I suspect it will only be a matter of time before other lists are attacked too, especially since they have subscribe forms on other sites. A proper implementation would include modifying the list admin GUI to maintain a list attribute to control this, but I don't intend to do that. You can patch Mailman/Cgi/listinfo.py at about line 188 and Mailman/Cgi/subscribe.py at about line 125 as follows: in each of those places, replace the line if mm_cfg.SUBSCRIBE_FORM_SECRET: with the 5 lines try: _switch = mlist.hash_subscribe except AttributeError: _switch = False if mm_cfg.SUBSCRIBE_FORM_SECRET and _switch: (if it isn't clear, the 1st, 3rd and 5th lines are indented 4 spaces and the 2nd and 4th lines are indented 8 spaces.) Then you can use bin/config_list with input mlist.hash_subscribe = True to set this for a list. Those lists for which mlist.hash_subscribe exists and is True will require the hidden hash in the subscribe form. Other lists will not. You silll need to set SUBSCRIBE_FORM_SECRET in mm_cfg.py. -- You received this bug notification because you are a member of Mailman Coders, which is subscribed to GNU Mailman. https://bugs.launchpad.net/bugs/1082746 Title: Automated processes can swamp a list with web subscription requests. To manage notifications about this bug go to: https://bugs.launchpad.net/mailman/+bug/1082746/+subscriptions