[Mailman-Users] Handling bogus subscribe requests

Rosenbaum, Larry M. rosenbaumlm at ornl.gov
Tue Jan 12 11:18:59 EST 2016


From the "NEWS" file:

    - There is a new mm_cfg.py setting SUBSCRIBE_FORM_SECRET which will put
      a dynamically generated, hidden hash in the listinfo subscribe form and
      check it upon submission.  Setting this will prevent automated processes
      (bots) from successfully POSTing web subscribes without first retrieving
      and parsing the form from the listinfo page.  The form must also be
      submitted no later than FORM_LIFETIME nor no earlier than
      SUBSCRIBE_FORM_MIN_TIME after retrieval.  Note that enabling this will
      break any static subscribe forms on your site.  See the description in
      Defaults.py for more info.  (LP: #1082746)

> -----Original Message-----
> From: Mailman-Users [mailto:mailman-users-
> bounces+rosenbaumlm=ornl.gov at python.org] On Behalf Of Andrew Daviel
> Sent: Tuesday, January 12, 2016 4:18 AM
> To: mailman-users at python.org
> Subject: [Mailman-Users] Handling bogus subscribe requests
> 
> 
> In the last few days we've seen several thousand bogus subscription
> requests for various lists we host, send through the web interface. They
> seem to mostly originate in China.
> 
> We see log entries such as /var/log/mailman/subscribe
> Jan 11 20:50:30 2016 (27666) grsi-users: pending
> hellocatboots+80339132 at gmail.com  221.178.182.31
> and in the webserver logs
> 221.178.182.31 - - [10/Jan/2016:03:27:18 -0800] "POST
> /mailman/subscribe/grsi-users HTTP/1.1" 200
> 
> I'm not sure what the point is - a DoS attack on a few users, perhaps. I
> see that gmail gives you infinite aliases, so that hellocatboots+80339132
> is the same as hellocatboots+96529823 at gmail.com
> 
> Since most of these seem to originate with one netblock where we have, I
> believe, no legitimate users, I've added a Deny rule in httpd.conf.
> 
> I was wondering if other admins had seen this, and if there was a better
> way to control it than blocking an ip range.
> 
> Apart from all the variants of hellocatboots, we've seen a lot of posts
> for one unique user at kezukaya.com. The subscribe log shows hundreds of
> pending requests, from which I infer that mailman has no mechanism to
> track the fact that it already sent a "please confirm" message (we have
> mailman-2.1.18 on Centos 5).
> 
> --
> Andrew Daviel, TRIUMF, Canada
> ------------------------------------------------------
> Mailman-Users mailing list Mailman-Users at python.org
> https://mail.python.org/mailman/listinfo/mailman-users
> Mailman FAQ: http://wiki.list.org/x/AgA3
> Security Policy: http://wiki.list.org/x/QIA9
> Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
> Unsubscribe: https://mail.python.org/mailman/options/mailman-users/rosenbaumlm%40ornl.gov
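The mechanism described in the NEWS excerpt above, written out as an added illustration that is not Mailman's own code: the listinfo page emits a hidden token that binds the issue time, the list name and the requesting client IP to a server-side secret, and the subscribe handler rejects the POST if the MAC does not verify, if it arrives sooner than SUBSCRIBE_FORM_MIN_TIME after issue, or later than FORM_LIFETIME. The HMAC-SHA256 construction, the "issued:mac" token layout, the binding to the client IP, the function names and the numeric defaults are all assumptions of this example, not Mailman's actual implementation; only the three setting names come from the NEWS text.

```python
"""Time-bound hidden subscribe-form token (added example, not Mailman's code).

Assumptions of this example: HMAC-SHA256 over issue time, list name and
client IP; an "<issued>:<mac>" token layout; and the numeric defaults below.
"""
import hashlib
import hmac
import time

SUBSCRIBE_FORM_SECRET = "replace-with-a-long-random-string"  # assumed value
FORM_LIFETIME = 6 * 60 * 60        # assumed: reject forms older than 6 hours
SUBSCRIBE_FORM_MIN_TIME = 5        # assumed: reject forms submitted in < 5 s


def _form_mac(secret, issued, listname, remote_ip):
    # Bind the token to when it was issued, which list it is for and who
    # fetched it, so it cannot be replayed for another list or from elsewhere.
    msg = "%d:%s:%s" % (issued, listname, remote_ip)
    return hmac.new(secret.encode(), msg.encode(), hashlib.sha256).hexdigest()


def issue_token(listname, remote_ip, now=None, secret=SUBSCRIBE_FORM_SECRET):
    """Value for the hidden field emitted with the listinfo subscribe form."""
    issued = int(time.time() if now is None else now)
    return "%d:%s" % (issued, _form_mac(secret, issued, listname, remote_ip))


def check_token(token, listname, remote_ip, now=None,
                secret=SUBSCRIBE_FORM_SECRET,
                lifetime=FORM_LIFETIME, min_time=SUBSCRIBE_FORM_MIN_TIME):
    """Return (accepted, reason) for a token submitted with a subscribe POST."""
    now = int(time.time() if now is None else now)
    try:
        issued_text, mac = token.split(":", 1)
        issued = int(issued_text)
    except (AttributeError, ValueError):
        return False, "malformed"
    # Verify the MAC first (constant-time) so a client cannot probe the time
    # window with a forged timestamp; the window check only sees signed times.
    if not hmac.compare_digest(mac, _form_mac(secret, issued, listname, remote_ip)):
        return False, "bad mac"
    age = now - issued
    if age < min_time:
        return False, "too fast"        # POSTed faster than a human could
    if age > lifetime:
        return False, "expired"         # stale form or late replay
    return True, "ok"


if __name__ == "__main__":
    tok = issue_token("grsi-users", "221.178.182.31", now=1452559830)
    print(tok)
    for delay in (1, 30, FORM_LIFETIME + 1):
        print(delay, check_token(tok, "grsi-users", "221.178.182.31",
                                 now=1452559830 + delay))
```

What this buys and what it does not: a script that POSTs straight to /mailman/subscribe/LIST without fetching the listinfo page fails with "malformed" or "bad mac", and one that fetches and immediately submits fails with "too fast". A bot that fetches the form, waits out the minimum time and submits from the same IP still passes, so the IP block or a rate limit in front of the CGI stays relevant; and, as the NEWS text warns, any static subscribe form on the site that does not carry a freshly issued token stops working.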


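A triage pass over subscribe-log lines of the kind Andrew quotes, as an added example that is not Mailman's code and not a tool from the thread: it parses "pending" entries in the format shown, collapses gmail plus-tags and dot variants onto one canonical address, and counts pending requests per address and per source IP, so a run like hellocatboots+NNNN or hundreds of repeats for one address stands out without hand-reading the log. The sample lines are constructed for the example (a real log shows "@" where the archive renders " at "); the thresholds, the canonicalisation rules and the function names are assumptions of this example.

```python
"""Triage of /var/log/mailman/subscribe "pending" entries (added example).

Constructed sample data and assumed thresholds; not Mailman's own tooling.
"""
import re
from collections import Counter

# Constructed sample in the format shown in the thread. Real entries carry
# "@"; the "new" line is included only to show that non-pending lines are skipped.
SAMPLE_LOG = """\
Jan 11 20:50:30 2016 (27666) grsi-users: pending hellocatboots+80339132@gmail.com 221.178.182.31
Jan 11 20:50:41 2016 (27671) grsi-users: pending hellocatboots+96529823@gmail.com 221.178.182.31
Jan 11 20:51:02 2016 (27680) grsi-users: pending Hello.Cat.Boots+11@gmail.com 221.178.182.31
Jan 11 20:51:15 2016 (27684) other-list: pending hellocatboots+5@googlemail.com 221.178.182.31
Jan 11 20:52:00 2016 (27690) grsi-users: pending someone@kezukaya.com 221.178.182.31
Jan 11 20:52:09 2016 (27693) grsi-users: pending someone@kezukaya.com 221.178.182.44
Jan 11 20:53:00 2016 (27699) grsi-users: pending someone@kezukaya.com 221.178.182.44
Jan 11 21:00:00 2016 (27710) grsi-users: pending alice@example.org 198.51.100.7
Jan 11 21:00:01 2016 (27710) grsi-users: new alice@example.org, via web confirmation
"""

# "<Mon> <day> <hh:mm:ss> <year> (<pid>) <list>: pending <address> <ip>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d \d{4}) \(\d+\) "
    r"(?P<list>[^:]+): pending (?P<addr>\S+) +(?P<ip>\S+)\s*$")

# Assumption: these domains ignore dots in the local part.
DOT_INSENSITIVE = {"gmail.com": "gmail.com", "googlemail.com": "gmail.com"}


def canonical_address(addr):
    """Fold subaddress tags and provider-ignored dots onto one mailbox.

    hellocatboots+80339132@gmail.com and Hello.Cat.Boots+11@googlemail.com
    both become hellocatboots@gmail.com. The +tag rule is applied to every
    domain (an assumption of this example; most providers honour it).
    """
    local, _, domain = addr.rpartition("@")
    local, domain = local.lower(), domain.lower()
    local = local.split("+", 1)[0]
    if domain in DOT_INSENSITIVE:
        local = local.replace(".", "")
        domain = DOT_INSENSITIVE[domain]
    return "%s@%s" % (local, domain)


def parse_pending(log_text):
    """Yield (list, address, ip) for each 'pending' line; skip everything else."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("list"), m.group("addr"), m.group("ip")


def summarize(log_text):
    """Count pending requests per canonical address and per source IP."""
    by_addr, by_ip = Counter(), Counter()
    for _listname, addr, ip in parse_pending(log_text):
        by_addr[canonical_address(addr)] += 1
        by_ip[ip] += 1
    return by_addr, by_ip


def suspects(log_text, addr_threshold=3, ip_threshold=3):
    """Addresses and IPs at or above the (assumed) repeat thresholds."""
    by_addr, by_ip = summarize(log_text)
    return (sorted(a for a, n in by_addr.items() if n >= addr_threshold),
            sorted(i for i, n in by_ip.items() if n >= ip_threshold))


if __name__ == "__main__":
    addrs, ips = summarize(SAMPLE_LOG)
    for addr, n in addrs.most_common():
        print("%4d pending  %s" % (n, addr))
    for ip, n in ips.most_common():
        print("%4d pending  from %s" % (n, ip))
    print("suspects:", suspects(SAMPLE_LOG))
```

Counting by canonical address is what makes the plus-alias flood visible as one target rather than thousands of distinct subscribers; counting by IP is what justifies (or not) a netblock Deny, and shows when the same target is being hit from several sources, which an IP rule alone will not stop.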
