[ mailman-Bugs-1448537 ] Limit number of subscribe requests in a period

SourceForge.net noreply at sourceforge.net
Mon Mar 13 04:30:12 CET 2006 

Bugs item #1448537, was opened at 2006-03-12 15:30
Message generated for change (Comment added) made by eric_black
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=100103&aid=1448537&group_id=103

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: security/privacy
Group: None
Status: Open
Resolution: None
Priority: 5
Submitted By: EricB (eric_black)
Assigned to: Nobody/Anonymous (nobody)
Summary: Limit number of subscribe requests in a period

Initial Comment:
Add limits (number of requests in a day, and minimum
number of days before resetting the counter) to the
number of subscribe requests for an email address. 
Defaults would be 1 request in 1 day.

This is needed to prevent malicious mailbombing of an
innocent victim by someone repeatedly submitting their
address.  Currently the victim gets the verify.txt
template email for each submission.

----------------------------------------------------------------------

>Comment By: EricB (eric_black)
Date: 2006-03-12 19:30

Message:
Logged In: YES 
user_id=1474448

Thanks for the suggestion.  That helps if a user complains, but does not help 
in this scenario:

A malicious evil-doer discovers a spamtrap email address used by any of the 
many RBLs, and repeatedly submits that address in a subscribe request, 
either by forging email (trivial to do) or by repeatedly submitting the HTML 
form (also trivial to do).  The spamtrap receives multiple confirmation 
requests.

The first confirmation request should be ignored, because typos happen.

Subsequent confirmation requests may well be considered to be spam.  
Especially if there are 5 a day, let alone 100 in the space of an hour.

----------------------------------------------------------------------

Comment By: Tokio Kikuchi (tkikuchi)
Date: 2006-03-12 19:19

Message:
Logged In: YES 
user_id=67709

You can suppress sending confirmation by putting the
victim's email address in ban_list from the admin page
(privacy section), if she/he is not willing to be added in
your list.  This may not work if the malicious user forges
the 'From:' header.  In this case, the victim may well
introduce some mail filter to get junk mails discarded
before they reach her/his eyes.


----------------------------------------------------------------------

Comment By: EricB (eric_black)
Date: 2006-03-12 15:47

Message:
Logged In: YES 
user_id=1474448

BTW, I've been running 2.1.5 with this problem, and 2.1.7
still exhibits the vulnerability.

----------------------------------------------------------------------

You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=100103&aid=1448537&group_id=103

More information about the Mailman-coders mailing list