[Mailman-Users] Automated Subscription Bots Inundating List Owners With Subscription Requests

[Stephen J. Turnbull]

Ben Cooksley writes:

 > If Mailman were to implement basic CSRF protection for all POST requests
 > that would also slow the attackers down I suspect (as they would have to
 > make a GET request first and parse it).

It might slow a human down, but as soon as it becomes a feature of
Mailman, the attackers will implement the necessary countermeasure (if
it isn't already implemented because they use libcurl or so in their
program!)  Bandwidth?  CPU?  These guys have no such constraints.

 > One thing I do know is that at least for us the attacks all
 > appeared to be coming from Tor endpoints or open web proxies.

Big surprise.  Not to mention demonstrating that CSRF protection won't
help, because you're dealing with real players, not junior high school
students from a fishing village in western Japan.

The problem here is that you cannot authenticate users you don't
already know.  So CSRF just adds a "get a free token" step to the
automated process.  I'm sure all the major libraries already implement
this, so unless the attackers are remarkably stupid, undoubtedly the
needed code is immediately to hand.

One partial solution would be to allow OpenID logins to the website to
use it to register subscriptions.  Of course you probably can't trust
Google or Yahoo accounts. ;-)