[Mailman-Users] POST based subscribe attacks

Ben Cooksley bcooksley at kde.org
Sun Oct 28 21:27:14 CET 2012

Hi all,

We at KDE are currently experiencing attacks upon our Mailman
installation, attempting to subscribe random email addresses (which
more often than not are valid unfortunately). These attacks are
conducted essentially through performing mass HTTP POST requests to
/subscribe/listname with few proceeding GET requests.

It seems that the attackers are capitalizing on Mailman's lack of CSRF
protection. Does anyone know if there are plans to add CSRF protection
into Mailman 2?
Alternately, is anyone aware of any form of CAPTCHA protection which
can be applied to Mailman?

It has gotten to the point where we have had to disable web based
subscriptions to our mailing lists due to this abuse.

Ben Cooksley
KDE Sysadmin

More information about the Mailman-Users mailing list