[Mailman-Users] Mailman Security

Odhiambo Washington odhiambo at gmail.com
Thu Jan 19 14:35:43 EST 2017


On 19 January 2017 at 21:22, Mark Sapiro <mark at msapiro.net> wrote:

> On 01/19/2017 08:32 AM, Odhiambo Washington wrote:
> > On 19 January 2017 at 18:55, Brian Carpenter <brian at emwd.com> wrote:
> >
>
> Odhiambo Washington wrote:
> >>>
> >>> Now this got me thinking: Once one has submitted a subscription request
> >>> and Mailman has dispatched the 'confirm' email, shouldn't Mailman decline
> >>> any further subscription requests from the same address if they decide to
> >>> submit such, and as such shouldn't send any other confirm/verification
> >>> requests as long as there is one still pending??
>
>
> Perhaps there should be a limit, but not an outright refusal because the
> original confirmation email could have been lost.
>
> In any case, I'm not interested in implementing this.
>
>
>
> >> Subscription spam, which is what I think you are experiencing, has been
> >> dealt with to a certain degree by recent versions of Mailman. The following
> >> two functions I believe would be of assistance are:
> >>
> >> SUBSCRIBE_FORM_SECRET
> >> GLOBAL_BAN_LIST
> >>
> ...
> > So is it enough to add
> >
> > SUBSCRIBE_FORM_SECRET = 'L1feSuX'
> >
> > to mm_cfg.py and restart Mailman without doing anything else??
>
>
> That is sufficient to enable that feature and it will help block robotic
> web subscribes, but there are bots now that are smart enough to mimic
> human behavior in first getting the listinfo page and then waiting
> before posting the subscribe form.
>
>
Thanks for the clarification. Now I'll just wait and see if the smart bots
are involved.



>
> > The GLOBAL_BAN_LIST is self-explanatory when I read it.
>
>
> There are various, widespread attacks of this nature, but none that I've
> seen with the addresses you're seeing. There are several threads on this
> in the archives of this list.
>
> Look at some of the hits from searching at
> <http://www.mail-archive.com/mailman-users%40python.org/> for
> global_ban_list.
>


Seen that. Usable, but not everything, given that some addresses on my list
are well-known free mail providers.


-- 
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft."
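As an added illustration of the two settings discussed above (GLOBAL_BAN_LIST in particular, and why it is "usable, but not everything"), here is a small Python model of ban-list matching. It is not code from this thread or from Mailman itself; the matching semantics are my reading of Mailman 2.1 ('^'-prefixed entries are regular expressions, other entries are literal addresses, both case-insensitive) and should be checked against the installed MailList.py, and all addresses and patterns are constructed for the example.

```python
import re

# Constructed sample settings in the style of Mailman 2.1's mm_cfg.py.
# SUBSCRIBE_FORM_SECRET and GLOBAL_BAN_LIST are the two settings named in
# the thread; the values themselves are made up for this example.
SUBSCRIBE_FORM_SECRET = 'change-me-to-a-long-random-string'
GLOBAL_BAN_LIST = [
    # A literal entry matches exactly one address, case-insensitively.
    'spammer@example.org',
    # An entry beginning with '^' is a regular expression. This one targets a
    # local-part shape (first.last+digits@) rather than a whole provider, so
    # ordinary users at free-mail domains are not caught.
    r'^[a-z]+\.[a-z]+\+[0-9]{4,}@',
]


def banned_pattern(email, ban_list=GLOBAL_BAN_LIST):
    """Return the ban-list entry that matches `email`, or None.

    Assumed semantics (my reading of Mailman 2.1; verify locally):
    '^'-prefixed entries are tried with re.search and re.IGNORECASE,
    anything else is compared as a lower-cased literal address.
    """
    for pattern in ban_list:
        if pattern.startswith('^'):
            try:
                if re.search(pattern, email, re.IGNORECASE):
                    return pattern
            except re.error:
                # A malformed pattern must not break subscriptions entirely.
                continue
        elif pattern.lower() == email.lower():
            return pattern
    return None


def provider_collateral(ban_list, legit_addresses):
    """Return the legitimate addresses that a candidate ban list would reject.

    This is the check behind 'usable, but not everything': a pattern that
    bans an entire free-mail domain also blocks real subscribers there.
    """
    return [addr for addr in legit_addresses if banned_pattern(addr, ban_list)]
```

Run provider_collateral against a sample of your real subscriber addresses before adding a domain-wide pattern; if it returns anything, narrow the pattern.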

