[Mailman-Users] Re: Hackers subscribing lots of people

2024-07-18 Thread Juergen Dollinger
John wrote:
> Quite a few script kiddies and other idiots have figured out that they can 
> use our mailman installation to annoy people. They bypass the subscribe page 
> directly, and run cgi-bin/subscribe directly - many, many times.
> 

Did you try setting SUBSCRIBE_FORM_SECRET in /etc/mailman/mm_cfg.py ?

-- 
\ J. Dollinger FAW/n Ulm |zeitnot@irc| http://www.home.pages.de/~zeitnot/
 \"What're quantum mechanics?"   --   "I don't know. People who/
  \repair quantums, I suppose." (Terry Pratchett, Eric)   /
--
Mailman-Users mailing list -- mailman-users@python.org
To unsubscribe send an email to mailman-users-le...@python.org
https://mail.python.org/mailman3/lists/mailman-users.python.org/
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: https://www.mail-archive.com/mailman-users@python.org/
https://mail.python.org/archives/list/mailman-users@python.org/
Member address: arch...@mail-archive.com
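As an added illustration that is not Mailman's own code, this sketch shows the kind of protection a subscribe-form secret gives against the direct-to-CGI flood described in the thread: the list-info page embeds an HMAC token bound to a timestamp, the list name and the client IP, and the subscribe handler refuses requests that carry no valid token or arrive faster than a person could fill in the form. The secret value, the hidden field name `token`, and the minimum and maximum ages are assumptions for the example; Mailman's real hashing details may differ.

```python
import hmac
import hashlib
import time

# Assumed stand-in for the value an admin would configure as the form secret.
FORM_SECRET = b"replace-with-a-long-random-secret"
MIN_AGE = 5      # seconds: a form posted back faster than a human could fill it is rejected
MAX_AGE = 3600   # seconds: tokens expire so a captured form cannot be replayed forever

def make_token(listname, remote_ip, now=None):
    """Render-time side: return 'timestamp:mac' to embed as a hidden form field."""
    ts = str(int(now if now is not None else time.time()))
    msg = f"{ts}:{listname}:{remote_ip}".encode()
    mac = hmac.new(FORM_SECRET, msg, hashlib.sha256).hexdigest()
    return f"{ts}:{mac}"

def check_token(token, listname, remote_ip, now=None):
    """Submit-time side: return (ok, reason); the handler calls this before anything else."""
    now = now if now is not None else time.time()
    try:
        ts_str, mac = token.split(":", 1)
        ts = int(ts_str)
    except (ValueError, AttributeError):
        return False, "malformed token"       # missing field or a bot-generated token
    msg = f"{ts_str}:{listname}:{remote_ip}".encode()
    expected = hmac.new(FORM_SECRET, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return False, "bad signature"          # token forged, or copied from another list/IP
    age = now - ts
    if age < MIN_AGE:
        return False, "submitted too fast"     # scripted submit, not a human filling the form
    if age > MAX_AGE:
        return False, "token expired"
    return True, "ok"

def handle_subscribe(form, listname, remote_ip, now=None):
    """What the subscribe CGI would do with the posted form fields (a dict here)."""
    ok, reason = check_token(form.get("token"), listname, remote_ip, now)
    if not ok:
        return {"status": "rejected", "reason": reason}
    return {"status": "pending confirmation", "email": form["email"]}
```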


[Mailman-Users] Re: Hackers subscribing lots of people

2024-07-17 Thread Julian H. Stacey
> From: John 
> Date: Tue, 16 Jul 2024 19:33:41 +

John wrote:
> 
> Hello,
>
> We're running mailman 2.
>
> Quite a few script kiddies and other idiots have figured out that
> they can use our mailman installation to annoy people.

I saw a subscribe flood too on my Mailman2, to sub. all lists on server,
I had assumed it was preparatory to a spam flood later,
but it could have been to annoy a 3rd party innocent.


> They bypass the subscribe page directly, and run cgi-bin/subscribe
> directly - many, many times.

I didn't have time to analyse mine.


> We fixed the problem by removing the appropriate executable permission from 
> cgi-bin/subscribe and rewriting the list info page to handle subscriptions 
> differently. (We removed the Subscribe fields and button.)
>
> While this works, it's inelegant and a bit convoluted.
>
> Is there another way to prevent this, and leave the default info page intact?

A half baked idea:
  Hack the mailman install scripts to run a random key generator,
  & that random key include in generated html pages & cgi install paths
  eg cgi-bin/random1234random/subscribe 
  It would make dumb script attacks a lot more time consuming,
  smart attack scripts would have to become more complex, adapting per host
  or list name.

Better would be encrypted keys.

I wonder if MM3 has already solved this.

Sorry I have no time to experiment, I'm in mid move.

Cheers,
-- 
Julian Stacey.  http://berklix.org/jhs/mail/Gmail fails.
http://StolenVotes.UK   Arm Ukraine.   Contraception V. global warming.
http://nao.org.uk/topics/brexit/ BRoken EXIT: BRitain EXcluded Impacts Trade.