[Mailman-Users] How to blocking malicious subscription requests?

David Gibbs david at midrange.com
Tue Sep 5 12:09:36 EDT 2017

On 9/5/2017 9:55 AM, Ian Kelling wrote:
> There is at least one very major mail provider where
> joe+any_string at domain goes to the inbox of joe by default, allowing
> bad people to get my mailman instance to send many subscription mails
> to joe+random_string at domain, messing up joe's inbox, because mailman
> just sees different addresses. Can mailman stop doing this? If not,
> I'm open to an exim rule to block or at least rate limit mailman from
> doing this too.

You can use BAN_LIST on a list by list basis or GLOBAL_BAN_LIST in the config (in MM 2.1.21).

My observation about the attack is that they are doing a GET on the subscribe page to retrieve the hidden sub_form_token form field value and then doing a post to do the subscribe.

I modified the source for my install of MM to change the hidden field name.

I've had no successful or unsuccessful subscribe attempts since.


IBM i on Power Systems: For when you can't afford to be out of business!

I'm riding a metric century (100 km / 65 miles) in the American Diabetes Association's Tour de Cure to raise money for diabetes research, education, advocacy, and awareness.  You can make a tax deductible donation to my ride by visiting http://gmane.diabetessucks.net.  My goal is $6000 but any amount is appreciated.

You can see where my donations come from by visiting my interactive donation map ... http://gmane.diabetessucks.net/map (it's a geeky thing).

I may have diabetes, but diabetes doesn't have me!

More information about the Mailman-Users mailing list