[Mailman-Users] Handling bogus subscribe requests
advax at triumf.ca
Tue Jan 12 23:03:03 EST 2016
On Tue, 12 Jan 2016, Mark Sapiro wrote:
> On 01/12/2016 08:18 AM, Rosenbaum, Larry M. wrote:
>>> From the "NEWS" file:
>> - There is a new mm_cfg.py setting SUBSCRIBE_FORM_SECRET ...
> This is only partially effective against this attack.
Thanks for the info.
Typical of me, I kept looking for a workaround after posting and didn't
see this straight away. I will look into SUBSCRIBE_FORM_SECRET.
Meanwhile, I found the bot was evading the address block ban by using
other hosts, and have tried adding a simple CAPTCHA based on Apache anonymous
authentication. If a user tries to access a mailman script from offsite,
they get a 401 rejection and a prompt to login with a simple username
(which changes every hour).
Andrew Daviel, TRIUMF, Canada
Tel. +1 (604) 222-7376 (Pacific Time)
Network Security Manager
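An added example of how such a gate could be expressed for Apache 2.4 (this is not configuration from Andrew's post or from the Mailman project); the /mailman path, the on-site range 192.0.2.0/24, the include file name and the MM_ANON_USER variable are all assumptions.

```apache
# Added example, not from the original post: gate the Mailman CGI scripts
# with mod_authn_anon. Clients on the assumed on-site range 192.0.2.0/24
# pass straight through; everyone else receives a 401 and must supply the
# current anonymous username, which an hourly cron job rotates.
LoadModule authn_anon_module modules/mod_authn_anon.so

# Assumed file rewritten every hour by cron, containing a single line such as
#   Define MM_ANON_USER heron
# followed by "apachectl graceful" so the new word takes effect.
Include conf/mailman-anon-user.conf

<Location "/mailman">
    AuthType Basic
    AuthName "Mailman: log in with the username shown in the error page"
    AuthBasicProvider anon

    # Accept only the current word; no password or e-mail address required
    Anonymous ${MM_ANON_USER}
    Anonymous_MustGiveEmail Off
    Anonymous_VerifyEmail Off
    Anonymous_NoUserID Off

    # On-site clients need no login; off-site clients must satisfy the anon provider
    <RequireAny>
        Require ip 192.0.2.0/24
        Require valid-user
    </RequireAny>

    # Inline 401 body carries the hint; a local or string ErrorDocument keeps
    # the WWW-Authenticate header, so the browser still shows a login prompt
    ErrorDocument 401 "Off-site access to Mailman requires a login. Username: ${MM_ANON_USER} (changes hourly); leave the password blank."
</Location>
```

Because the hint is served in clear text, this deters only clients that do not read the 401 body, which is why SUBSCRIBE_FORM_SECRET, which protects the form itself, remains worth enabling alongside it.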