GNU Mailman

Automated processes can swamp a list with web subscription requests.

Bug #1082746 reported by Mark Sapiro on 2012-11-24

This bug affects 2 people

Affects		Status	Importance	Assigned to	Milestone
	GNU Mailman	Fix Released	Medium	Mark Sapiro	GNU Mailman 2.1.16rc1

Bug Description

There are discussions of this in threads at <http://mail.python.org/pipermail/mailman-users/2012-October/074213.html>, <http://mail.python.org/pipermail/mailman-users/2012-October/074278.html> and <http://mail.python.org/pipermail/mailman-users/2012-November/074412.html> and a more recent thread at <https://mail.python.org/pipermail/mailman-users/2014-May/076880.html>.

The Mailman developers do not think there is any way to prevent this other that disabling web subscribe entirely, as by definition, subscription requests come from unauthenticated users.

However, an attempt will be made to mitigate this by making a site option to include a dynamically generated hidden hash in the subscribe form which will at least require an automated process to first GET and parse the listinfo form immediately prior to POSTing it.

See original description

Related branches

lp:mailman/2.2

lp:mailman/2.1

Mark Sapiro (msapiro) on 2012-11-24

Changed in mailman:
status:	In Progress → Fix Committed

Mark Sapiro (msapiro) on 2013-07-14

Changed in mailman:
milestone:	2.1.16 → 2.1.16rc1
status:	Fix Committed → Fix Released

Revision history for this message

Charles Peters II (cp) wrote on 2013-09-16:

Would you please allow us to configure this on a per list basis?

Revision history for this message

Mark Sapiro (msapiro) wrote on 2013-09-17:

Can you please explain why you want to configure this per-list.

Revision history for this message

Charles Peters II (cp) wrote on 2013-09-20:

Because only one of our lists is being attacked with bots. This would allow us to not break the subscription forms that are hosted on other sites.

Revision history for this message

Mark Sapiro (msapiro) wrote on 2013-09-20:

I suspect it will only be a matter of time before other lists are attacked too, especially since they have subscribe forms on other sites.

A proper implementation would include modifying the list admin GUI to maintain a list attribute to control this, but I don't intend to do that.

You can patch Mailman/Cgi/listinfo.py at about line 188 and Mailman/Cgi/subscribe.py at about line 125 as follows:

in each of those places, replace the line

if mm_cfg.SUBSCRIBE_FORM_SECRET:

with the 5 lines

    try:
        _switch = mlist.hash_subscribe
    except AttributeError:
        _switch = False
    if mm_cfg.SUBSCRIBE_FORM_SECRET and _switch:

(if it isn't clear, the 1st, 3rd and 5th lines are indented 4 spaces and the 2nd and 4th lines are indented 8 spaces.)

Then you can use bin/config_list with input

mlist.hash_subscribe = True

to set this for a list. Those lists for which mlist.hash_subscribe exists and is True will require the hidden hash in the subscribe form. Other lists will not. You silll need to set SUBSCRIBE_FORM_SECRET in mm_cfg.py.

Mark Sapiro (msapiro) on 2014-10-02

description:

updated

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.