[Mailman-Users] Handling bogus subscribe requests

Andrew Daviel advax at triumf.ca
Tue Jan 12 23:03:03 EST 2016

On Tue, 12 Jan 2016, Mark Sapiro wrote:

> On 01/12/2016 08:18 AM, Rosenbaum, Larry M. wrote:
>>> From the "NEWS" file:
>>     - There is a new mm_cfg.py setting SUBSCRIBE_FORM_SECRET ...
> This is only partially effective against this attack.

Thanks for the info.

Typical of me, I kept looking for a workaround after posting and didn't 
see this straight away. I will look into SUBSCRIBE_FORM_SECRET.

Meanwhile, I found the bot was evading the address block ban by using 
other hosts, and have tried adding a simple CAPTCHA based on Apache anonymous 
authentication. If a user tries to access a mailman script from offsite, 
they get a 401 rejection and a prompt to login with a simple username 
(which changes every hour)

Andrew Daviel, TRIUMF, Canada
Tel. +1 (604) 222-7376  (Pacific Time)
Network Security Manager

More information about the Mailman-Users mailing list