[Mailman-Users] Subscription flood

Robert Heller heller at deepsoft.com
Fri May 9 22:01:49 CEST 2014


At Fri, 09 May 2014 12:46:42 -0500 Bill Christensen <billc_lists at greenbuilder.com> wrote:

> 
> On 5/8/14 12:02 PM, Mark Sapiro wrote:
> > On 05/08/2014 09:31 AM, Bill Christensen wrote:
> >> Question 1: Is it possible to reverse the order of approval and
> >> confirmation when requiring both?  The admin then can reject all those
> >> with duplicates, only allowing the (presumably real) single subscription
> >> requests to send out a confirmation request.
> >
> > It would require significant code changes.
> >
> >
> >> If so, how would that be done?
> >>
> >> Question 2: Any other suggestions on how to handle this?
> >>
> >> Currently running mailman 2.1.13_0 (Next stop is to MacPorts list to see
> >> if the maintainer will update the port to the latest version)
> >
> > There are mitigations which may help in Mailman 2.1.16. See
> > <https://bugs.launchpad.net/mailman/+bug/1082746>.
> >
> Ok, great.
> 
> I temporarily removed the signup form from the listinfo page in hopes of 
> stemming the tide, and replaced it with a request to use the site's 
> contact form so that we can manually add interested subscribers.  I 
> purposely don't have a subscribe email address set up for this list.  
> But somehow they're still coming in - another 1300+ since yesterday.
> 
> What other holes can I plug?

If you can determine the originating IP address (hint: look in Apache's
access_log), you can edit the mailman.conf file in /etc/http/conf.d and add in
a <limit> container with 'DENY *ip address*' lines -- the ip address given to
DENY can be a CIDR expression (w.x.y.z/n), allowing you to block whole
subnets (often the spammers just jump from machine to machine when one IP 
address is blocked or sometimes just have a cluster of machines pounding on 
the 'victim'). 

Also, it might make sense to install fail2ban and set up a filter for these 
requests and have fail2ban firewall the offensive IP addresses.

These spammers are not actually using the signup form -- removing the form has
no meaningful effect once someone has gonked the CGI parameters and action
URL, and since Mailman is open source, the CGI parameters and action URL are
published info; they just need to plug in your hostname and the list name
-- there is probably a program out there that takes these two parameters and
then 'randomly' generates *lots* of subscription requests as a form of DDoS
attack. You *could* remove the Execute bit from the CGI script / program that
handles that action. This will result in a 500 error from Apache and
effectively kills any possibility for anyone to sign up for any list served by
your server. Yes, extreme, but effective. Still, the best option is to firewall
the spammers, either with an Apache DENY statement or using fail2ban.

> 
> Thanks.

-- 
Robert Heller             -- 978-544-6933 / heller at deepsoft.com
Deepwoods Software        -- http://www.deepsoft.com/
()  ascii ribbon campaign -- against html e-mail
/\  www.asciiribbon.org   -- against proprietary attachments
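Following up on the access_log and Apache DENY advice above, here is an added example that is not part of the original thread or of Mailman itself: it counts POSTs to the Mailman 2.1 subscribe CGI per client address in constructed sample log lines (addresses from RFC 5737 documentation ranges), collapses several offending hosts in one /24 into a single network, and renders the result as an Apache 2.2-style Deny block. The thresholds, the combined log format and the /mailman/subscribe path prefix are assumptions about a typical install.

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_network

# Apache "combined" log format: client IP, timestamp, request line, status (assumed).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
# Mailman 2.1 subscribe CGI is reached directly at /mailman/subscribe/<list> (assumed prefix).
SUBSCRIBE_RE = re.compile(r'^/mailman/subscribe/[^/?]+')

# Constructed sample access_log lines; addresses are from RFC 5737 documentation ranges.
SAMPLE_LOG = """\
203.0.113.10 - - [09/May/2014:12:01:01 +0200] "POST /mailman/subscribe/mylist HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.10 - - [09/May/2014:12:01:02 +0200] "POST /mailman/subscribe/mylist HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.11 - - [09/May/2014:12:01:03 +0200] "POST /mailman/subscribe/mylist HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.11 - - [09/May/2014:12:01:04 +0200] "POST /mailman/subscribe/mylist HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
198.51.100.7 - - [09/May/2014:12:01:05 +0200] "GET /mailman/listinfo/mylist HTTP/1.1" 200 4021 "-" "Mozilla/5.0"
198.51.100.7 - - [09/May/2014:12:01:30 +0200] "POST /mailman/subscribe/mylist HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
"""

def subscribe_posts_per_ip(log_text):
    """Count POSTs to the subscribe CGI per client address; GETs and other paths are ignored."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m['method'] == 'POST' and SUBSCRIBE_RE.match(m['path']):
            counts[m['ip']] += 1
    return counts

def deny_networks(counts, per_ip_threshold=2, hosts_per_subnet=2):
    """Hosts at or over per_ip_threshold are offenders. When hosts_per_subnet or more
    offenders share a /24, deny the whole /24 (the 'jump from machine to machine'
    case the post describes); otherwise deny each offender on its own."""
    offenders = defaultdict(list)
    for ip, n in counts.items():
        if n >= per_ip_threshold:
            offenders[str(ip_network(f'{ip}/24', strict=False))].append(ip)
    denied = []
    for net, hosts in offenders.items():
        denied.extend([net] if len(hosts) >= hosts_per_subnet else hosts)
    return sorted(denied)

def apache_deny_block(networks):
    """Render an Apache 2.2-style <Limit> block for the subscribe CGI, as the post suggests."""
    lines = ['<Location /mailman/subscribe>', '  <Limit POST>',
             '    Order allow,deny', '    Allow from all']
    lines += [f'    Deny from {n}' for n in networks]
    lines += ['  </Limit>', '</Location>']
    return '\n'.join(lines)
```

Running it over the sample gives a single `Deny from 203.0.113.0/24` line, while the one legitimate-looking host that posted once is left alone.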
