On 6/13/18 6:52 PM, Bob Friesenhahn wrote:
> On Wed, 13 Jun 2018, Jeffrey Schiller wrote:
>> Would limiting subscription requests to one per day help? I'm familiar
>> with the Mailman code, having modified it for use at MIT, and can code
>> the necessary changes. I suspect only one file would need to be changed.
> The problem is knowing what "one" means. The subscription request is
> likely submitted via http/https into the web form and using a bogus
> email subscription address (of the "victim"). A botnet is able to
> submit these requests from hundreds of IP addresses.
> If mailman supports subscription requests via SMTP email (I don't
> remember that it does), then the problem is worse.
> If only one new subscription is allowed on the list per day, then
> there is a trivial DOS (no new valid subscriptions are possible) as
> soon as the one daily subscription has been consumed.
Mailman does allow for email subscriptions, which has the same risks of

Where one-subscription limits could help is that it should be possible
for Mailman to allow there to be only one pending subscription for a
given email address (and these by default expire after 3 days), so if
the botnet is spamming the subscription address, the victim gets just
one email every 3 days.

It should also be possible to log these IP addresses, and excessive
requests could trigger fail2ban to block that IP address for a while.
sqlite-users mailing list
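The two mitigations discussed above, as an added example that is not part of the thread and not Mailman's own code: a guard that keeps at most one pending confirmation per address (expiring after 3 days) and counts requests per source IP so that excessive ones can be blocked, the way a fail2ban jail would act on the logged lines. The class and function names, the thresholds, and the sample traffic in simulate() are all assumptions constructed for this example; the thresholds are named after fail2ban's findtime/maxretry/bantime but are not read from any fail2ban config.

```python
# Added example (not Mailman's own code): one pending confirmation per
# address with a 3-day expiry, plus a per-IP request counter in the spirit
# of fail2ban.  Names, thresholds and the traffic in simulate() are assumed.
from collections import defaultdict
from datetime import datetime, timedelta

PENDING_TTL = timedelta(days=3)      # assumed: lifetime of a pending confirmation
IP_FINDTIME = timedelta(minutes=10)  # assumed: like fail2ban's findtime
IP_MAXRETRY = 5                      # assumed: like fail2ban's maxretry
IP_BANTIME = timedelta(hours=1)      # assumed: like fail2ban's bantime


class SubscriptionGuard:
    def __init__(self):
        self.pending = {}              # address -> expiry of its pending confirmation
        self.hits = defaultdict(list)  # ip -> timestamps of recent requests
        self.banned = {}               # ip -> time the ban lifts
        self.log = []                  # one line per request, for a fail2ban filter

    def request(self, address, ip, now):
        """Handle one subscribe request; return 'sent', 'pending' or 'banned'."""
        address = address.strip().lower()
        self.log.append(f"{now:%Y-%m-%d %H:%M:%S} subscribe from={ip} address={address}")

        # A banned IP is dropped silently: no confirmation mail goes out.
        if ip in self.banned and now < self.banned[ip]:
            return "banned"
        self.banned.pop(ip, None)

        # Sliding window per IP: more than IP_MAXRETRY hits inside IP_FINDTIME
        # bans the IP.  A botnet with one request per IP never trips this.
        recent = [t for t in self.hits[ip] if now - t < IP_FINDTIME]
        recent.append(now)
        self.hits[ip] = recent
        if len(recent) > IP_MAXRETRY:
            self.banned[ip] = now + IP_BANTIME
            return "banned"

        # One outstanding confirmation per address: a repeat inside the TTL
        # sends nothing, so a flooded victim sees at most one mail per TTL.
        expiry = self.pending.get(address)
        if expiry is not None and now < expiry:
            return "pending"
        self.pending[address] = now + PENDING_TTL
        return "sent"


def simulate():
    """Constructed traffic: a distributed flood against one victim address,
    the same victim again after the TTL, and one noisy host.
    Returns the outcome counts per phase."""
    g = SubscriptionGuard()
    t0 = datetime(2018, 6, 13, 18, 52, 0)
    out = {}

    # Phase 1: 250 bot IPs, one request each, all naming the same victim.
    # Per-IP limits never trigger; the per-address pending limit does.
    flood = defaultdict(int)
    for i in range(250):
        flood[g.request("victim@example.org", f"203.0.113.{i}",
                        t0 + timedelta(seconds=i))] += 1
    out["flood"] = dict(flood)

    # Phase 2: the victim address again just after the 3-day expiry: one more mail.
    out["after_ttl"] = g.request("victim@example.org", "203.0.113.9",
                                 t0 + PENDING_TTL + timedelta(seconds=1))

    # Phase 3: a single host fires 8 requests for 8 addresses in 8 seconds.
    noisy = defaultdict(int)
    t1 = t0 + timedelta(days=10)
    for j in range(8):
        noisy[g.request(f"user{j}@example.net", "198.51.100.7",
                        t1 + timedelta(seconds=j))] += 1
    out["noisy_host"] = dict(noisy)
    return out


if __name__ == "__main__":
    for phase, result in simulate().items():
        print(phase, result)
```

The point the two phases make against each other: the distributed flood is untouched by IP counting (one hit per IP) and is stopped only by the per-address pending limit, while the single noisy host is exactly what an IP counter or a fail2ban jail reading the "subscribe from=..." lines catches. Neither limit introduces the list-wide DoS of a global one-per-day cap, since a new, unrelated address from an unbanned IP is still accepted at any time.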