* Ben Cooksley <bcooks...@kde.org>:
> Hi all,
>
> We at KDE are currently experiencing attacks upon our Mailman
> installation, attempting to subscribe random email addresses (which
> more often than not are valid unfortunately). These attacks are
> conducted essentially through performing mass HTTP POST requests to
> /subscribe/listname with few preceding GET requests.
>
> It seems that the attackers are capitalizing on Mailman's lack of CSRF
> protection. Does anyone know if there are plans to add CSRF protection
> into Mailman 2?
> Alternately, is anyone aware of any form of CAPTCHA protection which
> can be applied to Mailman?
>
> It has gotten to the point where we have had to disable web based
> subscriptions to our mailing lists due to this abuse.
Interestingly this could be the cause for the recent onslaught of fake subscription attempts at mail.python.org. You definitely get a +1 for me on this one :)

--
Ralf Hildebrandt
Charite Universitätsmedizin Berlin
ralf.hildebra...@charite.de
Campus Benjamin Franklin
http://www.charite.de
Hindenburgdamm 30, 12203 Berlin
Geschäftsbereich IT, Abt. Netzwerk
fon: +49-30-450.570.155

------------------------------------------------------
Mailman-Users mailing list Mailman-Users@python.org
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: http://mail.python.org/mailman/options/mailman-users/archive%40jab.org
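The pattern described in the quoted message (many subscribe POSTs with few preceding GETs of the list info page) can be spotted in the web server's access log. The following is an added example, not code from the thread or from Mailman: it parses constructed Apache-style log lines and flags client IPs whose subscribe POSTs are rarely preceded by a GET of the listinfo page. The `/listinfo/` and `/subscribe/` path fragments and the thresholds are assumptions to adjust for a real installation.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (Apache combined style); not real traffic.
# 203.0.113.7 behaves like a browser user; 198.51.100.21 posts without ever
# fetching the listinfo form first.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2013:10:01:02 +0000] "GET /mailman/listinfo/kde-devel HTTP/1.1" 200 4312
203.0.113.7 - - [10/Mar/2013:10:01:09 +0000] "POST /mailman/subscribe/kde-devel HTTP/1.1" 200 1023
198.51.100.21 - - [10/Mar/2013:10:02:00 +0000] "POST /mailman/subscribe/kde-devel HTTP/1.1" 200 1023
198.51.100.21 - - [10/Mar/2013:10:02:01 +0000] "POST /mailman/subscribe/kde-core HTTP/1.1" 200 1023
198.51.100.21 - - [10/Mar/2013:10:02:01 +0000] "POST /mailman/subscribe/kde-devel HTTP/1.1" 200 1023
198.51.100.21 - - [10/Mar/2013:10:02:02 +0000] "POST /mailman/subscribe/kde-www HTTP/1.1" 200 1023
198.51.100.21 - - [10/Mar/2013:10:02:02 +0000] "POST /mailman/subscribe/kde-devel HTTP/1.1" 200 1023
"""

# Client IP, request method and path from a combined-format log line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*"'
)


def per_client_counts(log_text):
    """Count listinfo GETs and subscribe POSTs for each client IP."""
    counts = defaultdict(lambda: {"listinfo_get": 0, "subscribe_post": 0})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, method, path = m.group("ip"), m.group("method"), m.group("path")
        if method == "GET" and "/listinfo/" in path:
            counts[ip]["listinfo_get"] += 1
        elif method == "POST" and "/subscribe/" in path:
            counts[ip]["subscribe_post"] += 1
    return counts


def suspicious_clients(log_text, min_posts=3, max_get_ratio=0.5):
    """Return IPs with at least min_posts subscribe POSTs and a low GET/POST ratio.

    A browser user normally loads the listinfo form before posting it, so a
    ratio near zero means the form submissions are being generated directly.
    """
    flagged = []
    for ip, c in per_client_counts(log_text).items():
        posts = c["subscribe_post"]
        if posts >= min_posts and c["listinfo_get"] / posts <= max_get_ratio:
            flagged.append(ip)
    return sorted(flagged)
```

Flagged addresses are candidates for rate limiting or blocking at the web server while a CSRF token or CAPTCHA is not yet available for the subscribe form.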