On 05/15/2015 06:51 PM, Bill Christensen wrote:
>
> On 5/15/15 12:21 AM, Mark Sapiro wrote:
>> Privacy options... -> Subscription rules -> subscribe_policy set to
>> Require approval and then discard all requests.
>
> when you say "discard all requests", is there a way to do that
> automatically? Without email notices to the owner address?
Not really. If you set General Options -> admin_immed_notify to No, there will be only one summary notice per day, and not one per request, and you could modify Mailman's crontab to not run checkdbs or run it less frequently than daily, but the requests will still be there.

There is no automatic discard, but it wouldn't be hard to create a script that discards all outstanding subscription requests for a list (or all lists) and run it daily just before checkdbs runs so checkdbs would have nothing to report.

In fact, if you wanted to be really crude and ignore all requests for a list you could just remove the lists/listname/request.pck file. This would effectively discard all requests. You have to be careful because you don't want to do this if there are held messages because then the message files would be orphaned, but something like the following (adjust list, prefix and var_prefix to suit):

    #! /bin/sh
    # Adjust list, prefix and var_prefix to suit your installation.
    list=LISTNAME
    prefix=/usr/lib/mailman
    var_prefix=/var/lib/mailman
    # Discard every held message for the list first, so the message
    # files are not orphaned when request.pck is removed below.
    ls $var_prefix/data/heldmsg-$list-* | xargs $prefix/bin/discard
    # Removing request.pck drops all remaining pending requests.
    rm $var_prefix/lists/$list/request.pck

would discard all held messages and then discard the remaining subscribe (and unsubscribe if unsubscribe_policy is Yes) requests. You could add this to the crontab to run just before checkdbs, or add $prefix/cron/checkdbs to the end of it and run it instead of checkdbs. That all assumes you might have other lists you want to treat normally.

There are other things you can do as well, but, looking at your original post, I see I didn't fully register the situation. If your Mailman is at least 2.1.16, all you need to do is set

    SUBSCRIBE_FORM_SECRET = 'Some string unique to your site'

in mm_cfg.py, and that attack will no longer work. Doing that requires that for the subscribe to be successful, the URL must contain a token which was generated by the listinfo subscribe form at least 5 seconds and no more than an hour before submission.
The token contains a hash of the secret, the requesting IP, the list name and the time, which means if a bot is going to subscribe, it has to first retrieve the listinfo page to get the token and then wait 5 seconds (which can be configured to be longer by setting SUBSCRIBE_FORM_MIN_TIME in mm_cfg.py) and then submit the request with the token. I don't think the bots have figured it out yet.

-- 
Mark Sapiro <m...@msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

------------------------------------------------------
Mailman-Users mailing list Mailman-Users@python.org
https://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: https://mail.python.org/mailman/options/mailman-users/archive%40jab.org
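The form-token check Mark describes (secret, requesting IP, list name and issue time bound into a token that must be between SUBSCRIBE_FORM_MIN_TIME and one hour old), modelled as an added example. This is not Mailman's own code: the `timestamp:digest` layout, the HMAC-SHA256 construction and the sample secret are assumptions made here, and a deployment must set its own SUBSCRIBE_FORM_SECRET in mm_cfg.py.

```python
import hashlib
import hmac
import time

# Constructed stand-ins for the mm_cfg.py settings named in the thread.
SUBSCRIBE_FORM_SECRET = "example-secret-change-me"  # placeholder, not a real secret
SUBSCRIBE_FORM_MIN_TIME = 5      # seconds the form must have existed (default per thread)
FORM_LIFETIME = 3600             # one hour, the upper bound the thread describes


def _digest(secret, issued, listname, remote_ip):
    # Bind the issue time, list and requesting IP to the site secret.
    # (Assumed construction: Mailman's actual hash differs.)
    msg = f"{issued}|{listname}|{remote_ip}".encode()
    return hmac.new(secret.encode(), msg, hashlib.sha256).hexdigest()


def make_token(listname, remote_ip, now=None, secret=SUBSCRIBE_FORM_SECRET):
    """Token the listinfo page would embed as a hidden form field."""
    issued = int(time.time() if now is None else now)
    return f"{issued}:{_digest(secret, issued, listname, remote_ip)}"


def check_token(token, listname, remote_ip, now=None,
                secret=SUBSCRIBE_FORM_SECRET,
                min_age=SUBSCRIBE_FORM_MIN_TIME, max_age=FORM_LIFETIME):
    """Validate a submitted token; returns (ok, reason)."""
    now = int(time.time() if now is None else now)
    try:
        issued_s, digest = token.split(":", 1)
        issued = int(issued_s)
    except (AttributeError, ValueError):
        return False, "missing or malformed token"
    # Recompute from the server's own secret, list name and observed IP; a
    # token fetched for another list or from another address will not match.
    expected = _digest(secret, issued, listname, remote_ip)
    if not hmac.compare_digest(expected, digest):
        return False, "token does not match secret, list, IP or time"
    age = now - issued
    if age < min_age:
        return False, "form submitted too quickly"   # bot-style instant POST
    if age > max_age:
        return False, "form is too old"              # replayed stale token
    return True, "ok"
```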