[Pkg-mailman-hackers] Bug#900648: mailman: Set SUBSCRIBE_FORM_SECRET per default to reduce subscription spam

Ralf Jung post at ralfj.de
Sun Jun 3 09:32:48 BST 2018


Hi,

>> I recently realized that my mailman installations, despite not being big
>> and at least one of them not being easy to find from the internet, are
>> being abused for subscription spam, with something like 1500 messages per
>> day per server.  Unfortunately mailman does not come with support for a
>> CAPTCHA, but what I did find after some research is the configuration
>> option SUBSCRIBE_FORM_SECRET.  Setting that to a random string stopped the
>> subscription spam immediately, probably because the bots are too fast (1s
>> between requesting the form and sending the POST), and mailman enforces a
>> 5s delay per default when that option is set.
> 
> Thanks for the suggestion. I've been flooded myself as well.
> 
> One thing that also seems to help is to require "confirm" for new
> subscriptions, in my experience.

I have most of my lists set to "Confirm".  The "subscription spam" is exactly
about those confirmation emails Mailman sends to validate your email address.
The goal of the attackers seems to be to just fill the victim's inbox with
thousands of emails saying "please confirm to join this mailing list".

Using "Require approval" instead will just mean the list owner gets flooded with
these requests instead of the victims, which is not a great situation either.

Kind regards,
Ralf
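The mechanism the quoted report relies on (a per-installation secret used to sign the subscribe form, plus a minimum delay between serving the form and accepting its POST, so that a bot submitting after 1s is rejected while a human is not) can be illustrated with a small example. This is added example code, not Mailman's own implementation or the code of anyone in this thread: the function names, the HMAC-over-timestamp construction, the `MIN_FORM_SECONDS` and `MAX_FORM_SECONDS` constants and the sample timestamps and addresses are assumptions for illustration; only the 5s minimum delay and the option name come from the message above.

```python
import hmac
import hashlib
import secrets

# Assumed stand-in for Mailman's SUBSCRIBE_FORM_SECRET: a random, per-installation
# string. Generated here so the example runs offline; a real deployment would keep a
# fixed value in its configuration.
SUBSCRIBE_FORM_SECRET = secrets.token_hex(32)

MIN_FORM_SECONDS = 5      # the 5s minimum delay mentioned in the thread (assumed constant name)
MAX_FORM_SECONDS = 3600   # assumed token lifetime so old tokens cannot be replayed forever


def _mac(secret: str, issued: int, listname: str, remote_addr: str) -> str:
    """HMAC-SHA256 binding the issue time, list name and client address to the secret."""
    msg = f"{issued}:{listname}:{remote_addr}".encode()
    return hmac.new(secret.encode(), msg, hashlib.sha256).hexdigest()


def make_form_token(listname: str, remote_addr: str, now: int,
                    secret: str = SUBSCRIBE_FORM_SECRET) -> str:
    """Embed in the subscribe form as a hidden field when the form is rendered.

    The token carries the issue time in clear plus a MAC over it, so the server
    needs no per-form state and the client cannot forge an earlier timestamp.
    """
    issued = int(now)
    return f"{issued}:{_mac(secret, issued, listname, remote_addr)}"


def check_form_token(token: str, listname: str, remote_addr: str, now: int,
                     secret: str = SUBSCRIBE_FORM_SECRET) -> tuple:
    """Validate a token from a subscribe POST. Returns (accepted, reason)."""
    try:
        issued_str, mac = token.split(":", 1)
        issued = int(issued_str)
    except (ValueError, AttributeError):
        return (False, "malformed")
    # Constant-time comparison so the MAC cannot be guessed byte by byte.
    if not hmac.compare_digest(mac, _mac(secret, issued, listname, remote_addr)):
        return (False, "bad signature")
    age = int(now) - issued
    if age < MIN_FORM_SECONDS:
        # A bot that fetches the form and POSTs within a second lands here.
        return (False, "too fast")
    if age > MAX_FORM_SECONDS:
        return (False, "expired")
    return (True, "ok")


def simulate_clients(now_form: int = 1000) -> dict:
    """Constructed scenario: one bot and one human each request the form at now_form."""
    listname, addr = "mylist", "203.0.113.7"          # constructed sample values
    token = make_form_token(listname, addr, now_form)
    return {
        "bot_after_1s": check_form_token(token, listname, addr, now_form + 1),
        "human_after_12s": check_form_token(token, listname, addr, now_form + 12),
        "replayed_hours_later": check_form_token(token, listname, addr, now_form + 7200),
        "token_moved_to_other_list": check_form_token(token, "otherlist", addr, now_form + 12),
        "garbage_token": check_form_token("not-a-token", listname, addr, now_form + 12),
    }


if __name__ == "__main__":
    for name, outcome in simulate_clients().items():
        print(f"{name:28s} -> {outcome}")
```

The design point is that the delay check needs no database of issued forms: the timestamp travels in the token and the MAC makes it tamper-evident, so a bot cannot simply backdate the hidden field. Binding the list name and client address into the MAC stops a token obtained for one list or from one address being reused elsewhere.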
