[gnome.org #14086] spam subscription requests

On Thu Jan 09 08:20:26 2014, fpeters gnome org wrote:

Would it be possible to automatically discard subscription requests
from emails that are already in the queue?

I've been digging a bit about this recently but seems Mailman not including a captcha on the subscription 
form has been the cause of the huge spam we're receiving lately. Subscribing to a mailing list is as easy as 
sending a POST to one of the hosted mailing lists and providing a fake email and password and triggering the 
subscription process. This obviously can be achieved by generating multiple POST requests with a bot that 
generates a fake email and a random password and connects to our mailman installation.

After a first look at the configuration of the release-team mailing list it seems 'subscription_policy' is 
set to be 'Approval' which means you will be triggered by any fraudolent subscription request the list will 
receive. Given the bots won't be able to verify their confirmation email moving the subscription_policy to 
'Confirm and Approve' will fix the problem for the list. I did the change myself now, hopefully Mailman 3 
will bring some more tools to prevent these kind of issues.

GNOME Sysadmin
GNOME Accounts Team
GNOME Membership & Elections Committee Chairman

This message was sent via GNOME.org Request Tracker.

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]