forbidding subscriptions to a list
I am maintaining a list on mailman 2.1.18 on a server I have no control over (actually it is some 1000's km from here). The list is absolutely closed, reserved to a committee with a small membership which is updated, if any, every several years.
In the last days the list is receiving subscription requests from odd addresses, apparently in couples. When I found two of them yesterday, I rejected them with a notice "list usage reserved ....". Today I found a mail announcing two further requests, and when I entered the administrative interface found two more.
I would like to close completely the list from subscription requests (so that they can be inserted only by the administrators).
I thought to set ban_list ^.*@.*
Is there any other better option ? Will the ban_list interfere with existing subscriptions ?
(sent in Bcc to the other list maintainers)
-- Lucio Chiappetti - INAF/IASF - via Corti 12 - I-20133 Milano (Italy) For more info : http://www.iasf-milano.inaf.it/~lucio/personal.html
Hello
On 21.08.20 at 09:53, Lucio Chiappetti wrote:
> I am maintaining a list on mailman 2.1.18 on a server I have no control over (actually it is some 1000's km from here). The list is absolutely closed, reserved to a committee with a small membership which is updated, if any, every several years.
> In the last days the list is receiving subscription requests from odd addresses, apparently in couples. When I found two of them yesterday, I rejected them with a notice "list usage reserved ....". Today I found a mail announcing two further requests, and when I entered the administrative interface found two more.
> I would like to close completely the list from subscription requests (so that they can be inserted only by the administrators).
> I thought to set ban_list ^.*@.*
> Is there any other better option ? Will the ban_list interfere with existing subscriptions ?
This is a known attack wave, running for 2 days now, where scripts use the web interface to subscribe a lot of email addresses.
I do not know how to disable the subscription page altogether. I assume Mark will comment on that :-)
We are mitigating this by:
- subscription requires admin to agree
- Hardening web interface with settings in mm_cfg.py:
  - SUBSCRIBE_FORM_SECRET
  - SUBSCRIBE_FORM_MIN_TIME
  - BLOCK_SPAMHAUS_LISTED_IP_SUBSCRIBE
  - BLOCK_SPAMHAUS_LISTED_DBL_SUBSCRIBE
  - RECAPTCHA_SITE_KEY
  - RECAPTCHA_SECRET_KEY
Kind regards, Christian Mack
On 8/21/20 12:53 AM, Lucio Chiappetti wrote:
> I would like to close completely the list from subscription requests (so that they can be inserted only by the administrators).
> I thought to set ban_list ^.*@.*
Even simpler is just
^
in the ban list, but yours will work.
> Is there any other better option ?
Probably not.
> Will the ban_list interfere with existing subscriptions ?
Only for changes of address in Mailman 2.1. In 2.1, the ban list only affects subscription and changes of address (you can't change an address to one which is banned). However, even an admin can't subscribe a banned address. To add new members, you'd need to first remove the match all pattern from the ban_list and then add it back.
This changes in Mailman 3. In MM 3, banned addresses can't post either.
-- Mark Sapiro mark@msapiro.net The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan
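The ban_list behaviour discussed in this thread, as an added example that is not part of any message above and is not Mailman's own code. It is a simplified model that assumes Mailman 2.1 semantics (entries starting with `^` are regular expressions searched case-insensitively, any other entry is a literal address); the function names and the addresses are constructed for illustration.

```python
import re

def banned_pattern(email, ban_list):
    """Return the first ban_list entry matching email, else None."""
    email = email.strip().lower()
    entries = [e.strip() for e in ban_list if e.strip()]
    # Entries without a leading '^' are literal addresses, compared whole.
    for entry in entries:
        if not entry.startswith("^") and entry.lower() == email:
            return entry
    # Entries with a leading '^' are regexes, searched case-insensitively.
    for entry in entries:
        if entry.startswith("^"):
            try:
                if re.search(entry, email, re.IGNORECASE):
                    return entry
            except re.error:
                continue  # an invalid pattern matches nothing
    return None


def admin_add(members, ban_list, email, match_all="^"):
    """Add a member the 2.1 way: lift the match-all entry, add, restore it.

    Returns (new_members, new_ban_list); the inputs are not modified.
    """
    if banned_pattern(email, ban_list) is None:
        return members | {email.lower()}, list(ban_list)
    lifted = [e for e in ban_list if e.strip() != match_all]
    hit = banned_pattern(email, lifted)
    if hit is not None:
        raise ValueError("still banned by %r" % hit)
    return members | {email.lower()}, lifted + [match_all]


def demo():
    addr = "bot123@example.net"  # constructed address
    # '^' and '^.*@.*' both match everything; '.*@.*' is only a literal.
    results = {p: banned_pattern(addr, [p]) for p in ("^", "^.*@.*", ".*@.*")}
    members, bans = admin_add({"chair@example.org"}, ["^"], "new@example.org")
    return results, sorted(members), bans


if __name__ == "__main__":
    print(demo())
```

The third pattern shows why the leading `^` matters: without it the entry is treated as a literal address and blocks nothing.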