[Mailman-Users] How to stop mail-bombers from abusing web subscribe page

Daniel Miller dmiller at nmap.com
Thu Jul 16 20:42:04 CEST 2015

Hi all,

We have discovered "mail bomber" programs like "boom mail" abusing the web
"subscribe" feature of Mailman 2.1.15 to send hundreds of subscription
confirmation messages to addresses that then complain to us and report us
as spammers. Is there a canonical way to deal with this? The ones we see
look like this in our web logs: nmap.org - [29/Jun/2015:15:03:03 +0000] "GET
/mailman/subscribe/announce?email=ALLCAPS.EMAIL at EXAMPLE.COM&fullname=&pw=123456789&pw-conf=123456789&language=en&digest=0&email-button=Subscribe
HTTP/1.1" 504 323 "http://ugbox.club/boommail_bachdev/" "Mozilla/5.0
(Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"

We ended up using this config in Apache:

  <Location /mailman/subscribe>
    # Stop spammers from sending tons of GET requests to mail-bomb victims
with subscription confirmations
    <LimitExcept POST>
    Deny from All
    # Those spammers never set referer correctly, either
    RewriteEngine On
    RewriteCond %{HTTP_HOST}@@%{HTTP_REFERER} !^([^@]*)@@https?://\1/.*
    RewriteRule .* [NC,F]

We'd love to hear if there's a better way to do this.


More information about the Mailman-Users mailing list