
Mailman issues a "403 Forbidden" error when subscribing to a list
Closed, Resolved · Public

Description

When we try to subscribe to one of the mailing lists on https://lists.wikimedia.org, we get a 403 error:

Forbidden
You don't have permission to access /mailman/subscribe/<listname> on this server.

Event Timeline

Restricted Application added a subscriber: Aklapper.

Which specific mailing lists was this tested with? Which web browsers was this tested with?

(Likely unrelated, but I fail to see CSS applied and encoding errors for e.g. https://lists.wikimedia.org/mailman/listinfo/wikics-l in Firefox 60 and Chromium 65, due to Blocked loading mixed active content "http://cs.wikipedia.org/skins-1.5/common/*.css")

  • Tested lists: wikimedia-l, wikimediafr and wlm-announce.
  • This was tested with Firefox 60 on Ubuntu 17.10 (on two computers), but I don't see how it is relevant for a server-side error. I tested again with Chromium 66, same error.

Indeed my CSS issues above are unrelated. I wonder if https://gerrit.wikimedia.org/r/#/c/432168/ could be somehow related here. CC'ing @herron.

One coworker tried to subscribe to the glam list and had the same issue (Firefox 60 too). Another coworker spoke about the issue to @Sadads, who says he can subscribe with no problem.

So, I did some further tests, and it seems that it is the IP of Wikimédia France's office that is blocked. Why?

Hi @Sylvain_WMFr, could you share that IP address with me? I can trace logs on the lists server. By email would be great <kherron@wikimedia.org>

Thanks in advance!

IP received by email. Thanks!

Unfortunately, it appears this address is listed on a few spam blocklists. Details about which lists and links to more information can be found by looking up the IP address with a tool like http://multirbl.valli.org

This is affecting list subscription because RBL checks at subscription time were implemented in https://gerrit.wikimedia.org/r/#/c/433671/ as a countermeasure against an increasing volume of list subscription spam.

My suggestion would be to coordinate submission of delisting requests for this IP and, in the meantime, subscribe to lists using a different IP address. If that isn't possible, I'd be happy to help subscribe addresses as needed.
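How a DNS blocklist lookup of the kind discussed above decides that an address is listed, as an added example that is not part of this task or of the Wikimedia configuration. It follows the standard DNSBL query layout (RFC 5782); the zone names, the sample address and the stub resolver are constructed assumptions.

```python
import ipaddress
import socket

def dnsbl_query_name(ip, zone):
    """Reverse the address (octets for IPv4, nibbles for IPv6) under the zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")[::-1]
    else:
        labels = list(addr.exploded.replace(":", ""))[::-1]
    return ".".join(labels) + "." + zone.strip(".")

def system_resolver(name):
    """Return A records for name, or [] when the lookup fails."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        # Caveat: this cannot tell NXDOMAIN (not listed) from a resolver outage.
        return []

def check_listing(ip, zones, resolve=system_resolver):
    """Map each zone to the 127.0.0.0/8 return codes it gives for ip."""
    loopback = ipaddress.ip_network("127.0.0.0/8")
    hits = {}
    for zone in zones:
        answers = resolve(dnsbl_query_name(ip, zone))
        # Answers outside 127.0.0.0/8 are not valid listing codes (for example
        # a wildcarded or parked zone) and must not count as a listing.
        codes = [a for a in answers if ipaddress.ip_address(a) in loopback]
        if codes:
            hits[zone] = codes
    return hits

# Constructed data: hypothetical zones and a documentation-range address.
SAMPLE_RECORDS = {
    "10.2.0.192.dnsbl.example": ["127.0.0.2"],
    "10.2.0.192.parked.example": ["203.0.113.7"],
}

def sample_resolver(name):
    """Offline stand-in for DNS, backed by the constructed records above."""
    return SAMPLE_RECORDS.get(name, [])

if __name__ == "__main__":
    zones = ["dnsbl.example", "parked.example", "clean.example"]
    print(check_listing("192.0.2.10", zones, resolve=sample_resolver))
```

Calling `check_listing` without the `resolve` argument uses the system resolver, so the zones passed in must then be real blocklist zones.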

herron triaged this task as Medium priority. May 30 2018, 6:09 PM

Thanks!

I will investigate why we are blocked, and we will use our smartphones to register in the meantime.

herron claimed this task.

Sounds good!

Vvjjkkii renamed this task from Mailman issues a "403 Forbidden" error when subscribing to a list to t5baaaaaaa. Jul 1 2018, 1:08 AM
Vvjjkkii reopened this task as Open.
Vvjjkkii removed herron as the assignee of this task.
Vvjjkkii raised the priority of this task from Medium to High.
Vvjjkkii updated the task description.
Vvjjkkii removed a subscriber: Aklapper.
Sylvain_WMFr renamed this task from t5baaaaaaa to Mailman issues a "403 Forbidden" error when subscribing to a list. Jul 2 2018, 4:46 AM

While this ticket is reopened, I might as well update: it turns out that the IP has been on these blacklists since 2012, years before it was ours. I cannot remove it from all the lists because they are for IPs of email servers and it is not one (so I cannot do the required DNS changes...)

Sylvain_WMFr lowered the priority of this task from High to Medium. Jul 2 2018, 10:56 AM

Hi, I ran into this problem over the last few days trying to subscribe to wikidata-tech while on the eduroam network (my public IP address of 194.94.98.189).

I then tried using my mobile phone (on the Vodafone network), and it responded "You're trying that too often. Please try again later."

Since the 429 "too often" error is thrown after multiple subscription attempts from the same IP, maybe the phone was also connected to wifi at the time?

In any event, I think we can tune the rate limit to a less aggressive setting now that the flood of spam subscription requests has slowed. Let's start by increasing it from 1 to 5 per hour and see how that goes.

Change 446617 had a related patch set uploaded (by Herron; owner: Herron):
[operations/puppet@production] mailman: increase per IP and per email rate limits from 1 to 5/hour

https://gerrit.wikimedia.org/r/446617

Change 446617 merged by Herron:
[operations/puppet@production] mailman: increase per IP and per email rate limits from 1 to 5/hour

https://gerrit.wikimedia.org/r/446617

This issue still persists in some IP addresses from Cameroon, I think. I've gotten folks poke about the 403 error. Thanks!

Mailing lists: Wikitech-l, African-Wikimedia-Developers

Does the problem still happen after waiting more than 30 minutes?

Apparently no. Now I'm subscribed successfully.

The RBL check that was causing 403s for subscription attempts from IPs listed on spam blacklists was reverted today with https://gerrit.wikimedia.org/r/#/c/operations/puppet/+/464819/, so I'll transition this to resolved.