On 12/22/2016 01:53 PM, Jim Popovitch wrote:
> I know the GLOBAL_BAN_LIST is for email addrs, but what would it take to implement the same (or some field validation logic) for the "fullname" field of the subscription page. I'm still seeing a ton of subscribe spam attempts, and the fullname field is consistently not a text name.
>
> From nginx log:
>
> ...sales@apexgolfcarts.com&fullname=58562fbb70e22...
> ...ellenv3@hotmail.com&fullname=5856315b5b695...
> ...scottpickup2000@gmail.com&fullname=5856372a4e2f1...
> ...vanessae@live.com&fullname=58563aa6664bf...
> ...meagan@meaganlucyphoto.con&fullname=58563ab925ac7...
> ...saramardambey@gmail.com&fullname=58564566dc31b...
> ...dotthomas717@yahoo.com&fullname=5856456df0b96...
> ...scottpickup2000@gmail.com&fullname=58564b85ccf98...

If you only want to target user subscribes and not things like admin mass subscribes and invitations, you could modify Mailman/MailList.py in the AddMember() method around line 894

    pattern = self.GetBannedPattern(email)

change that to

    pattern = (self.GetBannedPattern(email) or
               self.GetBannedPattern(realname))

Then you could add patterns like, e.g., '^[0-9a-f]{10,}' to the GLOBAL_BAN_LIST to match those real names.

--
Mark Sapiro mark@msapiro.net        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
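
An added example, not part of the thread and not Mailman's own code: a stand-alone Python sketch of the combined address-or-name check, using a simplified stand-in for GetBannedPattern and the hex-range pattern '^[0-9a-f]{10,}'. It runs the fullname prefixes visible in the nginx log excerpt and some constructed names through the check, and shows that a regex added to the ban list for names is tested against addresses as well. The function names, the matching rules and the example.com addresses are assumptions.

```python
import re

# Constructed stand-in for GLOBAL_BAN_LIST holding only the realname pattern.
BAN_LIST = [r'^[0-9a-f]{10,}']

def get_banned_pattern(value, ban_list=BAN_LIST):
    """Return the first ban-list entry that matches value, else None.

    Assumption (hypothetical stand-in, not Mailman's implementation):
    entries starting with '^' are case-insensitive regexes, anything
    else is compared as a literal, ignoring case.
    """
    if not value:
        return None
    for entry in ban_list:
        if entry.startswith('^'):
            if re.search(entry, value, re.IGNORECASE):
                return entry
        elif entry.lower() == value.lower():
            return entry
    return None

def subscribe_banned(email, realname, ban_list=BAN_LIST):
    """Mirror the modified check: ban on either the address or the name."""
    return (get_banned_pattern(email, ban_list) or
            get_banned_pattern(realname, ban_list))

# fullname prefixes exactly as far as the log excerpt shows them
SPAM_NAMES = ['58562fbb70e22', '5856315b5b695', '5856372a4e2f1',
              '58563aa6664bf', '58563ab925ac7', '58564566dc31b',
              '5856456df0b96', '58564b85ccf98']

# Constructed legitimate names, several starting with hex letters
REAL_NAMES = ['Ada Faber', 'Deb Cade', 'Jim Popovitch', 'Abe 1970', '']

if __name__ == '__main__':
    for name in SPAM_NAMES + REAL_NAMES:
        hit = subscribe_banned('user@example.com', name)
        print('%-15r %s' % (name, 'banned by %s' % hit if hit else 'ok'))
    # The same pattern is applied to the address, so an all-numeric or
    # hex-looking local part of 10+ characters is rejected too.
    print(subscribe_banned('1234567890@example.com', 'Ada Faber'))
```

Because both fields are tested against one list, a name pattern this broad also rejects subscribers whose address begins with ten or more digits or hex letters.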