[Bug 1082746] Re: Automated processes can swamp a list with web subscription requests.

Mark Sapiro mark at msapiro.net
Fri Sep 20 19:29:31 CEST 2013

I suspect it will only be a matter of time before other lists are
attacked too, especially since they have subscribe forms on other sites.

A proper implementation would include modifying the list admin GUI to
maintain a list attribute to control this, but I don't intend to do

You can patch Mailman/Cgi/listinfo.py at about line 188 and
Mailman/Cgi/subscribe.py at about line 125 as follows:

in each of those places, replace the line


with the 5 lines

        _switch = mlist.hash_subscribe
    except AttributeError:
        _switch = False
    if mm_cfg.SUBSCRIBE_FORM_SECRET and _switch:

(if it isn't clear, the 1st, 3rd and 5th lines are indented 4 spaces and
the 2nd and 4th lines are indented 8 spaces.)

Then you can use bin/config_list with input

mlist.hash_subscribe = True

to set this for a list. Those lists for which mlist.hash_subscribe
exists and is True will require the hidden hash in the subscribe form.
Other lists will not. You silll need to set SUBSCRIBE_FORM_SECRET in

You received this bug notification because you are a member of Mailman
Coders, which is subscribed to GNU Mailman.

  Automated processes can swamp a list with web subscription requests.

To manage notifications about this bug go to:

More information about the Mailman-coders mailing list