[Mailman-Users] Automated Subscription Bots Inundating ListOwners With Subscription Requests

Mark Sapiro mark at msapiro.net
Mon Nov 19 02:09:08 CET 2012


Ben Cooksley wrote:
>
>If Mailman were to implement basic CSRF protection for all POST requests
>that would also slow the attackers down I suspect (as they would have to
>make a GET request first and parse it).


I have implemented a simple version of what I think you requested in
your post at
<http://mail.python.org/pipermail/mailman-users/2012-October/074287.html>.

It is implemented by the attached patch against Mailman 2.1.15. The
patch will apply to versions 2.1.12 and later with at most line number
changes. For older versions, the hashing function
Mailman.Utils.sha_new doesn't exist and will need to be changed in the
patch to something else. Note that the patch only enables configuring
the token for the listinfo subscribe form. To actually enable
placement and checking of the token, one must assign a non-empty
string value to SUBSCRIBE_FORM_SECRET in mm_cfg.py. I.e.,

SUBSCRIBE_FORM_SECRET = 'Some site specific string'

The actual token is a hex digest of a sha hash of this string plus the
list's internal name plus the IP address of the caller.

A more secure token would include something more random such as the
time of day, but would be a bit more cumbersome to implement -
volunteers are welcome.

Let us know if this helps.

-- 
Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: patch.txt
URL: <http://mail.python.org/pipermail/mailman-users/attachments/20121118/01da155a/attachment.txt>
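
The token scheme described in this message, as an added illustration that is not the attached patch or any Mailman code: the basic token is the SHA-1 hex digest of the site secret, the list's internal name and the caller's IP address, exactly as the post describes it, and the timed variant is the "something more random such as the time of day" extension the post suggests, implemented here as an assumption (the list name and IP address below are constructed sample values).

```python
import hashlib
import hmac
import time

# Constructed example; the secret value is the one the post shows for mm_cfg.py.
SUBSCRIBE_FORM_SECRET = 'Some site specific string'


def make_token(secret, listname, remote_ip):
    """Token as the post describes it: hex digest of a SHA-1 hash of the
    site secret + the list's internal name + the caller's IP address.
    Note: an unkeyed hash over a plain concatenation; a keyed MAC
    (hmac.new) would be the stronger construction."""
    material = secret + listname + remote_ip
    return hashlib.sha1(material.encode('utf-8')).hexdigest()


def check_token(secret, listname, remote_ip, submitted):
    """Recompute the token for this request and compare in constant time."""
    if not secret:
        return True  # mirrors the post: an empty secret means no token check
    expected = make_token(secret, listname, remote_ip)
    return hmac.compare_digest(expected, submitted)


def make_timed_token(secret, listname, remote_ip, now=None, window=3600):
    """Assumed extension (not in the patch): bind the token to a time bucket
    so a captured token stops validating after the window passes."""
    bucket = int(time.time() if now is None else now) // window
    material = '%s%s%s%d' % (secret, listname, remote_ip, bucket)
    digest = hashlib.sha1(material.encode('utf-8')).hexdigest()
    return '%d:%s' % (bucket, digest)


def check_timed_token(secret, listname, remote_ip, submitted,
                      now=None, window=3600, max_age=1):
    """Accept the current bucket and up to max_age earlier ones, so a form
    fetched just before a bucket boundary is not rejected on submit."""
    try:
        bucket = int(submitted.split(':', 1)[0])
    except ValueError:
        return False
    current = int(time.time() if now is None else now) // window
    if not (current - max_age <= bucket <= current):
        return False
    expected = make_timed_token(secret, listname, remote_ip,
                                now=bucket * window, window=window)
    return hmac.compare_digest(expected, submitted)
```

With the basic token a CSRF bot must fetch the listinfo page from the same IP before each POST, as the quoted message anticipates; the timed variant additionally limits how long a fetched token remains usable.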
