On Thu, Dec 22, 2016 at 6:26 PM, Mark Sapiro <m...@msapiro.net> wrote:
> On 12/22/2016 03:01 PM, Jim Popovitch wrote:
>>
>> I think I have a better solution, (but I'm not so sure how to do this
>> in Apache). In Nginx you can use "limit_except PUT { deny all; }"
>> to deny the spambot GET attempts.
>
> in apache 2.4 you would do
>
> <LimitExcept PUT>
>     Require all denied
> </LimitExcept>
> Require all granted
>
> but how does this help? No one, including bots GETs the subscribe CGI,
> and subscription is via POST, not PUT.

Indeed, POST, not PUT. I have POST in my config, but the docs that I saw (which I copied to here) used PUT.

> The scenario is the same for bots and humans. GET the listinfo CGI with
> the hidden token and then POST the form to the subscribe CGI. I don't
> see how you can block one without blocking the other.

I'm seeing GET attempts like this:

77.247.181.165 - - [22/Dec/2016:23:30:10 +0000] "GET /subscribe/users?sub_form_token=1527449307%3A44440ca6e66379d0e6e9c45b66d93d5864da4621&email=jconno2215%40gmail.com&fullname=585c61c234d98&pw=&pw-conf=&digest=1&email-button=jconno2215%40gmail.com&language=en&?sub_form_token=1527449307%3A44440ca6e66379d0e6e9c45b66d93d5864da4621&email=jconno2215%40gmail.com&fullname=585c61c234d98&pw=&pw-conf=&digest=1&email-button=jconno2215%40gmail.com&language=en&&sub_form_token=1527449307%3A44440ca6e66379d0e6e9c45b66d93d5864da4621&email=jconno2215%40gmail.com&fullname=585c61c234d98&pw=&pw-conf=&digest=1&email-button=jconno2215%40gmail.com&language=en& HTTP/1.1" 404 162 "http://netcoolusers.org/" "Mozilla/5.0 (Windows NT 5.1; rv:7.0.1) Gecko/20100101 Firefox/7.0.1"

Although those are failing because they are hitting /subscribe, if they ever tweak the bots it could get ugly fast without some mitigation.

-Jim P.
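Added example, not part of the original message or of Mailman: a log check for the pattern shown above, a GET to a subscribe path with the subscription form's fields in the query string. It assumes combined-format access logs; the sample lines and the /mailman/subscribe path in them are constructed.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Combined Log Format prefix: ip ident user [time] "METHOD target PROTO" status
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

# Fields the subscribe form normally sends in a POST body (names taken from
# the logged request); finding them in a GET query string is the signal.
FORM_FIELDS = {"sub_form_token", "email", "fullname", "pw", "pw-conf", "digest"}

def suspicious_get(line, path_marker="/subscribe"):
    """Return (ip, status) for a GET to a subscribe path that carries the
    form fields in its query string, else None."""
    m = LOG_RE.match(line)
    if not m or m["method"] != "GET":
        return None
    url = urlsplit(m["target"])
    if path_marker not in url.path:
        return None
    fields = set(parse_qs(url.query, keep_blank_values=True))
    if "sub_form_token" in fields and len(fields & FORM_FIELDS) >= 2:
        return m["ip"], int(m["status"])
    return None

def summarize(lines):
    """Count flagged GETs per client IP: 'missed' = 404, 'reached' = anything else."""
    hits = Counter()
    for line in lines:
        found = suspicious_get(line)
        if found:
            ip, status = found
            hits[(ip, "missed" if status == 404 else "reached")] += 1
    return hits

# Constructed sample lines (documentation IPs, made-up tokens).
SAMPLE = [
    '192.0.2.10 - - [22/Dec/2016:23:30:10 +0000] "GET /subscribe/users?sub_form_token=1%3Aabc&email=a%40example.com&digest=1 HTTP/1.1" 404 162 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [22/Dec/2016:23:30:12 +0000] "GET /mailman/subscribe/users?sub_form_token=1%3Aabc&email=a%40example.com HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [22/Dec/2016:23:31:00 +0000] "GET /mailman/listinfo/users HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [22/Dec/2016:23:31:20 +0000] "POST /mailman/subscribe/users HTTP/1.1" 200 700 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for (ip, outcome), n in sorted(summarize(SAMPLE).items()):
        print(ip, outcome, n)
```

A "reached" count above zero means the GETs are no longer landing on a 404, which is the point at which a method restriction on the subscribe location starts to matter.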