On Tue, 12 Jan 2016, Mark Sapiro wrote:
> On 01/12/2016 08:18 AM, Rosenbaum, Larry M. wrote:
>> From the "NEWS" file:
>> - There is a new mm_cfg.py setting SUBSCRIBE_FORM_SECRET ...
>
> This is only partially effective against this attack.

Thanks for the info.
Typical of me, I kept looking for a workaround after posting and didn't
see this straight away. I will look into SUBSCRIBE_FORM_SECRET.
Meanwhile, I found the bot was evading the address block ban by using
other hosts, and have tried adding a simple CAPTCHA based on Apache anonymous
authentication. If a user tries to access a mailman script from offsite,
they get a 401 rejection and a prompt to log in with a simple username
(which changes every hour).
--
Andrew Daviel, TRIUMF, Canada
Tel. +1 (604) 222-7376 (Pacific Time)
Network Security Manager
------------------------------------------------------
Mailman-Users mailing list Mailman-Users@python.org