May 15, 2001
1:05 a.m.
Looking at it now, it's surprising that this hasn't happened sooner: SF's mailman was abused by someone creating a bogus project with a mailing list, which was then used to subscribe about 10,000 people and spam them into oblivion.
The best/worst part is how people made it a lot worse by complaining to the list itself and spamming one another after that: http://www.geocrawler.com/lists/3/SourceForge/10386/0/
Anyway, I patched admin.py to just disallow admin web subscribes altogether.
In order of preference, for a future mailman version, it'd be nice if mailman would:
- Have a config.db entry: allow web subscribes, that can only be changed by the mailman owner (i.e. master password, not list password)
- Easier: have a sitewide mm_cfg.py variable to allow/disallow web subscribes by the list admin
Thanks, Marc
Microsoft is to operating systems & security what McDonalds is to gourmet cooking
Home page: http://marc.merlins.org/ | Finger marc_f@merlins.org for PGP key