> From:         John <j_p_waterho...@hotmail.com>
> Date:         Tue, 16 Jul 2024 19:33:41 +0000

John wrote:
> 
> Hello,
>
> We're running mailman 2.
>
> Quite a few script kiddies and other idiots have figured out that
> they can use our mailman installation to annoy people.

I saw a subscribe flood too on my Mailman2, to sub. all lists on server,
I had assumed it was preparatory to a spam flood later,
but it could have been to annoy a 3rd party innocent.


> They bypass the subscribe page directly, and run cgi-bin/subscribe
> directly - many, many times.

I didnt have time to analyse mine.


> We fixed the problem by removing the appropriate executable permission from 
> cgi-bin/subscribe and rewriting the list info page to handle subscriptions 
> differently. (We removed the Subscribe fields and button.)
>
> While this works, it's inelegant and a bit convoluted.
>
> Is there another way to prevent this, and leave the default info page intact?

A half baked idea:
  Hack the mailman install scripts to rum a random key generator,
  & that random key include in generated html pages & cgi install paths
  eg cgi-bin/random1234random/subscribe 
  It would make dumb script attacks a lot more time comsuming,
  smart attack scripts would have to become more complex, adapting per host
  or list name.

Better would be encrypted keys.

I wonder if MM3 have already solved this.

Sorry I have no time to experiment, I'm in mid move.

Cheers,
-- 
Julian Stacey.          http://berklix.org/jhs/mail/    Gmail fails.
http://StolenVotes.UK   Arm Ukraine.   Contraception V. global warming.
http://nao.org.uk/topics/brexit/ BRoken EXIT: BRitain EXcluded Impacts Trade.
------------------------------------------------------
Mailman-Users mailing list -- mailman-users@python.org
To unsubscribe send an email to mailman-users-le...@python.org
https://mail.python.org/mailman3/lists/mailman-users.python.org/
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: https://www.mail-archive.com/mailman-users@python.org/
    https://mail.python.org/archives/list/mailman-users@python.org/
Member address: arch...@jab.org

Reply via email to