On Wed, Aug 12, 2015 at 8:36 PM, Phill Twiss <ph...@daa.com.au> wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA256 > > De-lurking > > Hi Rafael and everyone else :}( sorry the cross-post ) > > You should really have captcha's configured for your mailman lists > > Some shady actors out there are using mailman lists to target certain > email addresses. Its a pretty dumb attack, but its annoying :} > > The target will be hit by hundreds ( if not thousands ) of subscribe > confirmation requests. > > We changed to captcha's a month or more ago, we still get an average > of 300 od IP's trying to do this in period of a few hours. > > Keep an eye out in your logfiles for some of the strings below ( they > all seem to try to use the same password ), if you have any issues > with getting captcha's to work properly, drop me an email :} > > Below is an sanitised ( list name and target) entry from the Apache > logs ( the IP is real, screw em :} ) > > 64.234.104.150 - - [13/Aug/2015:08:15:54 +0800] "GET > /mailman/subscribe/<<Sanitised list name >>?email=<< Sanitised_TARGET >>> @YAHOO.COM&fullname=&pw=123456789&pw-conf=123456789&language=en&diges > t=0&email-button=Subscribe > HTTP/1.1" >>> > 301 801 "http://tools.vietche.biz/Boom/" "Mozilla/5.0 > (Windows NT 6.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0"
That's a very old (in Internet Years) Mailman problem that was solved with session cookies in v2.1.16 (16-Oct-2013). If you're still paranoid, and don't want to piss your users off with privacy leaking captcha, then just set up some referer checking in your apache or nginx configs: Apache: # Prevent subscription request spam SetEnvIf Referer lists\.example\.com localreferer <Location /mailman/subscribe> Order deny,allow Deny from all Allow from env=localreferer </Location> Nginx: location /mailman/subscribe { valid_referers server_names; if ($invalid_referer) { return 403; } } -Jim P.