[Mailman-Users] Automated Subscription Bots Inundating List Owners With Subscription Requests

Ben Cooksley sourtooth at gmail.com
Sat Nov 17 18:49:03 CET 2012

[Post by list member from an unsubscribed address]

On Nov 18, 2012 4:07 AM, "Petersen, Kirsten J - NET" <
Kirsten.Petersen at oregonstate.edu> wrote:
> Gary, et al:
> The Mailman lists at Oregon State University have been receiving
excessive request for subscriptions since mid-October as well.  Our list
administrators were suspicious because often the names on the requests did
not match the email addresses.  Also, many lists that had been defunct for
years were receiving requests, too.
> I spent some time trying to figure out what the lists that were being hit
had in common.  Not all of the lists receiving requests were advertised on
the listinfo page.  Today I realized that all of the lists involved in this
attack have their subscribe_policy set to just "require approval" rather
"confirm" or "confirm and approve".  So I think the theory that spammers
were just trying to get on the lists to harvest member addresses is
probably correct.
> My folks are beating down my door for a solution, too, and I can't think
of a good one.  We host lists for the international community, so any
measure I take that makes it harder for external people to subscribe will
negatively impact intended use.  I am going to advise my list admins to
enable confirmation, which should discourage these attempts.  It also
occurred to me that I could write a script to monitor the vette log and
purge requests that look suspicious - mainly based on the same email
address attempting to subscribe to multiple unrelated lists at the same

At KDE we took the semi drastic measure of allowing the commencement of
mailing list subscription by email only as the attackers use HTTP POST to
perform their attacks.

If Mailman were to implement basic CSRF protection for all POST requests
that would also slow the attackers down I suspect (as they would have to
make a GET request first and parse it).

One thing I do know is that at least for us the attacks all appeared to be
coming from Tor endpoints or open web proxies.


[Quoted footers removed by moderator]

More information about the Mailman-Users mailing list