[Mailman-Users] Mailman Security

Mark Sapiro mark at msapiro.net
Thu Jan 19 13:22:45 EST 2017


On 01/19/2017 08:32 AM, Odhiambo Washington wrote:
> On 19 January 2017 at 18:55, Brian Carpenter <brian at emwd.com> wrote:
>

Odhiambo Washington wrote:
>>>
>>> Now this got me thinking: Once one has submitted a subscription request
>> and
>>> Mailman has dispatched the 'confirm' email, shouldn't mailman decline any
>>> further subscription requests from the same address if they decide to
>>> submit such, and as such shouldn't send any other confirm/verification
>>> requests as long as there is one still pending??


Perhaps there should be a limit, but not an outright refusal because the
original confirmation email could have been lost.

In any case, I'm not interested in implementing this.



>> Subscription spam which is what I think you are experiencing has been dealt
>> with to a certain degree by recent versions of mailman. The following two
>> functions I believe would be of assistance are:
>>
>> SUBSCRIBE_FORM_SECRET
>> GLOBAL_BAN_LIST
>>
...
> So is it enough to add
> 
> SUBSCRIBE_FORM_SECRET = 'L1feSuX'
> 
> to mm_cfg.py and restart Mailman without doing any other thing??


That is sufficient to enable that feature and it will help block robotic
web subscribes, but there are bots now that are smart enough to mimic
human behavior in first getting the listinfo page and then waiting
before posting the subscribe form.


> The GLOBAL_BAN_LIST is self-explanatory when I read it.


There are various, widespread attacks of this nature, but none that I've
seen with the addresses you're seeing. There are several threads on this
in the archives of this list.

Look at some of the hits from searching at
<http://www.mail-archive.com/mailman-users%40python.org/> for
global_ban_list.

-- 
Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
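To make the limits of SUBSCRIBE_FORM_SECRET concrete, here is an added model of the hidden-token check, written for this page and not taken from Mailman's own source. It assumes the same shape Mailman 2.1 uses (a "timestamp:hash" value in a hidden form field, bound to the list name and the client address, with a minimum and maximum form age), but the HMAC-SHA256 construction, the numeric limits, the list name "mylist" and the client addresses are all constructed for the illustration. The last case shows exactly what Mark describes: a bot that fetches the listinfo page, waits, and posts from the same address passes every check.

```python
import hashlib
import hmac
import time

# Constructed settings named after the mm_cfg.py options discussed in the
# thread.  The secret is the placeholder posted above; a real deployment
# should use a long random value.
SUBSCRIBE_FORM_SECRET = b"L1feSuX"
SUBSCRIBE_FORM_MIN_TIME = 5     # seconds the form must be on screen (assumed)
FORM_LIFETIME = 3600            # seconds after which the form is stale (assumed)


def _mac(listname, remote, issued):
    """Keyed hash binding the token to list, client address and issue time."""
    msg = f"{issued}:{listname}:{remote}".encode()
    return hmac.new(SUBSCRIBE_FORM_SECRET, msg, hashlib.sha256).hexdigest()


def issue_token(listname, remote, now=None):
    """Value to embed in a hidden <input> when the listinfo page is served."""
    issued = int(time.time() if now is None else now)
    return f"{issued}:{_mac(listname, remote, issued)}"


def check_token(token, listname, remote, now=None):
    """Return None if the subscribe POST is acceptable, else a rejection reason."""
    now = int(time.time() if now is None else now)
    try:
        issued_s, mac = token.split(":", 1)
        issued = int(issued_s)
    except (AttributeError, ValueError):
        return "no token"
    # Constant-time compare; a mismatch means a forged token or one harvested
    # from a different client address.
    if not hmac.compare_digest(mac, _mac(listname, remote, issued)):
        return "bad token"
    if now - issued > FORM_LIFETIME:
        return "form too old"
    if now - issued < SUBSCRIBE_FORM_MIN_TIME:
        return "form submitted too fast"
    return None


def demo():
    """Walk the cases a subscription-spam bot can run into (constructed scenario)."""
    t0 = 1_484_800_000              # fixed clock so results are reproducible
    list_name = "mylist"
    results = {}
    # 1. A naive bot POSTs the subscribe form without ever fetching listinfo.
    results["no_fetch"] = check_token("", list_name, "203.0.113.5", now=t0)
    # 2. A bot fetched the page but fires the POST almost immediately.
    tok = issue_token(list_name, "203.0.113.5", now=t0)
    results["too_fast"] = check_token(tok, list_name, "203.0.113.5", now=t0 + 1)
    # 3. A token harvested at one address is replayed from another.
    results["replayed"] = check_token(tok, list_name, "198.51.100.7", now=t0 + 10)
    # 4. A patient bot: fetch, wait past the minimum, POST from the same
    #    address.  This is accepted, which is why the secret alone is not enough.
    results["patient_bot"] = check_token(tok, list_name, "203.0.113.5", now=t0 + 10)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:12s} -> {outcome or 'accepted'}")
```

The check only proves that the client obtained a fresh form from this server, at this address, and did not submit it instantly; it says nothing about whether a human filled it in. That is why it has to be combined with GLOBAL_BAN_LIST patterns or other measures when a bot mimics a browser's fetch-then-wait behaviour.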