On 9/5/2017 9:55 AM, Ian Kelling wrote:
> There is at least one very major mail provider where
> joe+any_string@domain goes to the inbox of joe by default, allowing
> bad people to get my mailman instance to send many subscription mails
> to joe+random_string@domain, messing up joe's inbox, because mailman
> just sees different addresses. Can mailman stop doing this? If not,
> I'm open to an exim rule to block or at least rate limit mailman from
> doing this too.

You can use BAN_LIST on a list-by-list basis or GLOBAL_BAN_LIST in the config 
(in MM 2.1.21).

My observation about the attack is that they are doing a GET on the subscribe 
page to retrieve the hidden sub_form_token form field value and then doing a 
POST to do the subscribe.

I modified the source for my install of MM to change the hidden field name.

I've had no successful or unsuccessful subscribe attempts since.

david


--
IBM i on Power Systems: For when you can't afford to be out of business!

I'm riding a metric century (100 km / 65 miles) in the American Diabetes 
Association's Tour de Cure to raise money for diabetes research, education, 
advocacy, and awareness.  You can make a tax deductible donation to my ride by 
visiting http://gmane.diabetessucks.net.  My goal is $6000 but any amount is 
appreciated.

You can see where my donations come from by visiting my interactive donation 
map ... http://gmane.diabetessucks.net/map (it's a geeky thing).

I may have diabetes, but diabetes doesn't have me!
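As an added illustration of the two defensive points raised in this thread (spotting a flood of +tagged subscription attempts aimed at one mailbox, and expressing a targeted BAN_LIST / GLOBAL_BAN_LIST entry for it), here is a small Python script. It is not code from Mailman or from either poster. The log line format, the addresses, IPs and timestamps are all constructed for the example; the ban-list matching rule (entries beginning with "^" are case-insensitive regexes, anything else is a literal address) is an assumption based on my reading of the Mailman 2.1 source, so check it against your installed version.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines loosely modelled on Mailman 2.1's logs/subscribe.
# Assumed format: "<date> (<pid>) <list>: pending <address> <ip>".
# Addresses, IPs and timestamps are made up for this example.
SAMPLE_LOG = """\
Sep 05 09:40:01 2017 (4711) mylist: pending alice@example.org 198.51.100.7
Sep 05 09:41:12 2017 (4711) mylist: pending joe+a8f1@example.com 203.0.113.5
Sep 05 09:41:13 2017 (4711) mylist: pending joe+b2c9@example.com 203.0.113.5
Sep 05 09:41:15 2017 (4711) mylist: pending joe+c0d4@example.com 203.0.113.5
Sep 05 09:41:16 2017 (4711) mylist: pending joe+d77e@example.com 203.0.113.5
Sep 05 09:41:18 2017 (4711) mylist: pending joe+e913@example.com 203.0.113.5
Sep 05 10:02:44 2017 (4711) mylist: pending bob+lists@example.net 192.0.2.9
"""

LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2} \d{4}) \(\d+\) (?P<list>\S+): '
    r'pending (?P<addr>\S+) (?P<ip>\S+)$')


def parse_subscribe_log(text):
    """Parse the assumed log format into (timestamp, list, address, ip) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that are not pending-subscription records
        ts = datetime.strptime(m.group('ts'), '%b %d %H:%M:%S %Y')
        events.append((ts, m.group('list'), m.group('addr').lower(), m.group('ip')))
    return events


def base_mailbox(addr):
    """Strip a +tag from the local part, so joe+x@d and joe+y@d both map to joe@d."""
    local, sep, domain = addr.rpartition('@')
    if not sep:
        return addr
    return local.split('+', 1)[0] + '@' + domain


def flag_plus_floods(events, max_tags=3, window_seconds=600):
    """Return {base_mailbox: count} for mailboxes that received more than
    max_tags distinct +tagged subscription attempts inside window_seconds.
    This is the pattern the original poster describes: many different tags,
    one victim inbox."""
    by_base = defaultdict(list)
    for ts, _lst, addr, _ip in events:
        base = base_mailbox(addr)
        if base != addr:  # only +tagged addresses are of interest here
            by_base[base].append((ts, addr))
    flagged = {}
    for base, hits in by_base.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):  # sliding window over sorted timestamps
            while (hits[end][0] - hits[start][0]).total_seconds() > window_seconds:
                start += 1
            distinct = len({a for _, a in hits[start:end + 1]})
            if distinct > max_tags:
                flagged[base] = max(flagged.get(base, 0), distinct)
    return flagged


def is_banned(addr, ban_list):
    """Evaluate a ban list the way Mailman 2.1's ban_list / GLOBAL_BAN_LIST is
    assumed to work: entries starting with '^' are case-insensitive regexes,
    any other entry is compared literally (case-insensitively)."""
    addr = addr.lower()
    for entry in ban_list:
        if entry.startswith('^'):
            if re.search(entry, addr, re.IGNORECASE):
                return True
        elif entry.lower() == addr:
            return True
    return False


if __name__ == '__main__':
    evs = parse_subscribe_log(SAMPLE_LOG)
    floods = flag_plus_floods(evs)
    print('flooded mailboxes:', floods)
    # A targeted entry for each flagged victim, rather than a blanket ban on
    # all +tagged addresses, which would also block legitimate subscribers
    # such as bob+lists@example.net.
    bans = [r'^%s\+.*@%s$' % tuple(re.escape(p) for p in b.split('@'))
            for b in floods]
    print('suggested ban entries:', bans)
    for _ts, _lst, a, _ip in evs:
        print(a, 'banned' if is_banned(a, bans) else 'allowed')
```

The generated entry (`^joe\+.*@example\.com$`) only blocks tagged variants of the flooded mailbox; a generic `^.*\+.*@` entry would also cut off people who legitimately subscribe with plus addressing, which is why the script derives the pattern from the observed victim instead.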

------------------------------------------------------
Mailman-Users mailing list Mailman-Users@python.org
https://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/