[Mailman-Users] POST based subscribe attacks

Ralf Hildebrandt Ralf.Hildebrandt at charite.de
Mon Oct 29 20:15:00 CET 2012

* Ben Cooksley <bcooksley at kde.org>:
> Hi all,
> We at KDE are currently experiencing attacks upon our Mailman
> installation, attempting to subscribe random email addresses (which
> more often than not are valid unfortunately). These attacks are
> conducted essentially through performing mass HTTP POST requests to
> /subscribe/listname with few preceding GET requests.
> It seems that the attackers are capitalizing on Mailman's lack of CSRF
> protection. Does anyone know if there are plans to add CSRF protection
> into Mailman 2?
> Alternately, is anyone aware of any form of CAPTCHA protection which
> can be applied to Mailman?
> It has gotten to the point where we have had to disable web based
> subscriptions to our mailing lists due to this abuse.

Interestingly this could be the cause for the recent onslaught of fake
subscription attempts at mail.python.org

You definitely get a +1 for me on this one :)

Ralf Hildebrandt                   Charite Universitätsmedizin Berlin
ralf.hildebrandt at charite.de        Campus Benjamin Franklin
http://www.charite.de              Hindenburgdamm 30, 12203 Berlin
Geschäftsbereich IT, Abt. Netzwerk fon: +49-30-450.570.155
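
The pattern Ben describes (mass POSTs to the subscribe CGI that were never preceded by a GET of the list's form page) is easy to spot in a web server access log. The script below is an added example and is not part of this thread or of Mailman itself. It assumes the default Mailman 2 URL layout under /mailman/ (the form at /mailman/listinfo/<list>, submitting to /mailman/subscribe/<list>); a site mounted at a different prefix only needs the two path regexes adjusted. The log lines are constructed for the example, in Apache combined format.

```python
"""Flag source IPs that POST to Mailman 2's subscribe CGI without first
fetching the list's listinfo form, the blind-POST pattern described above.
Added example, not Mailman code; paths assume the default /mailman/ prefix."""
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" log format: ip ident user [ts] "METHOD path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Assumed default Mailman 2 layout: the subscribe form lives on the listinfo
# page and submits to the subscribe CGI for the same list name.
LISTINFO_RE = re.compile(r"^/mailman/listinfo/(?P<list>[^/?]+)")
SUBSCRIBE_RE = re.compile(r"^/mailman/subscribe/(?P<list>[^/?]+)")

# Constructed sample log: one legitimate browser subscription (GET form, then
# POST) and one scripted client hammering the subscribe CGI with no GETs at all.
SAMPLE_LOG = """\
203.0.113.7 - - [29/Oct/2012:19:58:01 +0100] "GET /mailman/listinfo/kde-devel HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [29/Oct/2012:19:58:40 +0100] "POST /mailman/subscribe/kde-devel HTTP/1.1" 200 3210 "http://lists.example.org/mailman/listinfo/kde-devel" "Mozilla/5.0"
198.51.100.9 - - [29/Oct/2012:20:01:00 +0100] "POST /mailman/subscribe/kde-devel HTTP/1.1" 200 3210 "-" "python-requests/0.14"
198.51.100.9 - - [29/Oct/2012:20:01:01 +0100] "POST /mailman/subscribe/kde-devel HTTP/1.1" 200 3210 "-" "python-requests/0.14"
198.51.100.9 - - [29/Oct/2012:20:01:02 +0100] "POST /mailman/subscribe/kde-core-devel HTTP/1.1" 200 3210 "-" "python-requests/0.14"
198.51.100.9 - - [29/Oct/2012:20:01:03 +0100] "POST /mailman/subscribe/kde-devel HTTP/1.1" 200 3210 "-" "python-requests/0.14"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def find_blind_posts(lines, window_seconds=600, threshold=3):
    """Return {ip: count} of POST /mailman/subscribe/<list> requests whose
    source IP had not fetched /mailman/listinfo/<list> within window_seconds.
    Only IPs with at least `threshold` such blind POSTs are reported, so a
    single user with a stale form page does not trip the check."""
    last_form_get = {}        # (ip, list) -> timestamp of latest listinfo GET
    blind = defaultdict(int)  # ip -> number of blind subscribe POSTs
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "GET":
            m = LISTINFO_RE.match(rec["path"])
            if m:
                last_form_get[(rec["ip"], m.group("list"))] = rec["ts"]
        elif rec["method"] == "POST":
            m = SUBSCRIBE_RE.match(rec["path"])
            if not m:
                continue
            seen = last_form_get.get((rec["ip"], m.group("list")))
            if seen is None or (rec["ts"] - seen).total_seconds() > window_seconds:
                blind[rec["ip"]] += 1
    return {ip: n for ip, n in blind.items() if n >= threshold}


if __name__ == "__main__":
    for ip, n in sorted(find_blind_posts(SAMPLE_LOG.splitlines()).items()):
        print("%s: %d subscribe POSTs with no preceding listinfo GET" % (ip, n))
```

Run it against a real access log with `find_blind_posts(open(path))` and feed the result to a firewall or to the web server's deny list. This only catches the lazy version of the attack: a script that issues a GET before each POST passes the check, which is why the durable fix is a per-form token tied to the session (what CSRF protection would give Mailman) or a CAPTCHA on the subscribe form, as the original post asks for.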
