Re: [Mailman-Users] Handling bogus subscribe requests

2016-01-17 Thread Mark Sapiro
On 01/17/2016 05:50 PM, Perry E. Metzger wrote: > On Sun, 17 Jan 2016 09:34:35 -0800 Mark Sapiro > wrote: >> >> I would look at it, but it's not likely I will include it. Keep in >> mind that MM 2.1 is end of life. By the time such code would be >> released, MM 3.1 with a

Re: [Mailman-Users] Handling bogus subscribe requests

2016-01-17 Thread Perry E. Metzger
On Sun, 17 Jan 2016 09:34:35 -0800 Mark Sapiro wrote: > On 01/17/2016 06:34 AM, Perry E. Metzger wrote: > > > > Mostly it just requires registration. Doing a custom template is > > probably fine for someone like me who is able to deal with the > > technical steps involved but

Re: [Mailman-Users] Handling bogus subscribe requests

2016-01-17 Thread Perry E. Metzger
On Sat, 16 Jan 2016 18:27:00 -0800 Mark Sapiro wrote: > > Would it be hard to add optional recaptcha support for the pages > > with forms in a future release? That would probably prevent most > > such games and it doesn't seem so bad. > > I hate them. I'd really have to be

Re: [Mailman-Users] Handling bogus subscribe requests

2016-01-17 Thread Jayson Smith
Hi, Just my $0.02 worth, but as a blind person, were I going to implement a CAPTCHA, I would probably write some sort of simple math problem system or something. Besides the benefit of not needing registration, this CAPTCHA can be solved by anybody who can solve simple problems. ReCaptcha

Re: [Mailman-Users] Handling bogus subscribe requests

2016-01-17 Thread Mark Sapiro
On 01/17/2016 06:34 AM, Perry E. Metzger wrote: > > Mostly it just requires registration. Doing a custom template is > probably fine for someone like me who is able to deal with the > technical steps involved but it might be too much of a burden for > many users. If such code was contributed

Re: [Mailman-Users] Handling bogus subscribe requests

2016-01-16 Thread Perry E. Metzger
On Thu, 14 Jan 2016 08:55:21 -0600 "Gibbs, David" wrote: > On 1/12/2016 11:54 AM, Mark Sapiro wrote: > > > There are threads on this in the archives of this list. See > > threads containing the posts > >

Re: [Mailman-Users] Handling bogus subscribe requests

2016-01-16 Thread Perry E. Metzger
On Sat, 16 Jan 2016 19:02:58 -0500 "Perry E. Metzger" wrote: > On Thu, 14 Jan 2016 08:55:21 -0600 "Gibbs, David" > wrote: > > On 1/12/2016 11:54 AM, Mark Sapiro wrote: > > > > > There are threads on this in the archives of this list. See > > > threads

Re: [Mailman-Users] Handling bogus subscribe requests

2016-01-16 Thread Mark Sapiro
On 01/16/2016 04:02 PM, Perry E. Metzger wrote: > > I have direct evidence that the asshats are now using "+" strings > after the main address that are not strictly numeric. They seem to > have responded to the simple ways of stopping them. I haven't seen any like that yet. The regexp I use is

Re: [Mailman-Users] Handling bogus subscribe requests

2016-01-16 Thread Mark Sapiro
On 01/16/2016 04:51 PM, Perry E. Metzger wrote: > > Oh, and by the way, the documentation for SUBSCRIBE_FORM_SECRET (such > as it is) does not mention that it needs to be set to a string. I > only figured that out when setting it to True and 1 both failed > spectacularly and reading the

Re: [Mailman-Users] Handling bogus subscribe requests

2016-01-16 Thread Perry E. Metzger
On Sat, 16 Jan 2016 16:52:29 -0800 Mark Sapiro wrote: > On 01/16/2016 04:02 PM, Perry E. Metzger wrote: > > > > I have direct evidence that the asshats are now using "+" strings > > after the main address that are not strictly numeric. They seem to > > have responded to the

Re: [Mailman-Users] Handling bogus subscribe requests

2016-01-16 Thread Mark Sapiro
On 01/16/2016 04:52 PM, Mark Sapiro wrote: > > Based on the one above getting through, I wrote the script at > (mirrored at > ) to 'erase' an address from > all lists. Note, this script uses the Python argparse

Re: [Mailman-Users] Handling bogus subscribe requests

2016-01-16 Thread Mark Sapiro
On 01/16/2016 05:13 PM, Perry E. Metzger wrote: > On Sat, 16 Jan 2016 16:52:29 -0800 Mark Sapiro > wrote: >> >> Please provide some examples. If there is any discernable pattern, >> it might be blockable without impacting real subscribers. > > I don't have a lot of examples

Re: [Mailman-Users] Handling bogus subscribe requests

2016-01-14 Thread Gibbs, David
On 1/12/2016 11:54 AM, Mark Sapiro wrote: > There are threads on this in the archives of this list. See threads > containing the posts > I can confirm that the technique used in this post works great. david -- IBM i

Re: [Mailman-Users] Handling bogus subscribe requests

2016-01-12 Thread Andrew Daviel
On Tue, 12 Jan 2016, Mark Sapiro wrote: On 01/12/2016 08:18 AM, Rosenbaum, Larry M. wrote: From the "NEWS" file: - There is a new mm_cfg.py setting SUBSCRIBE_FORM_SECRET ... This is only partially effective against this attack. Thanks for the info. Typical of me, I kept looking

[Mailman-Users] Handling bogus subscribe requests

2016-01-12 Thread Andrew Daviel
In the last few days we've seen several thousand bogus subscription requests for various lists we host, sent through the web interface. They seem to mostly originate in China. We see log entries such as /var/log/mailman/subscribe Jan 11 20:50:30 2016 (27666) grsi-users: pending

Re: [Mailman-Users] Handling bogus subscribe requests

2016-01-12 Thread Mark Sapiro
On 01/12/2016 01:18 AM, Andrew Daviel wrote: > > In the last few days we've seen several thousand bogus subscription > requests for various lists we host, sent through the web interface. They > seem to mostly originate in China. > > We see log entries such as /var/log/mailman/subscribe > Jan 11

Re: [Mailman-Users] Handling bogus subscribe requests

2016-01-12 Thread Mark Sapiro
On 01/12/2016 08:18 AM, Rosenbaum, Larry M. wrote: > From the "NEWS" file: > > - There is a new mm_cfg.py setting SUBSCRIBE_FORM_SECRET ... This is only partially effective against this attack. On the @python.org lists we see this attack come and go and even with SUBSCRIBE_FORM_MIN_TIME =

Re: [Mailman-Users] Handling bogus subscribe requests

2016-01-12 Thread Rosenbaum, Larry M.
To: mailman-users@python.org > Subject: [Mailman-Users] Handling bogus subscribe requests > > > In the last few days we've seen several thousand bogus subscription > requests for various lists we host, sent through the web interface. They > seem to mostly originate in China.