[Mailman-Users] Limiting number of failed login attempts

[Stephen J. Turnbull]

Aditya Jain writes:

 > If I block a particular IP address because some disgruntled person
 > from the organization is trying to brute force, it will block
 > access for other legitimate users from that organization (because
 > they have only one IP dedicated to browsing traffic).

This is a social problem that Mailman ultimately can't solve, and
probably shouldn't try.

 > That is why I was looking for something that can look at the
 > username/email and block request or show captcha if number of
 > failed attempts cross a certain limit, at application(mailman)
 > level.
 > 
 > I think this is sounding more like a feature request.

I think this is sounding like a denial-of-service attack on the
legitimate users no matter how you try to defend them.  My experience
with such "disgruntled users" is that they don't hesitate to abuse
others' accounts for this purpose.  They also are often willing to go
to the trouble of acquiring software to automate captcha-breaking.

Perhaps a per-user login attempt limit would work for you.  Each
(ab)user is different.  But I don't think it's a good idea for a
supported feature of Mailman, it's too fragile and it would be an
invitation to an endless series of "improvements" as the admins get in
arms races with the rogues.

It might be possible to revisit this in Mailman 3 (when we get a
unified authn/authz story) using a token-based approach where the
token is acquired somewhere that already has a stronger authentication
story.  But that will require serious coding.