[Mailman-Users] Automated Subscription Bots Inundating List Owners With Subscription Requests

[Stephen J. Turnbull]

Kalbfleisch, Gary writes:

 > inundated with confirmation request messages, and you cannot delete
 > them all at once on the "Tend to pending moderator requests"
 > screen.  You have to select "Discard" for each of them
 > individually.  I don't know if this has been changed yet.

As far as I can see, these are batchable (you only need to click
"Submit" once -- version 2.1.15, but I doubt this has changed in many
years).

Is your issue that the moderator has to tick each box?  I really don't
think that should change; otherwise you would lose valid subscription
requests when being attacked in this way.

Is the issue that lists get so many requests that it overflows the
screen, and you can only do (say) 20 at once?

 > I had to block access to the web interface from off site at our
 > router to stop the deluge of messages.

I think this is the best way to handle it.

There really ought to be a way for a host to request that a service be
firewalled programmatically, although it would have to be designed
*very* carefully.

 > I have seen this starting to occur at some other Mailman sites as
 > well.  Anyone else seeing this or have any ideas about how best to
 > handle this?  I have it under control for now but it is changing
 > the way we use our lists.

Sadly, I don't see how that can be avoided.  The problem is the SMTP
and HTTP protocols themselves, which have no easily used provision for
authentication or authorization of clients.  (How many students do you
know who walk around with a personal X.509 certificate?)

If you have suggestions for the admin interface, that would be very
helpful.  Even if you don't have a lot of confidence in them, this is
a hard problem that requires wild ideas.