[Mailman-Users] Mailman Security
odhiambo at gmail.com
Thu Jan 19 14:35:43 EST 2017
On 19 January 2017 at 21:22, Mark Sapiro <mark at msapiro.net> wrote:
> On 01/19/2017 08:32 AM, Odhiambo Washington wrote:
> > On 19 January 2017 at 18:55, Brian Carpenter <brian at emwd.com> wrote:
> Odhiambo Washington wrote:
> >>> Now this got me thinking: Once one has submitted a subscription request and
> >>> Mailman has dispatched the 'confirm' email, shouldn't mailman decline
> >>> further subscription requests from the same address if they decide to
> >>> submit such, and as such shouldn't send any other confirm/verification
> >>> requests as long as there is one still pending??
> Perhaps there should be a limit, but not an outright refusal because the
> original confirmation email could have been lost.
> In any case, I'm not interested in implementing this.
> >> Subscription spam which is what I think you are experiencing has been
> >> dealt with to a certain degree by recent versions of mailman. The following
> >> functions I believe would be of assistance are:
> >> SUBSCRIBE_FORM_SECRET
> >> GLOBAL_BAN_LIST
> > So is it enough to add
> > SUBSCRIBE_FORM_SECRET = 'L1feSuX'
> > to mm_cfg.py and restarting Mailman without doing any other thing??
> That is sufficient to enable that feature and it will help block robotic
> web subscribes, but there are bots now that are smart enough to mimic
> human behavior in first getting the listinfo page and then waiting
> before posting the subscribe form.
Thanks for the clarification. Now I'll just wait and see if the smart bots
> > The GLOBAL_BAN_LIST is self-explanatory when I read it.
> There are various, widespread attacks of this nature, but none that I've
> seen with the addresses you're seeing. There are several threads on this
> in the archives of this list.
> Look at some of the hits from searching at
> <http://www.mail-archive.com/mailman-users%40python.org/> for
Seen that. Usable, but not everything, given that some addresses on my list
are well-known free mail providers.
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft."
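Added example, not part of the original thread and not Mailman's own code: a sketch of how a time-stamped form token keyed by a secret such as SUBSCRIBE_FORM_SECRET can reject instant robotic posts, and why a bot that fetches the listinfo page and waits before posting still passes. The function names, the 5-second minimum and the 1-hour lifetime are assumptions for illustration.

```python
import hashlib
import hmac
import secrets

# All names and limits below are assumptions for illustration, not Mailman settings.
MIN_AGE = 5        # seconds a human plausibly needs to fill in the form
MAX_AGE = 3600     # token lifetime in seconds

def make_token(secret, listname, remote_ip, now):
    """Token embedded in the subscribe form when the listinfo page is served."""
    msg = f"{now}:{listname}:{remote_ip}".encode()
    mac = hmac.new(secret.encode(), msg, hashlib.sha256).hexdigest()
    return f"{now}:{mac}"

def check_token(secret, token, listname, remote_ip, now):
    """Return (accepted, reason) for a posted subscribe form."""
    if not token or ":" not in token:
        return False, "missing token"      # form posted without fetching the page
    issued, _, mac = token.partition(":")
    if not (issued.isascii() and issued.isdigit()):
        return False, "malformed token"
    expected = make_token(secret, listname, remote_ip, int(issued))
    if not hmac.compare_digest(expected.encode(), token.encode()):
        return False, "bad token"          # forged, or replayed from another IP/list
    age = now - int(issued)
    if age < MIN_AGE:
        return False, "posted too fast"
    if age > MAX_AGE:
        return False, "token expired"
    return True, "ok"

def demo():
    """Constructed scenarios: three rejected submissions, one stale form, one pass."""
    secret = secrets.token_hex(32)         # long random value, not a guessable word
    tok = make_token(secret, "mylist", "192.0.2.10", 1000)
    return {
        "no_token": check_token(secret, "", "mylist", "192.0.2.10", 1000),
        "instant_post": check_token(secret, tok, "mylist", "192.0.2.10", 1001),
        "other_ip": check_token(secret, tok, "mylist", "198.51.100.7", 1010),
        "stale": check_token(secret, tok, "mylist", "192.0.2.10", 5000),
        # The behaviour described in the thread: fetch the page, wait, then post.
        "patient_bot": check_token(secret, tok, "mylist", "192.0.2.10", 1010),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:13} {result}")
```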