Hi all,

We at KDE are currently experiencing attacks upon our Mailman installation, attempting to subscribe random email addresses (which more often than not are valid, unfortunately). These attacks are conducted essentially through performing mass HTTP POST requests to /subscribe/listname with few preceding GET requests.

It seems that the attackers are capitalizing on Mailman's lack of CSRF protection. Does anyone know if there are plans to add CSRF protection into Mailman 2? Alternately, is anyone aware of any form of CAPTCHA protection which can be applied to Mailman?

It has gotten to the point where we have had to disable web-based subscriptions to our mailing lists due to this abuse.

Thanks,
Ben Cooksley
KDE Sysadmin

------------------------------------------------------
Mailman-Users mailing list Mailman-Users@python.org
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: http://mail.python.org/mailman/options/mailman-users/archive%40jab.org
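The pattern described in the post above (many POSTs to the subscribe URL, few or no preceding GETs) is something a site admin can pick out of the web server's access log before deciding on CAPTCHA or CSRF tokens. The following is an added example, not code from the original post or from the Mailman project: it parses Apache combined-format log lines and flags client IPs whose subscribe POSTs were not preceded by a GET of that list's listinfo page from the same IP. The log lines are constructed, and the paths assume Mailman 2's default /mailman/listinfo/<list> and /mailman/subscribe/<list> layout; the thresholds in suspicious() are illustrative assumptions.

```python
"""Flag clients that mass-POST to a Mailman subscribe URL without first
fetching the listinfo page that carries the form.

Added example, not part of the original mailing-list post or of Mailman.
Log lines below are constructed (Apache combined format). The URL layout
(/mailman/listinfo/<list> and /mailman/subscribe/<list>) is the Mailman 2
default and an assumption about the site being analysed."""

import re
from collections import defaultdict

# Apache "combined" log format; we only need client IP, method and path.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

SUBSCRIBE_RE = re.compile(r'^/mailman/subscribe/(?P<list>[^/?]+)')
LISTINFO_RE = re.compile(r'^/mailman/listinfo/(?P<list>[^/?]+)')

# Constructed sample: 10.0.0.5 behaves like a browser (GET form, then one
# POST); 198.51.100.7 fires POSTs at several lists with no preceding GET.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Mar/2013:09:00:01 +0000] "GET /mailman/listinfo/kde-devel HTTP/1.1" 200 4321
10.0.0.5 - - [10/Mar/2013:09:00:45 +0000] "POST /mailman/subscribe/kde-devel HTTP/1.1" 200 1200
198.51.100.7 - - [10/Mar/2013:09:01:00 +0000] "POST /mailman/subscribe/kde-devel HTTP/1.1" 200 1200
198.51.100.7 - - [10/Mar/2013:09:01:01 +0000] "POST /mailman/subscribe/kde-core-devel HTTP/1.1" 200 1200
198.51.100.7 - - [10/Mar/2013:09:01:02 +0000] "POST /mailman/subscribe/kde-www HTTP/1.1" 200 1200
198.51.100.7 - - [10/Mar/2013:09:01:03 +0000] "POST /mailman/subscribe/kde-devel HTTP/1.1" 200 1200
"""


def parse(lines):
    """Yield (ip, method, path) for every line that matches the log format."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.group('ip'), m.group('method'), m.group('path')


def analyse(lines):
    """Per-IP counters: subscribe POSTs, 'cold' POSTs (no earlier GET of that
    list's listinfo page from the same IP), and the set of lists targeted."""
    seen_listinfo = defaultdict(set)   # ip -> lists whose form page was fetched
    stats = defaultdict(lambda: {'posts': 0, 'cold_posts': 0, 'lists': set()})
    for ip, method, path in parse(lines):
        if method == 'GET':
            m = LISTINFO_RE.match(path)
            if m:
                seen_listinfo[ip].add(m.group('list'))
        elif method == 'POST':
            m = SUBSCRIBE_RE.match(path)
            if m:
                lst = m.group('list')
                s = stats[ip]
                s['posts'] += 1
                s['lists'].add(lst)
                if lst not in seen_listinfo[ip]:
                    s['cold_posts'] += 1
    return stats


def suspicious(stats, min_posts=3, cold_ratio=0.5):
    """IPs with at least min_posts subscribe POSTs of which a fraction >=
    cold_ratio lacked the preceding GET a real browser would have made.
    Thresholds are illustrative assumptions, tune them to your traffic."""
    flagged = []
    for ip, s in stats.items():
        if s['posts'] >= min_posts and s['cold_posts'] / s['posts'] >= cold_ratio:
            flagged.append(ip)
    return sorted(flagged)


if __name__ == '__main__':
    st = analyse(SAMPLE_LOG.splitlines())
    for ip in suspicious(st):
        s = st[ip]
        print(f"{ip}: {s['posts']} subscribe POSTs, {s['cold_posts']} without a "
              f"prior listinfo GET, {len(s['lists'])} lists targeted")
```

Run it against a real access log with `analyse(open('/var/log/apache2/access.log'))`; the flagged IPs are candidates for a firewall or mod_security rule while a form-level fix (CSRF token or CAPTCHA) is worked out. Keying on "POST without a matching GET from the same client" is a heuristic, not proof: a legitimate user behind a changing proxy address can look cold too, so treat the output as a shortlist to review rather than an automatic block list.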