> From: John <j_p_waterho...@hotmail.com>
> Date: Tue, 16 Jul 2024 19:33:41 +0000

John wrote:
> Hello,
>
> We're running mailman 2.
>
> Quite a few script kiddies and other idiots have figured out that
> they can use our mailman installation to annoy people.

I saw a subscribe flood too on my Mailman2, to sub. all lists on the server. I had assumed it was preparatory to a spam flood later, but it could have been to annoy a 3rd party innocent.

> They bypass the subscribe page directly, and run cgi-bin/subscribe
> directly - many, many times.

I didn't have time to analyse mine.

> We fixed the problem by removing the appropriate executable permission from
> cgi-bin/subscribe and rewriting the list info page to handle subscriptions
> differently. (We removed the Subscribe fields and button.)
>
> While this works, it's inelegant and a bit convoluted.
>
> Is there another way to prevent this, and leave the default info page intact?

A half-baked idea: Hack the mailman install scripts to run a random key generator, & include that random key in the generated html pages & cgi install paths, e.g. cgi-bin/random1234random/subscribe

It would make dumb script attacks a lot more time consuming; smart attack scripts would have to become more complex, adapting per host or list name. Better would be encrypted keys.

I wonder if MM3 has already solved this.

Sorry I have no time to experiment, I'm in mid move.

Cheers,
--
Julian Stacey. http://berklix.org/jhs/mail/ Gmail fails.
http://StolenVotes.UK Arm Ukraine. Contraception V. global warming.
http://nao.org.uk/topics/brexit/ BRoken EXIT: BRitain EXcluded Impacts Trade.
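The "encrypted keys" variant of the random-path idea above, as an added example that is not part of the original message and is not Mailman's own code: instead of a fixed random string baked into the CGI path at install time, the list info page embeds a keyed, time-limited token (an HMAC over the list name and a timestamp under a per-installation secret) in a hidden form field, and the subscribe handler rejects any POST that does not carry a valid, unexpired token. The names `SITE_SECRET`, `formtoken`, `make_token`, `check_token` and `handle_subscribe` are assumptions made for this example, as is the `/mailman/subscribe/<list>` action path; the form body in the usage note is constructed input.

```python
"""Keyed form token for a subscribe CGI (illustrative, not Mailman's mechanism)."""
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs

# Per-installation secret. A real deployment would generate this once at
# install time and keep it outside the web root; generating it at import
# time here is an assumption that keeps the example self-contained.
SITE_SECRET = secrets.token_bytes(32)
TOKEN_TTL = 3600  # seconds a token stays valid (assumed value)


def _mac(listname, ts, secret):
    msg = f"{listname}:{ts}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:32]


def make_token(listname, secret=SITE_SECRET, now=None):
    """Token = '<timestamp>.<hmac>'; bound to the list name and to the secret."""
    ts = int(time.time() if now is None else now)
    return f"{ts}.{_mac(listname, ts, secret)}"


def check_token(listname, token, secret=SITE_SECRET, now=None, ttl=TOKEN_TTL):
    """True only for a well-formed, unexpired token minted for this list."""
    try:
        ts_str, mac = token.split(".", 1)
        ts = int(ts_str)
    except (ValueError, AttributeError):
        return False
    current = int(time.time() if now is None else now)
    if not 0 <= current - ts <= ttl:      # rejects both stale and future tokens
        return False
    # Constant-time comparison so an attacker cannot time their way to a MAC.
    return hmac.compare_digest(_mac(listname, ts, secret), mac)


def render_subscribe_form(listname, secret=SITE_SECRET, now=None):
    """What the list info page would emit: the token rides in a hidden field."""
    token = make_token(listname, secret, now)
    return (
        f'<form method="post" action="/mailman/subscribe/{listname}">\n'
        f'  <input type="hidden" name="formtoken" value="{token}">\n'
        f'  <input type="text" name="email">\n'
        f'  <input type="submit" value="Subscribe">\n'
        f'</form>\n'
    )


def handle_subscribe(listname, body, secret=SITE_SECRET, now=None):
    """Subscribe CGI entry point: returns (http_status, message) for a POST body."""
    fields = parse_qs(body)
    token = fields.get("formtoken", [""])[0]
    if not check_token(listname, token, secret, now):
        # A script that hits the CGI directly, without first loading the
        # form, never has a valid token and is refused here.
        return 403, "missing or invalid form token"
    email = fields.get("email", [""])[0]
    if "@" not in email:
        return 400, "malformed address"
    # Real code would queue the confirmation mail; the message stands in for it.
    return 200, f"confirmation request sent to {email}"


if __name__ == "__main__":
    print(render_subscribe_form("test-list"))
    tok = make_token("test-list")
    print(handle_subscribe("test-list", "email=a%40example.org"))
    print(handle_subscribe("test-list", f"email=a%40example.org&formtoken={tok}"))
```

This stops the blind `cgi-bin/subscribe` replays described in the thread, and because the token is keyed rather than a fixed path component, nothing useful leaks if one generated page is scraped. It does not stop a script that fetches the form first and then posts with the token it was given; for that, rate limiting or a confirmation step is still needed, so the token is a filter for dumb scripts, not a complete defence.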
------------------------------------------------------
Mailman-Users mailing list -- mailman-users@python.org
To unsubscribe send an email to mailman-users-le...@python.org
https://mail.python.org/mailman3/lists/mailman-users.python.org/
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: https://www.mail-archive.com/mailman-users@python.org/
https://mail.python.org/archives/list/mailman-users@python.org/
Member address: arch...@jab.org