Hackers subscribing lots of people
Hello,
We're running mailman 2.
Quite a few script kiddies and other idiots have figured out that they can use our mailman installation to annoy people. They bypass the subscribe page directly, and run cgi-bin/subscribe directly - many, many times.
We fixed the problem by removing the appropriate executable permission from cgi-bin/subscribe and rewriting the list info page to handle subscriptions differently. (We removed the Subscribe fields and button.)
While this works, it's inelegant and a bit convoluted.
Is there another way to prevent this, and leave the default info page intact?
Thanks.
::Jack
From: John <j_p_waterhouse@hotmail.com> Date: Tue, 16 Jul 2024 19:33:41 +0000
John wrote:
> They bypass the subscribe page directly, and run cgi-bin/subscribe directly - many, many times.

I saw a subscribe flood too on my Mailman2, to sub. all lists on server. I had assumed it was preparatory to a spam flood later, but it could have been to annoy a 3rd party innocent.
I didn't have time to analyse mine.
A half-baked idea: hack the Mailman install scripts to run a random key generator, and include that random key in generated HTML pages and CGI install paths, e.g. cgi-bin/random1234random/subscribe. It would make dumb script attacks a lot more time consuming; smart attack scripts would have to become more complex, adapting per host or list name.
Better would be encrypted keys.
I wonder if MM3 have already solved this.
Sorry I have no time to experiment, I'm in mid move.
Cheers,
Julian Stacey. http://berklix.org/jhs/mail/ Gmail fails. http://StolenVotes.UK Arm Ukraine. Contraception V. global warming. http://nao.org.uk/topics/brexit/ BRoken EXIT: BRitain EXcluded Impacts Trade.
John wrote:
> Quite a few script kiddies and other idiots have figured out that they can use our mailman installation to annoy people. They bypass the subscribe page directly, and run cgi-bin/subscribe directly - many, many times.

Did you try setting SUBSCRIBE_FORM_SECRET in /etc/mailman/mm_cfg.py ?
-- 
J. Dollinger FAW/n Ulm |zeitnot@irc| http://www.home.pages.de/~zeitnot/
"What're quantum mechanics?" -- "I don't know. People who repair quantums, I suppose." (Terry Pratchett, Eric)
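The setting named in the reply above is the Mailman 2.1 way to do what the earlier "random key in the CGI path" idea was reaching for: with SUBSCRIBE_FORM_SECRET set to a string in mm_cfg.py, the listinfo page embeds a hidden token and cgi-bin/subscribe rejects posts that do not carry a valid one, so a script that hits the CGI directly without first fetching the form is turned away. The block below is an added illustration of that mechanism, not Mailman's own code (Mailman's field name, hash construction and time window differ; the HMAC-SHA256 construction, the 5-second and 24-hour limits, the list name and the addresses here are all assumptions constructed for the example). It shows a token bound to the list, the client's network prefix and the time the form was served, and a verifier that rejects a missing token, one minted for another list or client, one that comes back faster than a person could fill the form, and a stale one.

```python
"""Added illustration of a signed, time-bounded subscribe-form token, the
kind of check Mailman 2 enables when SUBSCRIBE_FORM_SECRET is set.
Example code only; Mailman's own implementation is not reproduced here.
"""
import hashlib
import hmac
import time
from typing import Optional, Tuple

# Hypothetical site secret; in Mailman 2 the equivalent is the string you
# assign to SUBSCRIBE_FORM_SECRET in mm_cfg.py.  Constructed for this example.
FORM_SECRET = b"replace-with-a-long-random-string"

MIN_AGE = 5          # seconds: faster than this is a script, not a person (assumption)
MAX_AGE = 24 * 3600  # seconds: after this the served form is treated as stale (assumption)


def _client_prefix(remote_addr: str) -> str:
    """Drop the last IPv4 octet or last IPv6 group, so a client whose address
    shifts within one /24 (or /112) between GET and POST still validates."""
    if "." in remote_addr:
        return remote_addr.rsplit(".", 1)[0]
    return remote_addr.rsplit(":", 1)[0]


def _mac(issued: int, listname: str, remote_addr: str) -> str:
    """HMAC-SHA256 over issue time, list name and client prefix."""
    msg = "%d:%s:%s" % (issued, listname, _client_prefix(remote_addr))
    return hmac.new(FORM_SECRET, msg.encode(), hashlib.sha256).hexdigest()


def make_form_token(listname: str, remote_addr: str,
                    now: Optional[int] = None) -> str:
    """Token to embed as a hidden form field when serving the listinfo page.
    Format '<issued>:<hexmac>'; `now` lets callers pin the clock."""
    issued = int(time.time()) if now is None else now
    return "%d:%s" % (issued, _mac(issued, listname, remote_addr))


def check_form_token(token: str, listname: str, remote_addr: str,
                     now: Optional[int] = None) -> Tuple[bool, str]:
    """Validate a token presented to the subscribe CGI.  Returns (ok, reason)."""
    now = int(time.time()) if now is None else now
    try:
        issued_str, mac = token.split(":", 1)
        issued = int(issued_str)
    except ValueError:
        return False, "missing or malformed token"
    expected = _mac(issued, listname, remote_addr)
    # Constant-time compare.  The MAC also covers `issued`, so a client
    # cannot back- or forward-date the timestamp without the secret.
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return False, "token not issued for this list and client"
    age = now - issued
    if age < MIN_AGE:
        return False, "form submitted too quickly"
    if age > MAX_AGE:
        return False, "form expired"
    return True, "ok"


if __name__ == "__main__":
    # Constructed scenario: a person fetches the form and posts 30 s later;
    # a flood script posts straight to the CGI with no token at all.
    served_at = 1_700_000_000
    token = make_form_token("announce", "203.0.113.7", now=served_at)
    print(check_form_token(token, "announce", "203.0.113.7", now=served_at + 30))
    print(check_form_token("", "announce", "198.51.100.9", now=served_at + 30))
    print(check_form_token(token, "announce", "203.0.113.7", now=served_at + 1))
    print(check_form_token(token, "other-list", "203.0.113.7", now=served_at + 30))
```

This defeats the pattern described in the thread, a script that bypasses the listinfo page and calls cgi-bin/subscribe directly, because every request must first fetch the form for that list from the same network and then wait out the minimum age. It does not stop an attacker who automates exactly that sequence, and any request that passes still triggers the confirmation mail that is the actual annoyance, so pair it with a rate limit on the subscribe URL at the web server if the flood continues.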
participants (3)
- John
- Juergen Dollinger
- Julian H. Stacey