On Sat, Jan 4, 2025 at 5:30 AM David Newman <dnew...@networktest.com> wrote:
> On 1/3/25 5:44 PM, Mark Sapiro wrote:
>
> >> Greetings. On a system running Mailman 3.3.9 and Postfix, I'm seeing
> >> about 20-30 entries per day in the Postfix queue where it appears a
> >> Gmail user signs up for a mailing list that requires confirmation, and
> >> Gmail responds that the user is too busy to handle requests.
> >>
> >> There are no publicly advertised email lists on this server, and I
> >> don't ever see anything in the Mailman logs indicating the user ever
> >> tried signing up.
> >
> > This is an attack mail bombing the user. The requests that result in the
> > can come via web or email. Mailman's logging of subscribes has been
> > missing most events through Mailman 3.3.10. See
> > https://gitlab.com/mailman/mailman/-/issues/1143 which will be fixed in
> > 3.3.11, but subscribes waiting user confirmation still won't be logged.
> >
> > However, the message with subject "Please Confirm Your Email Address"
> > comes from Django allauth so it isn't actually Mailman sending it but
> > rather Django allauth as a result of a request to sign up for a Django
> > account at https://mail.example3.com/accounts/signup/. You can probably
> > find that request in your web server logs, and you may find the user
> > and/or email in the Django admin UI.
>
> Thanks VERY much for this.
>
> No such users in the Django UI, but the web server logs have 252
> attempts from 132 unique IPv4 addresses registered to different ISPs
> throughout Europe.
>
> So, even though Mailman support for more detailed logging of sub and
> unsub requests would be useful, it likely would not have helped with
> attacks from many source IP addresses.
>
> > Since django-mailman3 1.3.6, you can disable these signups by putting
> >
> > ACCOUNT_ADAPTER = 'django_mailman3.views.user_adapter.DisableSignupAdapter'
> >
> > in your Django settings, but then your users won't be able to sign up
> > for web accounts.
>
> I have made this change. As for not having web accounts, this just means
> new users cannot sign up to manage their Mailman settings, correct? I
> presume existing web accounts will continue to work.
>

You could also try this:
https://lists.mailman3.org/archives/list/mailman-users@mailman3.org/message/BVDALGKYI3SUXBEMZMCBLHDMAFRNI7FI/

It really helped in many cases, although with the change you already made,
it becomes a useless effort.

-- 
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
In an Internet failure case, the #1 suspect is a constant: DNS.
"Oh, the cruft.", egrep -v '^$|^.*#' ¯\_(ツ)_/¯ :-)
[How to ask smart questions: http://www.catb.org/~esr/faqs/smart-questions.html]

_______________________________________________
Mailman-users mailing list -- mailman-users@mailman3.org
To unsubscribe send an email to mailman-users-le...@mailman3.org
https://lists.mailman3.org/mailman3/lists/mailman-users.mailman3.org/
Archived at: https://lists.mailman3.org/archives/list/mailman-users@mailman3.org/message/7SFXGTIMBXJEC5OOWBSTOQEZSNUI4RLX/

This message sent to arch...@mail-archive.com
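
The web server log check discussed in the thread (signup requests counted by source address), as an added example that is not part of the original messages or of Mailman or django-allauth. It assumes the Apache/nginx "combined" log format and the `/accounts/signup/` path quoted above; the function names and the sample log lines are constructed for illustration.

```python
import re
from collections import Counter

# Assumption: Apache/nginx "combined" access-log format.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)
SIGNUP_PATH = "/accounts/signup/"  # allauth signup URL path named in the thread

# Constructed sample lines using documentation IP ranges; not real log data.
SAMPLE_LOG = """\
192.0.2.10 - - [03/Jan/2025:10:01:02 +0000] "GET /accounts/signup/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.10 - - [03/Jan/2025:10:01:03 +0000] "POST /accounts/signup/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [03/Jan/2025:10:04:41 +0000] "POST /accounts/signup/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.55 - - [03/Jan/2025:11:12:09 +0000] "POST /accounts/signup/?next=/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [03/Jan/2025:11:30:00 +0000] "POST /accounts/login/ HTTP/1.1" 200 900 "-" "Mozilla/5.0"
203.0.113.55 - - [03/Jan/2025:12:00:00 +0000] "POST /accounts/signup/ HTTP/1.1" 403 120 "-" "Mozilla/5.0"
garbage line that does not parse
"""

def summarize_signups(lines, path=SIGNUP_PATH):
    """Count POSTs to the signup path by client IP, hour and HTTP status."""
    per_ip, per_hour, statuses = Counter(), Counter(), Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue  # unparseable line, or a page view rather than a submission
        if m["path"].split("?", 1)[0] != path:
            continue  # some other endpoint
        per_ip[m["ip"]] += 1
        per_hour[m["ts"][:14]] += 1  # bucket key is "dd/Mon/yyyy:HH"
        statuses[m["status"]] += 1
    return {"attempts": sum(per_ip.values()), "unique_ips": len(per_ip),
            "per_ip": per_ip, "per_hour": per_hour, "statuses": statuses}

def evades_per_ip_limit(summary, limit):
    """True when signups arrived but no single IP reached `limit` requests,
    i.e. a per-IP threshold of that size would never have triggered."""
    return summary["attempts"] > 0 and max(summary["per_ip"].values()) < limit

if __name__ == "__main__":
    s = summarize_signups(SAMPLE_LOG.splitlines())
    print(f"{s['attempts']} signup POSTs from {s['unique_ips']} unique IPs")
    for hour, n in sorted(s["per_hour"].items()):
        print(f"  {hour}:00  {n}")
    print("per-IP limit of 5 would have missed this:", evades_per_ip_limit(s, 5))
```

A low attempts-to-addresses ratio, like the 252 attempts from 132 addresses reported above, is the case where `evades_per_ip_limit` returns true and per-address throttling alone does not stop the confirmation mail.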