[Pkg-mailman-hackers] Bug#900648: mailman: Set SUBSCRIBE_FORM_SECRET per default to reduce subscription spam
Ralf Jung
post at ralfj.de
Sat Jun 2 18:40:34 BST 2018
Package: mailman
Version: 1:2.1.23-1+deb9u2
Severity: normal
Dear Maintainer,
I recently realized that my mailman installations, despite not being big and at least one of them
not being easy to find from the internet, are being abused for subscription spam, with something
like 1500 messages per day per server. Unfortunately mailman does not come with support for a
CAPTCHA, but what I did find after some research is the configuration option SUBSCRIBE_FORM_SECRET.
Setting that to a random string stopped the subscription spam immediately, probably because the
bots are too fast (1s between requesting the form and sending the POST), and mailman enforces
a 5s delay by default when that option is set.
Given that, I think that setting SUBSCRIBE_FORM_SECRET on more mailman setups could do a lot to
reduce the amount of subscription spam. It'd be great if the Debian package could generate a
fresh random string upon installation and use that. This would provide a more "secure by default"
setup. Absent that, the default mm_cfg.py should at least come with a prominent note telling the
admin to please set this option to a unique string. The only reason I had not set that option is
that I did not even know it exists, so such a prominent note could help.
Kind regards,
Ralf
-- System Information:
Debian Release: 9.4
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.9.0-6-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages mailman depends on:
ii apache2 [httpd] 2.4.25-3+deb9u4
ii cron [cron-daemon] 3.0pl1-128+deb9u1
ii debconf [debconf-2.0] 1.5.61
ii libc6 2.24-11+deb9u3
ii logrotate 3.11.0-0.1
ii lsb-base 9.20161125
ii python 2.7.13-2
ii python-dnspython 1.15.0-1
ii ucf 3.0036
Versions of packages mailman recommends:
ii postfix [mail-transport-agent] 3.1.8-0+deb9u1
Versions of packages mailman suggests:
pn listadmin <none>
pn lynx <none>
pn spamassassin <none>
-- Configuration Files:
/etc/logrotate.d/mailman changed [not included]
-- debconf information excluded
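The timing check the report relies on, as an added illustration that is not Mailman's own code and not part of the bug report: a secret-keyed token carrying the time the form was rendered is verified on POST, and a submission that arrives sooner than the minimum delay (the 5s mentioned above) is refused. The constants, the HMAC construction and the maximum lifetime are assumptions for this example, not Mailman's actual implementation.

```python
import hashlib
import hmac
import os
import time

# Assumed values for this example (not Mailman's real configuration or code).
SUBSCRIBE_FORM_SECRET = os.urandom(32).hex()  # what a generated mm_cfg.py would carry
SUBSCRIBE_FORM_MIN_TIME = 5.0    # minimum seconds between rendering the form and the POST
SUBSCRIBE_FORM_MAX_TIME = 3600.0 # assumed: tokens older than this are treated as stale


def _mac(secret, issued, listname, remote_ip):
    # Bind the token to the issue time, the list and the client address so that
    # a token fetched once cannot be replayed elsewhere or for another list.
    msg = "%d:%s:%s" % (issued, listname, remote_ip)
    return hmac.new(secret.encode(), msg.encode(), hashlib.sha256).hexdigest()


def make_form_token(listname, remote_ip, now=None, secret=SUBSCRIBE_FORM_SECRET):
    """Value for a hidden field, created when the subscribe form is rendered."""
    issued = int(now if now is not None else time.time())
    return "%d:%s" % (issued, _mac(secret, issued, listname, remote_ip))


def check_form_token(token, listname, remote_ip, now=None, secret=SUBSCRIBE_FORM_SECRET):
    """Return None if the POST is acceptable, otherwise a short reason string."""
    now = now if now is not None else time.time()
    try:
        issued_s, mac = token.split(":", 1)
        issued = int(issued_s)
    except (ValueError, AttributeError):
        return "malformed token"
    expected = _mac(secret, issued, listname, remote_ip)
    if not hmac.compare_digest(mac, expected):
        return "bad token"          # forged, or issued for another list, IP or secret
    elapsed = now - issued
    if elapsed < SUBSCRIBE_FORM_MIN_TIME:
        return "form submitted too quickly"   # the bot behaviour described in the report
    if elapsed > SUBSCRIBE_FORM_MAX_TIME:
        return "form expired"
    return None


if __name__ == "__main__":
    # Constructed demo: a POST 1s after rendering is refused, one after 7s passes.
    tok = make_form_token("example-list", "203.0.113.5", now=1000)
    print(check_form_token(tok, "example-list", "203.0.113.5", now=1001))
    print(check_form_token(tok, "example-list", "203.0.113.5", now=1007))
```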