multirbl.valli.org/dnsbl-lookup/96.86.170.229.html now shows a subset of six out of the (if memory serves) nine recently showing.
Vexingly, the postmaster.rfc-clueless.org one for FQDN balug.org (and thus for lists.balug.org) is still there, although I asked for removal. I _hope_ this means that removal request is still pending.
Michael, I would still appreciate your attention to the remaining entries on https://multirbl.valli.org/dnsbl-lookup/96.86.170.229.html. Some, such as SORBS, really ought to be addressed by the system siteadmin. (Again, for SORBS, create a SORBS login.)