[Post by list member from an unsubscribed address]

On Nov 18, 2012 4:07 AM, "Petersen, Kirsten J - NET" <kirsten.peter...@oregonstate.edu> wrote:
>
> Gary, et al:
>
> The Mailman lists at Oregon State University have been receiving excessive requests for subscriptions since mid-October as well. Our list administrators were suspicious because often the names on the requests did not match the email addresses. Also, many lists that had been defunct for years were receiving requests, too.
>
> I spent some time trying to figure out what the lists that were being hit had in common. Not all of the lists receiving requests were advertised on the listinfo page. Today I realized that all of the lists involved in this attack have their subscribe_policy set to just "require approval" rather than "confirm" or "confirm and approve". So I think the theory that spammers were just trying to get on the lists to harvest member addresses is probably correct.
>
> My folks are beating down my door for a solution, too, and I can't think of a good one. We host lists for the international community, so any measure I take that makes it harder for external people to subscribe will negatively impact intended use. I am going to advise my list admins to enable confirmation, which should discourage these attempts. It also occurred to me that I could write a script to monitor the vette log and purge requests that look suspicious - mainly based on the same email address attempting to subscribe to multiple unrelated lists at the same time.
At KDE we took the semi-drastic measure of allowing the commencement of mailing list subscription by email only, as the attackers use HTTP POST to perform their attacks. If Mailman were to implement basic CSRF protection for all POST requests that would also slow the attackers down, I suspect (as they would have to make a GET request first and parse it). One thing I do know is that, at least for us, the attacks all appeared to be coming from Tor endpoints or open web proxies.

Regards,
Ben

[Quoted footers removed by moderator]

------------------------------------------------------
Mailman-Users mailing list
Mailman-Users@python.org
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: http://mail.python.org/mailman/options/mailman-users/archive%40jab.org
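The vette-log monitor Kirsten describes in the quoted message, written out as an added example (this is not Mailman code and not her script): it parses held-subscription entries and flags any address that asked to join several distinct lists within a short window, which is the pattern she observed. The line layout ("Mon DD HH:MM:SS YYYY (pid) listname: held subscription request from <addr>") is my recollection of Mailman 2.1's logs/vette format; the sample log lines are constructed, and the threshold and window are hypothetical defaults to tune against a real log.

```python
"""Flag addresses that request subscription to many unrelated lists.

Added example, not Mailman code. The vette log format below is assumed
(from memory of Mailman 2.1); check it against logs/vette on your server.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real traffic): one address hits four
# unrelated lists within seconds, two ordinary requesters do not.
SAMPLE_VETTE_LOG = """\
Nov 18 04:07:12 2012 (4521) alumni-news: held subscription request from mk.jones@example.net
Nov 18 04:07:13 2012 (4521) cs-seminars: held subscription request from mk.jones@example.net
Nov 18 04:07:15 2012 (4521) oldproject-dev: held subscription request from mk.jones@example.net
Nov 18 04:07:16 2012 (4521) hortic-l: held subscription request from mk.jones@example.net
Nov 18 09:30:01 2012 (4521) cs-seminars: held subscription request from student@example.edu
Nov 18 09:45:40 2012 (4521) hortic-l: held subscription request from grower@example.org
Nov 19 10:00:00 2012 (4521) alumni-news: held subscription request from student@example.edu
"""

# Assumed entry shape: timestamp, pid in parens, list name, fixed message text.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) \(\d+\) "
    r"(?P<list>[^:]+): held subscription request from (?P<addr>\S+)$"
)


def parse_vette(text):
    """Yield (timestamp, listname, address) for each held-subscription line.

    Other vette entries (held posts, moderation actions) are skipped.
    """
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S %Y")
        yield ts, m.group("list"), m.group("addr").lower()


def suspicious_addresses(text, min_lists=3, window=timedelta(hours=1)):
    """Return {address: sorted list names} for every address that asked to
    join at least min_lists distinct lists inside some window-long span."""
    by_addr = defaultdict(list)
    for ts, lst, addr in parse_vette(text):
        by_addr[addr].append((ts, lst))

    flagged = {}
    for addr, events in by_addr.items():
        events.sort()  # time order, so events[i:] is everything at or after t0
        for i, (t0, _) in enumerate(events):
            lists = {lst for ts, lst in events[i:] if ts - t0 <= window}
            if len(lists) >= min_lists:
                flagged[addr] = sorted(lists)
                break
    return flagged


if __name__ == "__main__":
    for addr, lists in suspicious_addresses(SAMPLE_VETTE_LOG).items():
        print("%s -> %s" % (addr, ", ".join(lists)))
```

Run it over `logs/vette` (`suspicious_addresses(open(path).read())`) from cron and treat the result as a candidate list for an admin to discard from the admindb page rather than as an automatic purge; a legitimate person joining two or three related lists at once should stay below the threshold, so pick `min_lists` from your own log before trusting it. On the policy side, my recollection of Mailman 2.1's `subscribe_policy` numbering is 1 = confirm, 2 = require approval, 3 = confirm and approve, so the change Kirsten is advising can be pushed to a list with `bin/config_list -i` and a file containing `subscribe_policy = 3`; dump the current value with `bin/config_list -o` first to verify the numbering on your installation.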
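Ben's suggestion of basic CSRF protection on POST, as an added example that is not Mailman's code: a form token is minted when the subscribe page is served by GET and must come back in the POST, so a bot that posts blindly to the subscribe URL is refused until it fetches and parses the form first. `SITE_SECRET`, `TOKEN_TTL` and the function names are hypothetical; the token is bound to the list name and an expiry rather than to a session, because the subscribe form is anonymous.

```python
"""Form token for an anonymous subscribe form (added example, not Mailman code).

Assumes the server keeps a secret across requests and that the form is
served by GET and submitted by POST. Names here are hypothetical.
"""
import hashlib
import hmac
import os
import time

SITE_SECRET = os.urandom(32)   # per-server secret; persisted on disk in practice
TOKEN_TTL = 3600               # seconds a minted form token remains valid


def _mac(listname, issued, nonce):
    """HMAC over the fields a token commits to: list, issue time, nonce."""
    msg = "%s|%d|%s" % (listname, issued, nonce)
    return hmac.new(SITE_SECRET, msg.encode(), hashlib.sha256).hexdigest()


def issue_form_token(listname, now=None):
    """Called while rendering the GET subscribe page; the value goes into a
    hidden form field that the browser (or a bot that parsed the page) sends back."""
    issued = int(now if now is not None else time.time())
    nonce = os.urandom(8).hex()
    return "%d:%s:%s" % (issued, nonce, _mac(listname, issued, nonce))


def check_form_token(listname, token, now=None):
    """Called on POST. True only for an unexpired token minted for this list
    by this server; malformed, tampered, foreign-list and stale tokens fail."""
    now = int(now if now is not None else time.time())
    try:
        issued_s, nonce, mac = token.split(":")
        issued = int(issued_s)
    except (AttributeError, ValueError):
        return False
    if not hmac.compare_digest(mac, _mac(listname, issued, nonce)):
        return False
    return 0 <= now - issued <= TOKEN_TTL


def handle_subscribe_post(listname, form):
    """Minimal POST handler: the token check runs before the address is
    looked at, so a blind POST never reaches the pending-request queue."""
    if not check_form_token(listname, form.get("csrf_token")):
        return "rejected: missing or invalid form token"
    return "pending: %s on %s" % (form.get("email"), listname)


if __name__ == "__main__":
    # A blind POST, which is what the attackers described in the thread send.
    print(handle_subscribe_post("cs-seminars", {"email": "x@example.net"}))
    # A POST that carries the token from a prior GET of the form.
    tok = issue_form_token("cs-seminars")
    print(handle_subscribe_post("cs-seminars", {"email": "x@example.net", "csrf_token": tok}))
```

This only raises the attacker's cost, exactly as Ben says: a scraper that performs the GET and pulls the hidden field out of the HTML still gets through, so it belongs alongside confirmation mail and the vette-log checks rather than in place of them. Rotating `SITE_SECRET` invalidates every outstanding token, which is acceptable for a form that is normally filled in within minutes.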