On Thu, Dec 22, 2016 at 4:53 PM, Jim Popovitch <[email protected]> wrote:
> On Tue, Dec 13, 2016 at 12:35 PM, Mark Sapiro <[email protected]> wrote:
>>
>> Steve has answered most of this. I just want to add a couple of things.
>> With respect to web subscribes, several sites including python.org have
>> seen mail bomb attacks via the web subscribe interface.
>>
>> These are subscribes via the web UI by distributed bots that are "smart"
>> enough to GET the form and delay tens of seconds before POSTing it. The
>> most recent attacks have been multiple subscribes to multiple lists of
>> some gmail.com address with various permutations of dots (ignored by
>> gmail) interspersed in the local part. The most recent attack on
>> mail.python.org subscribed addresses that matched
>>
>> '^.*s\.*u\.*n\.*i\.*b\.*e\.*e\.*s\.*t\.*a\.*r\.*s.*@gmail\.com
>
> I know the GLOBAL_BAN_LIST is for email addrs, but what would it take
> to implement the same (or some field validation logic) for the
> "fullname" field of the subscription page. I'm still seeing a ton of
> subscribe spam attempts, and the fullname field is consistently not a
> text name.
>
I think I have a better solution (but I'm not so sure how to do this
in Apache). In Nginx you can use "limit_except PUT { deny all; }"
to deny the spambot GET attempts.
-Jim P.
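As an added illustration of the two ideas in this thread (not code from the thread, from Mailman, or from python.org), the following Python shows how the dot-permutation trick defeats a plain address ban list and how collapsing the dots lets a burst of bot subscribes be grouped into one mailbox. The regex is the one Mark quoted; its trailing `$` anchor, case-insensitive matching, and the folding of a `+tag` suffix (which the thread does not mention) are assumptions of this example, and the sample addresses are constructed.

```python
import re

# Pattern quoted in the thread for the mail.python.org attack. The page shows
# no closing anchor; the '$' and IGNORECASE flag are assumptions of this example.
SUNIBEESTARS_RE = re.compile(
    r'^.*s\.*u\.*n\.*i\.*b\.*e\.*e\.*s\.*t\.*a\.*r\.*s.*@gmail\.com$',
    re.IGNORECASE,
)


def matches_ban_pattern(addr, pattern=SUNIBEESTARS_RE):
    """True when the address matches the ban-list style regex."""
    return pattern.search(addr) is not None


def canonical_gmail(addr):
    """Collapse the dot permutations gmail ignores so every variant of one
    mailbox maps to a single string. Also drops a '+tag' suffix (an
    assumption beyond the thread; gmail delivers those to the base mailbox)."""
    local, sep, domain = addr.rpartition('@')
    if not sep:
        return addr.lower()
    domain = domain.lower()
    if domain == 'gmail.com':
        local = local.replace('.', '').split('+', 1)[0]
    return f"{local.lower()}@{domain}"


# Constructed sample of what a run of web-subscribe requests might contain.
SAMPLE_REQUESTS = [
    "sunibeestars@gmail.com",
    "s.uni.bee.stars@gmail.com",
    "su.ni.be.es.ta.rs@gmail.com",
    "S.U.N.I.B.E.E.S.T.A.R.S@GMAIL.COM",
    "alice@example.org",
    "sunibeestars+list1@gmail.com",
]


def group_by_canonical(addrs):
    """Map each canonical mailbox to the raw addresses that collapse to it."""
    groups = {}
    for a in addrs:
        groups.setdefault(canonical_gmail(a), []).append(a)
    return groups


def suspicious_bursts(addrs, threshold=3):
    """Canonical mailboxes seen at least `threshold` times: one real target
    hiding behind many dotted spellings is the signature described above."""
    return {k: v for k, v in group_by_canonical(addrs).items()
            if len(v) >= threshold}


if __name__ == "__main__":
    for a in SAMPLE_REQUESTS:
        print(f"{a:40} ban-regex={matches_ban_pattern(a)!s:5} "
              f"canonical={canonical_gmail(a)}")
    print(suspicious_bursts(SAMPLE_REQUESTS))
```

A ban list keyed on the canonical form needs one entry per real mailbox instead of a regex per attack, and the burst count is a simple signal to feed a rate limit on the subscribe form regardless of which dotted spelling each request uses.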
------------------------------------------------------
Mailman-Users mailing list [email protected]
https://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe:
https://mail.python.org/mailman/options/mailman-users/archive%40jab.org