[Mailman-Users] Handling bogus subscribe requests

Perry E. Metzger perry at piermont.com
Sat Jan 16 20:13:08 EST 2016

On Sat, 16 Jan 2016 16:52:29 -0800 Mark Sapiro <mark at msapiro.net>
> On 01/16/2016 04:02 PM, Perry E. Metzger wrote:
> > 
> > I have direct evidence that the asshats are now using "+" strings
> > after the main address that are not strictly numeric. They seem to
> > have responded to the simple ways of stopping them.
> I haven't seen any like that yet. The regexp I use is ^.*\+.*\d{3,}@
> which will block anything between '+' and '@' as long as it ends
> with 3 digits.
> Please provide some examples. If there is any discernable pattern,
> it might be blockable without impacting real subscribers.

I don't have a lot of examples (haven't been saving them as I nuke
stuff out of the postfix queue) but I just nuked one aimed at what
I could characterize as user\+[a-z]+[0-9]@gmail.com

In each case, the instances in the queue had this or equivalent back
from google:

(host gmail-smtp-in.l.google.com[] said: 450-4.2.1 The
user you are trying to contact is receiving mail at a rate that
450-4.2.1 prevents additional messages from being delivered. Please
resend your 450-4.2.1 message at a later time. If the user is able to
receive mail at that 450-4.2.1 time, your message will be delivered.
For more information, please 450-4.2.1 visit 450 4.2.1
https://support.google.com/mail/answer/6592 75si22222236qgm.43 -
gsmtp (in reply to RCPT TO command))

I already had a regexp in to nuke everything aimed at a post-+
section with just digits. I'm reluctant to go further than that
immediately, although I suspect trailing digits after alphabeticals
are also unlikely to be real submailboxes.

> Other possibilities are disabling web subscribe all together or
> installing some kind of captcha (ugh) in the page. Experience shows
> that SUBSCRIBE_FORM_SECRET doesn't stop them unless perhaps
> SUBSCRIBE_FORM_MIN_TIME is set long enough that it becomes a
> problem for real subscribers.

Would it be hard to add optional recaptcha support for the pages with
forms in a future release? That would probably prevent most such
games and it doesn't seem so bad.

Perry E. Metzger		perry at piermont.com

More information about the Mailman-Users mailing list