[Mailman-Users] How to stop mail-bombers from abusing web subscribe page

Daniel Miller dmiller at nmap.com
Thu Jul 16 20:42:04 CEST 2015


Hi all,

We have discovered "mail bomber" programs like "boom mail" abusing the web
"subscribe" feature of Mailman 2.1.15 to send hundreds of subscription
confirmation messages to addresses that then complain to us and report us
as spammers. Is there a canonical way to deal with this? The ones we see
look like this in our web logs:

104.154.46.32 nmap.org - [29/Jun/2015:15:03:03 +0000] "GET /mailman/subscribe/announce?email=ALLCAPS.EMAIL at EXAMPLE.COM&fullname=&pw=123456789&pw-conf=123456789&language=en&digest=0&email-button=Subscribe HTTP/1.1" 504 323 "http://ugbox.club/boommail_bachdev/" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"

We ended up using this config in Apache:

  <Location /mailman/subscribe>
    # Stop spammers from sending tons of GET requests to mail-bomb victims
    # with subscription confirmations
    <LimitExcept POST>
    # Apache 2.2 syntax; on 2.4 without mod_access_compat use "Require all denied"
    Deny from All
    </LimitExcept>
    # Those spammers never set referer correctly, either: require the Referer
    # to be an http(s) URL on the same host as the request
    RewriteEngine On
    RewriteCond %{HTTP_HOST}@@%{HTTP_REFERER} !^([^@]*)@@https?://\1/.*
    # "-" means no substitution; F returns 403 Forbidden
    RewriteRule .* - [NC,F]
  </Location>

We'd love to hear if there's a better way to do this.

Dan
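
The two checks in the Apache config above (drop anything that is not a POST to the subscribe URL, and drop requests whose Referer is not on the same host as the request) can also be replayed over existing web logs to see how much abuse a site has already absorbed and which source addresses are bursting. The script below is an added example, not code from the original post or from the Mailman project; the log lines, IP addresses and hostnames in it are constructed, and the log layout (client IP, then vhost, then ident, then the usual combined-format fields) is assumed to match the line quoted in the post.

```python
"""Replay the post's two subscribe-form rules over Apache access log lines.

Added example: mirrors the Apache config in the post (non-POST to
/mailman/subscribe is denied; Referer host must equal the request Host)
and reports per-source-IP counts of requests those rules would block,
plus the distinct victim addresses each source targeted.
"""
import re
from collections import Counter
from urllib.parse import urlparse, parse_qs

# Combined log format with the vhost inserted after the client IP, as in the
# line quoted in the post: "IP vhost - [ts] "METHOD path proto" status size "ref" "ua""
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<host>\S+) \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

SUBSCRIBE_PREFIX = "/mailman/subscribe"

# Constructed sample lines (addresses/hosts are documentation-range placeholders).
SAMPLE_LOG = [
    '198.51.100.7 lists.example.org - [29/Jun/2015:15:03:03 +0000] "GET /mailman/subscribe/announce?email=VICTIM.ONE%40EXAMPLE.COM&fullname=&pw=123456789&pw-conf=123456789&language=en&digest=0&email-button=Subscribe HTTP/1.1" 504 323 "http://mailbomb.invalid/tool/" "Mozilla/5.0"',
    '198.51.100.7 lists.example.org - [29/Jun/2015:15:03:04 +0000] "GET /mailman/subscribe/announce?email=VICTIM.TWO%40EXAMPLE.COM&fullname=&pw=123456789&pw-conf=123456789&language=en&digest=0&email-button=Subscribe HTTP/1.1" 504 323 "http://mailbomb.invalid/tool/" "Mozilla/5.0"',
    '198.51.100.7 lists.example.org - [29/Jun/2015:15:03:05 +0000] "GET /mailman/subscribe/announce?email=VICTIM.THREE%40EXAMPLE.COM&fullname=&pw=123456789&pw-conf=123456789&language=en&digest=0&email-button=Subscribe HTTP/1.1" 504 323 "http://mailbomb.invalid/tool/" "Mozilla/5.0"',
    # Legitimate subscriber: POST from the list's own listinfo page.
    '203.0.113.5 lists.example.org - [29/Jun/2015:15:04:10 +0000] "POST /mailman/subscribe/announce HTTP/1.1" 200 1234 "http://lists.example.org/mailman/listinfo/announce" "Mozilla/5.0"',
    # POST, but the Referer is on a different host: the RewriteCond rejects it.
    '203.0.113.9 lists.example.org - [29/Jun/2015:15:05:00 +0000] "POST /mailman/subscribe/announce HTTP/1.1" 200 1234 "https://other.example.net/form" "Mozilla/5.0"',
    # Unrelated request outside the <Location> block: never blocked.
    '203.0.113.5 lists.example.org - [29/Jun/2015:15:06:00 +0000] "GET /mailman/listinfo/announce HTTP/1.1" 200 5000 "-" "Mozilla/5.0"',
]


def parse_line(line):
    """Return a dict of log fields, or None if the line does not match LOG_RE."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def referer_matches_host(host, referer):
    """Equivalent of the post's RewriteCond: Referer must be an http(s) URL whose
    host part equals the request Host header. A missing Referer ("-") fails.
    Note: HTTP_HOST and urlparse().netloc both keep a non-default port."""
    if not referer or referer == "-":
        return False
    parsed = urlparse(referer)
    return parsed.scheme in ("http", "https") and parsed.netloc == host


def would_be_blocked(entry):
    """Apply both rules from the Apache config; returns (blocked, reason)."""
    path = urlparse(entry["path"]).path
    if not path.startswith(SUBSCRIBE_PREFIX):
        return False, ""
    if entry["method"] != "POST":
        return True, "non-POST to subscribe form"
    if not referer_matches_host(entry["host"], entry["referer"]):
        return True, "referer host does not match request host"
    return False, ""


def target_email(entry):
    """The email= query parameter of a subscribe request (percent-decoded), or ''."""
    qs = parse_qs(urlparse(entry["path"]).query)
    return qs.get("email", [""])[0]


def analyse(lines, burst_threshold=3):
    """Count blocked subscribe requests per source IP and collect the victim
    addresses each IP targeted. Returns (blocked_per_ip, victims_per_ip, bursting_ips)."""
    blocked = Counter()
    victims = {}
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue  # unparseable line: skip rather than miscount
        hit, _reason = would_be_blocked(entry)
        if hit:
            blocked[entry["ip"]] += 1
            victims.setdefault(entry["ip"], set()).add(target_email(entry))
    bursting = sorted(ip for ip, n in blocked.items() if n >= burst_threshold)
    return blocked, victims, bursting


if __name__ == "__main__":
    blocked, victims, bursting = analyse(SAMPLE_LOG)
    for ip, n in blocked.most_common():
        print(f"{ip}: {n} blocked, {len(victims[ip])} distinct target address(es)")
    print("bursting sources:", bursting)
```

Run it against a real log by replacing SAMPLE_LOG with the file's lines; the per-IP victim sets are what to look at when deciding whether a source is a mail bomber (many distinct addresses in seconds) or a confused user retrying one address.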
