[Mailman-Users] POST based subscribe attacks

Stephen J. Turnbull stephen at xemacs.org
Tue Oct 30 02:40:50 CET 2012


Ben Cooksley writes:

 > A pity, as the subscription form definitely could do with the same
 > form of protection.

Think about what you're saying.  "Open subscription" either means open
subscription, or an admin has to do all the work.  There's no third
way.  (Well, there is, but it only applies to lists that don't need to
allow subscriptions from outside the firewall, and cannot be
implemented in Mailman itself.)

 > While I'm aware that CAPTCHAs can be broken, it does raise the level
 > of difficulty the spammer must go through to abuse your service.

No, it doesn't.  It's a one-time investment for the spammers, and
raises the level of difficulty for the *first* victim.  After that,
it's all free to them.

If you want CAPTCHA, what you *want* to do is to implement it
yourself.  Once it becomes standard in Mailman, it will be broken
(probably weeks before the official release), the exploit will be on
sale (ditto), and CAPTCHA will be worthless to you from then on.

Personally, I haven't seen any evidence of these attacks.  My lists
max at less than 1000 users, most are less than a dozen.  I suspect
this means that these miscreants are going after big lists because
they're big.  If so, there is probably enough profit in it that they
can afford to hire people to solve CAPTCHAs and PlayThru.

We need to rethink the whole model. :-(
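One concrete form of the "implement it yourself" check discussed in the message above, as an added example that is neither Mailman's own code nor the poster's: instead of a CAPTCHA, a per-site HMAC form token bound to the list name, the client address and the time the form was served, verified on the subscribe POST before any work is done. The site secret, the hidden field name `form_token`, the age limits and the sample requests are all assumptions constructed for this example (Python 3). It rejects blind POSTs that never loaded the form and, via a minimum age, scripts that submit instantly; a spammer who targets this particular site can still fetch the form, wait, and replay from the same address, which is exactly the one-time-investment point the post makes.

```python
"""Site-specific anti-bot check for a Mailman-style subscribe POST.

Added example, not Mailman code.  Assumes the listinfo page embeds the
value returned by make_form_token() as a hidden field named "form_token"
(hypothetical name) and that the subscribe handler calls
check_subscribe_post() first.
"""
import hashlib
import hmac

# Assumption: a long random per-site secret.  Because it is per site and not
# part of any release, a generic exploit cannot be precomputed against it.
SITE_SECRET = b"example-only-site-secret-replace-me"
MIN_AGE = 5      # seconds: a bot that POSTs the instant it gets the form fails this
MAX_AGE = 3600   # seconds: tokens older than this are stale


def make_form_token(listname, remote_addr, now, secret=SITE_SECRET):
    """Token bound to the list, the client's address and an issue time."""
    issued = int(now)
    msg = ("%s|%s|%d" % (listname, remote_addr, issued)).encode()
    mac = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return "%d:%s" % (issued, mac)


def check_form_token(token, listname, remote_addr, now, secret=SITE_SECRET):
    """Return None if the token is valid, otherwise a short reason string."""
    if not isinstance(token, str) or token.count(":") != 1:
        return "missing or malformed token"
    issued_str, mac = token.split(":")
    if not issued_str.isdigit():
        return "missing or malformed token"
    issued = int(issued_str)
    # Recompute the MAC for the claimed issue time and compare in constant time.
    expected = make_form_token(listname, remote_addr, issued, secret).split(":")[1]
    if not hmac.compare_digest(mac, expected):
        return "token not issued for this list/client"
    age = int(now) - issued
    if age < MIN_AGE:
        return "submitted too fast"
    if age > MAX_AGE:
        return "token expired"
    return None


def check_subscribe_post(form, listname, remote_addr, now):
    """Decide whether a subscribe POST may proceed.

    `form` is the decoded POST body as a dict.  Returns (accepted, reason).
    """
    if not form.get("email"):
        return False, "no email"
    reason = check_form_token(form.get("form_token"), listname, remote_addr, now)
    if reason:
        return False, reason
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample traffic, not captured data.
    t0 = 1351564850  # arbitrary epoch seconds at which the form was served
    good = make_form_token("announce", "192.0.2.10", t0)
    samples = [
        ("bot, no token",       {"email": "a@example.org"},                    "192.0.2.10",   t0 + 30),
        ("bot, instant submit", {"email": "b@example.org", "form_token": good}, "192.0.2.10",   t0 + 1),
        ("token from other IP", {"email": "c@example.org", "form_token": good}, "198.51.100.7", t0 + 30),
        ("real user",           {"email": "d@example.org", "form_token": good}, "192.0.2.10",   t0 + 30),
    ]
    for label, form, ip, now in samples:
        print("%-22s -> %s" % (label, check_subscribe_post(form, "announce", ip, now)))
```

Binding the token to the client address means a harvested token cannot be replayed from a spam farm; the cost is that users behind a changing proxy pool may get a false rejection, so the failure path should re-serve the form rather than silently drop the request.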
