[Mailman-Users] Automated Subscription Bots Inundating List Owners With Subscription Requests

Stephen J. Turnbull turnbull at sk.tsukuba.ac.jp
Tue Oct 23 02:40:12 CEST 2012


Kalbfleisch, Gary writes:

 > Kalbfleisch, Gary responds:
 > 
 > Messages are batchable, but administrative tasks are not.  As you
 > noted you must tick each box, and yes I'm talking pages and pages
 > of bogus subscription requests.  Quite tedious.

This would be a bigger problem than losing valid requests if it was
frequent.

 > I think these too should be batchable but perhaps separately.  What
 > I would like to be able to do is to change all administrative
 > messages to discard (or whatever) with one click, then go back and
 > change the legitimate subscription requests back to accept.

I regularly lose posts to mailing lists because of this way of doing
things.

 > After analyzing the httpd logs I have identified three primary
 > sources of the bogus subscription requests, the most predominant
 > being associated with http://mailbait.info.

Wonderful.  Not much Mailman can do about the network-level DoS, but I
suppose the web interface could filter on referrers.  If mailbait.info
is in the Referrer header, return a 404. ;-)

 > > If you have suggestions for the admin interface, that would be very
 > > helpful.  Even if you don't have a lot of confidence in them, this is
 > > a hard problem that requires wild ideas.
 > > 
 > 
 > CAPTCHA for subscription requests would go a long way in preventing
 > this type of exploitation.

I'm pretty sure there are third-party extensions for this.

I'm dubious about the net value of CAPTCHAs.  Personally, I generally
take a CAPTCHA as a "NO TRESPASSING -- THIS MEANS YOU!" sign, and
don't go back.
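Two practical pieces of the exchange above, as an added example that is not part of the original post nor of Mailman itself: first, the httpd-log analysis Gary describes (grouping subscribe POSTs by Referer host to find where the bogus requests come from), and second, the referrer filter Stephen half-jokingly suggests (reject a subscribe request whose Referer points at a blocked site). The log lines are constructed for the example, not taken from anyone's real logs; the blocklist contains only mailbait.info because that is the one site the thread names; the `HTTP_REFERER` environ key is the standard CGI name for the header and is assumed here rather than taken from Mailman's own subscribe CGI.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample of Apache "combined" log lines (not real traffic):
# subscribe POSTs to a Mailman 2 style CGI path with various Referer values,
# plus one unrelated GET. The last POST carries no Referer at all ("-").
SAMPLE_LOG = """\
203.0.113.10 - - [22/Oct/2012:14:03:11 +0200] "POST /mailman/subscribe/example-list HTTP/1.1" 200 1523 "http://mailbait.info/" "Mozilla/5.0"
203.0.113.11 - - [22/Oct/2012:14:03:12 +0200] "POST /mailman/subscribe/example-list HTTP/1.1" 200 1523 "http://www.mailbait.info/some/page" "Mozilla/5.0"
198.51.100.7 - - [22/Oct/2012:14:05:40 +0200] "GET /mailman/listinfo/example-list HTTP/1.1" 200 4012 "-" "Mozilla/5.0"
198.51.100.7 - - [22/Oct/2012:14:06:02 +0200] "POST /mailman/subscribe/example-list HTTP/1.1" 200 1523 "http://lists.example.org/mailman/listinfo/example-list" "Mozilla/5.0"
203.0.113.12 - - [22/Oct/2012:14:07:55 +0200] "POST /mailman/subscribe/example-list HTTP/1.1" 200 1523 "-" "curl/7.26.0"
"""

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def referer_host(referer):
    """Lower-cased host of a Referer value; None when the header is absent
    ("-" in the log), empty, or not a URL with a host part."""
    if not referer or referer == "-":
        return None
    host = urlsplit(referer).hostname  # already lower-cased by urlsplit
    return host or None


def subscribe_referers(log_text, subscribe_prefix="/mailman/subscribe/"):
    """Count subscribe POSTs per Referer host.  Hosts that never serve your
    own listinfo form are the candidate bogus sources; the None key counts
    requests that sent no Referer at all."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        if m["method"] != "POST" or not m["path"].startswith(subscribe_prefix):
            continue
        counts[referer_host(m["referer"])] += 1
    return counts


# Assumption: mailbait.info is the only site the thread names, so it is the
# only entry here.  Matching is exact host or any subdomain of it.
BLOCKED_REFERERS = ("mailbait.info",)


def host_matches(host, blocked):
    """True if host equals a blocked domain or is a subdomain of one.  The
    leading dot stops 'notmailbait.info' from matching 'mailbait.info'."""
    if host is None:
        return False
    return any(host == b or host.endswith("." + b) for b in blocked)


def should_block_subscribe(referer, blocked=BLOCKED_REFERERS):
    """Decision on a raw Referer header value."""
    return host_matches(referer_host(referer), blocked)


def block_cgi_request(environ, blocked=BLOCKED_REFERERS):
    """Same decision for a CGI-style environ dict.  HTTP_REFERER is the
    standard CGI variable for the Referer header (assumed, not taken from
    Mailman's subscribe CGI).  Returns 404 to mirror the suggestion in the
    reply, or None to let the request through."""
    if should_block_subscribe(environ.get("HTTP_REFERER", ""), blocked):
        return 404
    return None


if __name__ == "__main__":
    for host, n in subscribe_referers(SAMPLE_LOG).most_common():
        print(f"{n:4d}  {host or '(no Referer)'}")
```

Note the caveat the sample log is built to show: the Referer header is set by the client, so a submitter that omits or forges it (the `curl` line with `"-"`) sails straight past this filter. It is a cheap way to shed the sloppy bulk of a referrer-carrying campaign, not an authentication check, and it must never be the only thing standing between a form and the list's pending-request queue.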
