[Mailman-Users] Handling bogus subscribe requests

Mark Sapiro mark at msapiro.net
Sat Jan 16 19:52:29 EST 2016


On 01/16/2016 04:02 PM, Perry E. Metzger wrote:
> 
> I have direct evidence that the asshats are now using "+" strings
> after the main address that are not strictly numeric. They seem to
> have responded to the simple ways of stopping them.


I haven't seen any like that yet. The regexp I use is ^.*\+.*\d{3,}@
which will block anything between '+' and '@' as long as it ends with 3
digits.

Please provide some examples. If there is any discernible pattern, it
might be blockable without impacting real subscribers.

I haven't actually seen kemo.mart or kezukaya + digits @gmail for 5
days. The last five days have been all hellocatboots+<eight
digits>@gmail.com, although a few days ago a bunch of 'ichiba at
kezukaya.com' actually got through. (I'm now banning that one too)


> What's a good technique at this point to slow them down besides
> regexps? I'm stuck on 2.1.18 at the moment as a debian user.


Based on the one above getting through, I wrote the script at
<https://www.msapiro.net/scripts/erase> (mirrored at
<http://fog.ccsf.edu/~msapiro/scripts/erase>) to 'erase' an address from
all lists.  I.e. for every list, if the address is a member, it is
removed. If there are any posts or (un)subscription requests from the
address awaiting moderator action, they are removed and optionally any
subscriptions for the address awaiting user confirmation are discarded too.

As far as I can tell, even if the address isn't banned, unless you allow
open subscribe which is a bad idea for many reasons, the subscription
will require user confirmation, moderator approval, or both.

Those that require confirmation (or both) will never be confirmed
because the bots don't get the confirmation request email, but they do
create back-scatter (the confirmation request email) to the address.
Those that require moderator approval will presumably be discarded, but
are a moderator burden. The script can deal with all that at once.

Other possibilities are disabling web subscribe altogether or
installing some kind of captcha (ugh) in the page. Experience shows that
SUBSCRIBE_FORM_SECRET doesn't stop them unless perhaps
SUBSCRIBE_FORM_MIN_TIME is set long enough that it becomes a problem for
real subscribers.

-- 
Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
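As an added illustration of the ban-list regexp discussed above (example code, not Mailman's own and not from either poster), the following models how a Mailman 2.1 style ban_list is applied: entries beginning with '^' are treated as case-insensitive regular expressions, anything else as a literal address. The sample addresses are constructed to mimic the bogus pattern from the thread, two plausible real subscribers, and one address with a non-numeric '+' tag, which shows the gap Perry describes.

```python
import re

# Constructed ban list. The first entry is the regexp quoted in the message
# above; the second is the literal address Mark says he is now banning.
BAN_LIST = [
    r'^.*\+.*\d{3,}@',
    'ichiba@kezukaya.com',
]

def is_banned(address, ban_list=BAN_LIST):
    """Return True if address matches a ban_list entry, modelled on the
    Mailman 2.1 convention (assumption): '^'-prefixed entries are regexps
    applied case-insensitively, other entries are compared literally."""
    addr = address.strip().lower()
    for entry in ban_list:
        if entry.startswith('^'):
            try:
                if re.search(entry, addr, re.IGNORECASE):
                    return True
            except re.error:
                # A malformed pattern must not disable the whole ban list.
                continue
        elif entry.lower() == addr:
            return True
    return False

# Constructed sample subscribe requests.
SAMPLE_REQUESTS = [
    'hellocatboots+83726158@gmail.com',   # bogus: '+' then 8 digits
    'kezukaya+4471@gmail.com',            # bogus: '+' then 4 digits
    'alice+lists@example.org',            # real user with a plus tag
    'bob@example.org',                    # real user, no plus tag
    'kemo.mart+promo@gmail.com',          # non-numeric tag: regexp misses it
]

def classify(requests, ban_list=BAN_LIST):
    """Split requests into (banned, allowed) lists, as a moderator would see
    them after the ban list has been applied."""
    banned = [a for a in requests if is_banned(a, ban_list)]
    allowed = [a for a in requests if not is_banned(a, ban_list)]
    return banned, allowed

if __name__ == '__main__':
    banned, allowed = classify(SAMPLE_REQUESTS)
    print('banned :', banned)
    print('allowed:', allowed)
```

Note that the last sample lands in the allowed list, which is exactly why a pattern tied to trailing digits needs a confirmation or moderation step behind it.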
