[Mailman-Users] How to blocking malicious subscription requests?

tlhackque tlhackque at yahoo.com
Tue Sep 5 12:12:36 EDT 2017


On 05-Sep-17 10:55, Ian Kelling wrote:
> There is at least one very major mail provider where
> joe+any_string at domain goes to the inbox of joe by default, allowing bad
> people to get my mailman instance to send many subscription mails to
> joe+random_string at domain, messing up joe's inbox, because mailman just
> sees different addresses. Can mailman stop doing this? If not, I'm open
> to an exim rule to block or at least rate limit mailman from doing this
> too.

This is correct behavior by both the mail service provider and by mailman.

The way to address the anti-social behavior described is to implement a captcha, which will effectively rate-limit subscription requests by bad actors - usually to close to zero.

This has been discussed recently on this list.

> Also, is there a way to rate limit subscription requests even for the
> exact same email address? For example, don't allow someone to subscribe
> to list b if they have > 5 unconfirmed subscription requests in the last
> day?

I don't think so, but others more expert may respond.  If not, it seems like a reasonable feature request for MM3.  But a captcha will probably have the effect that you want.

I use reCAPTCHA (now hosted by Google).  It seems to stay ahead of the captcha-solver bots most of the time.  It's important to choose one that is accessible to people with disabilities.

> --
> Ian Kelling | Senior Systems Administrator, Free Software Foundation
> GPG Key: B125 F60B 7B28 7FF6 A2B7  DF8F 170A F0E2 9542 95DF
> https://fsf.org | https://gnu.org
>
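
The rate limit asked about in this thread, sketched as an added example (not Mailman code and not from either poster): requests are counted per canonical mailbox, so every joe+any_string variant shares one counter, and a request is refused once more than 5 unconfirmed requests are pending within a day. The names `canonical_mailbox` and `SubscriptionLimiter` are hypothetical, and the code assumes `+` is the provider's subaddress separator.

```python
import time
from collections import defaultdict, deque

MAX_PENDING = 5              # threshold from the question: "> 5 unconfirmed"
WINDOW_SECONDS = 24 * 3600   # "in the last day"

def canonical_mailbox(address):
    """Map joe+any_string@domain to joe@domain for use as a rate-limit key.

    Assumption: '+' is the provider's subaddress separator. Case is folded
    only to build the key; mail is still sent to the address as given.
    """
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("not an email address: %r" % (address,))
    base = local.split("+", 1)[0] or local   # keep odd locals like "+tag"
    return base.lower() + "@" + domain.lower()

class SubscriptionLimiter:
    """Hypothetical helper: tracks unconfirmed requests per canonical mailbox."""

    def __init__(self, max_pending=MAX_PENDING, window=WINDOW_SECONDS):
        self.max_pending = max_pending
        self.window = window
        self._pending = defaultdict(deque)   # key -> request timestamps

    def allow(self, address, now=None):
        """Return True and record the request if a confirmation may be sent."""
        now = time.time() if now is None else now
        queue = self._pending[canonical_mailbox(address)]
        while queue and now - queue[0] >= self.window:
            queue.popleft()                  # forget requests older than a day
        if len(queue) > self.max_pending:
            return False                     # refuse: no confirmation mail goes out
        queue.append(now)
        return True

    def confirmed(self, address):
        """Clear the counter once the mailbox owner confirms a subscription."""
        self._pending.pop(canonical_mailbox(address), None)

if __name__ == "__main__":
    limiter = SubscriptionLimiter()
    for i in range(8):                       # constructed sample addresses
        addr = "joe+%d@example.com" % i
        print(addr, "allowed" if limiter.allow(addr, now=1000.0 + i) else "refused")
```

The counter lives in memory here; a real deployment would need to persist it across restarts and share it across lists.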


