Aditya Jain writes:

 > If I block a particular IP address because some disgruntled person
 > from the organization is trying to brute force, it will block
 > access for other legitimate users from that organization (because
 > they have only one IP dedicated to browsing traffic).

This is a social problem that Mailman ultimately can't solve, and
probably shouldn't try.

 > That is why I was looking for something that can look at the
 > username/email and block the request or show a captcha if the number
 > of failed attempts crosses a certain limit, at the application
 > (Mailman) level.
 >
 > I think this is sounding more like a feature request.

I think this is sounding like a denial-of-service attack on the
legitimate users no matter how you try to defend them. My experience
with such "disgruntled users" is that they don't hesitate to abuse
others' accounts for this purpose. They also are often willing to go
to the trouble of acquiring software to automate captcha-breaking.

Perhaps a per-user login attempt limit would work for you. Each
(ab)user is different. But I don't think it's a good idea for a
supported feature of Mailman; it's too fragile and it would be an
invitation to an endless series of "improvements" as the admins get
into arms races with the rogues.

It might be possible to revisit this in Mailman 3 (when we get a
unified authn/authz story) using a token-based approach where the
token is acquired somewhere that already has a stronger
authentication story. But that will require serious coding.

------------------------------------------------------
Mailman-Users mailing list
[email protected]
https://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: https://mail.python.org/mailman/options/mailman-users/archive%40jab.org
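The per-user login limit discussed in the reply, as an added illustration that is not Mailman's own code: a sliding-window counter keyed on the username, with a constructed scenario showing the lockout side effect the reply warns about (an attacker who burns the limit for "alice" also locks the real alice out until the window expires). The credential store, the fake clock and the limits are assumptions for the demo.

```python
import time
from collections import defaultdict, deque


class PerUserLoginLimiter:
    """Count failed logins per username inside a sliding window and
    refuse further attempts once the limit is reached."""

    def __init__(self, max_failures=5, window_seconds=600, clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window_seconds
        self.clock = clock                      # injectable for deterministic runs
        self.failures = defaultdict(deque)      # username -> failure timestamps

    def _prune(self, user, now):
        q = self.failures[user]
        while q and now - q[0] >= self.window:  # drop failures outside the window
            q.popleft()

    def is_locked(self, user):
        now = self.clock()
        self._prune(user, now)
        return len(self.failures[user]) >= self.max_failures

    def attempt(self, user, password, check_password):
        """Return 'locked', 'ok' or 'bad' for one login attempt."""
        if self.is_locked(user):
            return "locked"                     # refused before the password is even checked
        if check_password(user, password):
            self.failures.pop(user, None)       # a success clears the counter
            return "ok"
        self.failures[user].append(self.clock())
        return "bad"


def demo():
    """Constructed scenario: someone exhausts the limit for 'alice', then
    alice herself is refused with the correct password until the window expires."""
    clock = [1000.0]                            # fake clock, advanced by hand
    limiter = PerUserLoginLimiter(max_failures=5, window_seconds=600,
                                  clock=lambda: clock[0])
    creds = {"alice": "correct horse"}          # constructed sample credential store
    check = lambda u, p: creds.get(u) == p
    attacker = [limiter.attempt("alice", f"guess{i}", check) for i in range(6)]
    victim_now = limiter.attempt("alice", "correct horse", check)
    clock[0] += 600                             # window passes
    victim_later = limiter.attempt("alice", "correct horse", check)
    return attacker, victim_now, victim_later


if __name__ == "__main__":
    print(demo())
```

The sixth bad guess and the victim's correct attempt both come back "locked"; only after the window passes does the real user get "ok", which is exactly the denial-of-service trade-off the reply describes.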
