[gnome.org #14086] spam subscription requests



On Thu Jan 09 08:20:26 2014, fpeters gnome org wrote:

Would it be possible to automatically discard subscription requests
from emails that are already in the queue?

I've been digging a bit into this recently, but it seems Mailman not including a captcha on the subscription
form has been the cause of the huge spam we're receiving lately. Subscribing to a mailing list is as easy as
sending a POST to one of the hosted mailing lists and providing a fake email and password and triggering the
subscription process. This obviously can be achieved by generating multiple POST requests with a bot that
generates a fake email and a random password and connects to our Mailman installation.

After a first look at the configuration of the release-team mailing list, it seems 'subscription_policy' is
set to be 'Approval', which means you will be triggered by any fraudulent subscription request the list will
receive. Given the bots won't be able to verify their confirmation email, moving the subscription_policy to
'Confirm and Approve' will fix the problem for the list. I did the change myself now; hopefully Mailman 3
will bring some more tools to prevent these kinds of issues.

-- 
Andrea,
GNOME Sysadmin
GNOME Accounts Team
GNOME Membership & Elections Committee Chairman


----------------------------------------------------
This message was sent via GNOME.org Request Tracker.
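
Added example (not part of the original message or of GNOME's tooling): a way to spot the automated subscription POSTs described above by counting, per source address and list, how many subscribe requests arrive within a short window. The /mailman/subscribe/<list> path, the Combined Log Format, the threshold and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Combined Log Format; the /mailman/subscribe/<list> path is an assumption
# about how the Mailman 2 subscribe CGI is mounted on the web server.
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"POST /mailman/subscribe/(?P<list>[^ /?"]+)[^"]*" (?P<status>\d{3}) '
)

# Constructed sample input (documentation IP ranges, invented timestamps).
SAMPLE_LOG = [
    '192.0.2.10 - - [09/Jan/2014:08:00:01 +0000] "POST /mailman/subscribe/release-team HTTP/1.1" 200 2104',
    '192.0.2.10 - - [09/Jan/2014:08:00:03 +0000] "POST /mailman/subscribe/release-team HTTP/1.1" 200 2104',
    '198.51.100.7 - - [09/Jan/2014:08:00:04 +0000] "GET /mailman/listinfo/release-team HTTP/1.1" 200 5120',
    '192.0.2.10 - - [09/Jan/2014:08:00:05 +0000] "POST /mailman/subscribe/release-team HTTP/1.1" 200 2104',
    '192.0.2.10 - - [09/Jan/2014:08:00:06 +0000] "POST /mailman/subscribe/release-team HTTP/1.1" 200 2104',
    '198.51.100.7 - - [09/Jan/2014:08:05:00 +0000] "POST /mailman/subscribe/release-team HTTP/1.1" 200 2104',
    '198.51.100.7 - - [09/Jan/2014:08:30:00 +0000] "POST /mailman/subscribe/release-team HTTP/1.1" 200 2104',
]

def subscribe_bursts(lines, threshold=3, window=timedelta(minutes=1)):
    """Return {(ip, list): peak_count} for sources that sent at least
    `threshold` subscribe POSTs to one list within `window`.
    Assumes the log lines are in chronological order."""
    recent = defaultdict(deque)   # (ip, list) -> timestamps inside the window
    peaks = {}
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue              # not a subscribe POST, or an unparsable line
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        key = (m["ip"], m["list"])
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window:  # drop requests that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            peaks[key] = max(peaks.get(key, 0), len(q))
    return peaks

if __name__ == "__main__":
    for (ip, name), peak in subscribe_bursts(SAMPLE_LOG).items():
        print(f"{ip} sent {peak} subscribe POSTs to {name} within one minute")
```

A human subscriber posts the form once, so repeated POSTs from one address to the same list inside a minute are a reasonable signal to rate-limit or review; tune the threshold and window to the site's real traffic.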

