[Mailman-Users] Distributed mass subscribe attack?

tlhackque tlhackque at yahoo.com
Fri Aug 18 12:25:36 EDT 2017

On 17-Aug-17 16:47, Andy Cravens wrote:
> David,
> I forgot to mention I’m also working on a modsecurity rule to look at all POSTs
> and reject if they contain an email address with a + sign.
I understand the drive to suppress an attack.  However, + is valid in
e-mail addresses.  It's frequently used by people to setup auto-filing
rules, and/or to track the source of addresses harvested for SPAM.

I strongly discourage any service provider from defining what formats of
e-mail addresses are acceptable.  Such definitions, however
well-intentioned, are almost always wrong - and effectively blindly deny

We've seen this with hardcoded lists of TLDs (there'll never be more
than 13.  + CC TLDs. + IDN + freemarket...).  And every variety of
mailbox name format restriction - character set, length, "bad words", ...

If an address is valid per RFC822 (2822,5322, ...), accept it.

But by all means use other approaches to suppress attacks.  Captchas are
probably your best shot.  Rate limiting can help.  You can use
(imperfect) filtering by geolocating by IP address - if your client base
doesn't include the whole world.   Other tricks include telling the user
to wait a minute or two before clicking submit; discard or require
re-submission of early responses.  Bots won't do that. 

No matter what you do, the spammers will adapt, eventually.  But unless
you're a particularly appealing target, they're likely to move on if you
do almost anything unusual.

More information about the Mailman-Users mailing list