At Fri, 09 May 2014 12:46:42 -0500 Bill Christensen <billc_li...@greenbuilder.com> wrote:

> On 5/8/14 12:02 PM, Mark Sapiro wrote:
> > On 05/08/2014 09:31 AM, Bill Christensen wrote:
> >> Question 1: Is it possible to reverse the order of approval and
> >> confirmation when requiring both? The admin then can reject all those
> >> with duplicates, only allowing the (presumably real) single subscription
> >> requests to send out a confirmation request.
> >
> > It would require significant code changes.
> >
> >> If so, how would that be done?
> >>
> >> Question 2: Any other suggestions on how to handle this?
> >>
> >> Currently running mailman 2.1.13_0 (Next stop is to MacPorts list to see
> >> if the maintainer will update the port to the latest version)
> >
> > There are mitigations which may help in Mailman 2.1.16. See
> > <https://bugs.launchpad.net/mailman/+bug/1082746>.
>
> Ok, great.
>
> I temporarily removed the signup form from the listinfo page in hopes of
> stemming the tide, and replaced it with a request to use the site's
> contact form so that we can manually add interested subscribers. I
> purposely don't have a subscribe email address set up for this list.
> But somehow they're still coming in - another 1300+ since yesterday.
>
> What other holes can I plug?

If you can determine the originating IP address (hint: look in Apache's access_log), you can edit the mailman.conf file in /etc/http/conf.d and add in a <limit> container with 'DENY *ip address*' lines -- the ip address given to DENY can be a CIDR expression (w.x.y.z/n), allowing you to block whole subnets (often the spammers just jump from machine to machine when one IP address is blocked, or sometimes just have a cluster of machines pounding on the 'victim'). Also, it might make sense to install fail2ban and set up a filter for these requests and have fail2ban firewall the offensive IP addresses.

These spammers are not actually using the signup form -- removing the form has no meaningful effect once someone has gonked the CGI parameters and action URL, and since Mailman is open source, the CGI parameters and action URL are published info; they just need to plug in your hostname and the list name -- there is probably a program out there that takes these two parameters and then 'randomly' generates *lots* of subscription requests as a form of DDoS attack. You *could* remove the Execute bit from the CGI script / program that handles that action. This will result in a 500 error from Apache and effectively kill any possibility for anyone to sign up for any list served by your server. Yes, extreme, but effective. Still, the best option is to firewall the spammers, either with an Apache DENY statement or using fail2ban.

> Thanks.
> ------------------------------------------------------
> Mailman-Users mailing list Mailman-Users@python.org
> https://mail.python.org/mailman/listinfo/mailman-users
> Mailman FAQ: http://wiki.list.org/x/AgA3
> Security Policy: http://wiki.list.org/x/QIA9
> Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
> Unsubscribe:
> https://mail.python.org/mailman/options/mailman-users/heller%40deepsoft.com

--
Robert Heller -- 978-544-6933 / hel...@deepsoft.com
Deepwoods Software -- http://www.deepsoft.com/
() ascii ribbon campaign -- against html e-mail
/\ www.asciiribbon.org -- against proprietary attachments
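The access_log / Deny-list / fail2ban approach from the reply above, worked through as an added example that is not part of the thread. It assumes Apache's Combined Log Format, the default Mailman URL prefix /mailman/subscribe/<listname>, and Apache 2.2 access-control syntax (Order/Allow/Deny); the log lines are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): find clients hammering Mailman's
# subscribe CGI in an Apache access_log, then emit an Apache 2.2 <Limit POST>
# fragment with "Deny from" lines and a matching fail2ban filter.

# Constructed sample access_log lines (not real traffic).
SAMPLE_LOG='203.0.113.5 - - [09/May/2014:12:00:01 -0500] "POST /mailman/subscribe/greenbuilding HTTP/1.1" 200 512 "-" "python-requests/2.2"
203.0.113.5 - - [09/May/2014:12:00:02 -0500] "POST /mailman/subscribe/greenbuilding HTTP/1.1" 200 512 "-" "python-requests/2.2"
203.0.113.5 - - [09/May/2014:12:00:03 -0500] "POST /mailman/subscribe/greenbuilding HTTP/1.1" 200 512 "-" "python-requests/2.2"
198.51.100.7 - - [09/May/2014:12:00:04 -0500] "POST /mailman/subscribe/greenbuilding HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [09/May/2014:12:05:00 -0500] "GET /mailman/listinfo/greenbuilding HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
192.0.2.9 - - [09/May/2014:12:06:00 -0500] "GET /mailman/listinfo/greenbuilding HTTP/1.1" 200 4096 "-" "Mozilla/5.0"'

# subscribe_abusers LOGFILE THRESHOLD
# Prints "count ip" for each client that POSTed to a subscribe URL at least
# THRESHOLD times, busiest first. Only POSTs count: GETs of listinfo are
# ordinary readers and must not be blocked.
subscribe_abusers() {
    awk -v thr="$2" '
        $6 == "\"POST" && $7 ~ /^\/mailman\/subscribe\// { n[$1]++ }
        END { for (ip in n) if (n[ip] >= thr) print n[ip], ip }
    ' "$1" | sort -rn
}

# deny_fragment LOGFILE THRESHOLD
# Wraps the abusers in a <Limit POST> container (Apache 2.2 syntax), so only
# the subscribe POST is denied and the rest of /mailman stays reachable.
# Hand-edit the Deny lines to CIDR form (w.x.y.z/n) to cover a whole subnet.
deny_fragment() {
    echo '<Location /mailman/subscribe>'
    echo '  <Limit POST>'
    echo '    Order allow,deny'
    echo '    Allow from all'
    subscribe_abusers "$1" "$2" | awk '{ print "    Deny from " $2 }'
    echo '  </Limit>'
    echo '</Location>'
}

# fail2ban_filter
# Prints a filter.d definition matching the same requests, for a jail that
# watches access_log and firewalls offenders automatically.
fail2ban_filter() {
    printf '%s\n' '[Definition]' \
        'failregex = ^<HOST> .*"POST /mailman/subscribe/[^"]*" .*$' \
        'ignoreregex ='
}

if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp); printf '%s\n' "$SAMPLE_LOG" > "$tmp"
    deny_fragment "$tmp" 3; fail2ban_filter; rm -f "$tmp"
fi
```

Run with `--demo` to see the fragment built from the sample log; point `subscribe_abusers` at the real access_log to generate Deny lines for your own mailman.conf.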