On Tue, 12 Jan 2016, Mark Sapiro wrote:

On 01/12/2016 08:18 AM, Rosenbaum, Larry M. wrote:
From the "NEWS" file:

    - There is a new mm_cfg.py setting SUBSCRIBE_FORM_SECRET ...


This is only partially effective against this attack.


Thanks for the info.

Typical of me, I kept looking for a workaround after posting and didn't see this straight away. I will look into SUBSCRIBE_FORM_SECRET.

Meanwhile, I found the bot was evading the address block ban by using other hosts, and have tried adding a simple CAPTCHA based on Apache anonymous authentication. If a user tries to access a mailman script from offsite, they get a 401 rejection and a prompt to log in with a simple username (which changes every hour).



--
Andrew Daviel, TRIUMF, Canada
Tel. +1 (604) 222-7376  (Pacific Time)
Network Security Manager
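
One way to build the kind of gate described in the message above, as an added example that is not part of the original post and not the poster's actual configuration: a Python script, run hourly, that derives the current user name and emits an Apache fragment. Assumed here and not stated in the post: Apache 2.4 with mod_authn_anon loaded, the `/mailman/` path, the `192.0.2.0/24` onsite range, the secret, and showing the word in the login prompt's realm text.

```python
"""Added example: hourly-rotating mod_authn_anon gate for Mailman CGI (Apache 2.4)."""
import hashlib
import hmac
import time

# All values below are assumptions for illustration, not taken from the post.
SECRET = b"replace-with-local-random-bytes"  # keeps the hourly word unpredictable
ONSITE = "192.0.2.0/24"                      # constructed documentation range
CGI_PATH = "/mailman/"                       # common ScriptAlias for Mailman 2.1


def hourly_word(secret: bytes, now: float) -> str:
    """Return a 6-character word that is stable within one clock hour."""
    bucket = str(int(now) // 3600).encode()
    return hmac.new(secret, bucket, hashlib.sha256).hexdigest()[:6]


def render_conf(word: str, onsite: str = ONSITE, path: str = CGI_PATH) -> str:
    """Build the Apache fragment: onsite clients pass, others must type the word."""
    return f"""<Location "{path}">
    AuthType Basic
    # The realm text is what a person sees in the browser's login prompt.
    AuthName "Humans only: enter {word} as the user name, leave password blank"
    AuthBasicProvider anon
    Anonymous {word}
    Anonymous_NoUserID Off
    Anonymous_MustGiveEmail Off
    <RequireAny>
        Require ip {onsite}
        Require valid-user
    </RequireAny>
</Location>
"""


if __name__ == "__main__":
    # Run hourly from cron, write the output to a file pulled in with Include,
    # then reload Apache gracefully so the new word takes effect.
    print(render_conf(hourly_word(SECRET, time.time())))
```

A client that reads the realm text and answers the 401 challenge still gets through, so this gate only stops scripts that do not handle Basic authentication; it does not replace SUBSCRIBE_FORM_SECRET.
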
------------------------------------------------------
Mailman-Users mailing list Mailman-Users@python.org
https://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/