[Mailman-Users] Somebody could not subscribe to pypy-dev at python.org
Stephen J. Turnbull
stephen at xemacs.org
Thu Apr 23 06:13:27 CEST 2015
Laura Creighton writes:

> become all the more common in the future. Is insisting that the IP
> addresses match serving a useful purpose?

Yes. Differing request origins is the characteristic signature of a
CSRF attack.[1] I suppose the site could resolve the IP to a domain,
but that would slow things down significantly.

> Should we have a more informative error message?

Footnotes:
[1] https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29
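
Added example, not part of the original message and not Mailman's code: a sketch of a subscribe-form token bound to the requesting IP address. It shows that a POST arriving from a different address than the GET that served the form fails the check, which rejects a cross-site request and equally a subscriber whose address changed in between. The secret, function names, token layout and addresses are assumptions constructed for illustration.

```python
import hashlib
import hmac

# Assumption: illustrative names and values, not Mailman's implementation.
SECRET = b"constructed-demo-secret"
MAX_AGE = 3600  # seconds a served form stays valid

def _mac(secret, issued, list_name, remote_ip):
    # Bind the token to issue time, list and the address that fetched the form.
    msg = "\n".join([str(issued), list_name, remote_ip]).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()

def issue_token(list_name, remote_ip, now, secret=SECRET):
    """Hidden-field value embedded when the subscribe form is served (GET)."""
    issued = int(now)
    return "%d:%s" % (issued, _mac(secret, issued, list_name, remote_ip))

def check_token(token, list_name, remote_ip, now, secret=SECRET, max_age=MAX_AGE):
    """Validate the hidden field on POST; returns 'ok' or a reason string."""
    try:
        issued_s, mac = token.split(":", 1)
        issued = int(issued_s)
    except (AttributeError, ValueError):
        return "malformed"
    expected = _mac(secret, issued, list_name, remote_ip)
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return "mismatch"  # different IP or list, or a forged token
    if not 0 <= now - issued <= max_age:
        return "expired"
    return "ok"

def demo():
    # Constructed sample: form served to 192.0.2.10 at t=1000.
    form = issue_token("pypy-dev", "192.0.2.10", now=1000)
    return {
        "same_ip": check_token(form, "pypy-dev", "192.0.2.10", now=1060),
        "changed_ip": check_token(form, "pypy-dev", "198.51.100.7", now=1060),
        "other_list": check_token(form, "other-list", "192.0.2.10", now=1060),
        "stale": check_token(form, "pypy-dev", "192.0.2.10", now=1000 + MAX_AGE + 1),
        "no_token": check_token("", "pypy-dev", "192.0.2.10", now=1060),
    }

if __name__ == "__main__":
    print(demo())
```

The server cannot tell the "changed_ip" case apart from a forged request: both simply fail the MAC comparison.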