[Mailman-Users] POST based subscribe attacks
bcooksley at kde.org
Sun Oct 28 21:27:14 CET 2012
We at KDE are currently experiencing attacks upon our Mailman
installation, attempting to subscribe random email addresses (which
more often than not are valid unfortunately). These attacks are
conducted essentially through performing mass HTTP POST requests to
/subscribe/listname with few proceeding GET requests.
It seems that the attackers are capitalizing on Mailman's lack of CSRF
protection. Does anyone know if there are plans to add CSRF protection
into Mailman 2?
Alternately, is anyone aware of any form of CAPTCHA protection which
can be applied to Mailman?
It has gotten to the point where we have had to disable web based
subscriptions to our mailing lists due to this abuse.
More information about the Mailman-Users