Automated processes can swamp a list with web subscription requests.

Bug #1082746 reported by Mark Sapiro
10
This bug affects 2 people
Affects Status Importance Assigned to Milestone
GNU Mailman
Fix Released
Medium
Mark Sapiro

Bug Description

There are discussions of this in threads at <http://mail.python.org/pipermail/mailman-users/2012-October/074213.html>, <http://mail.python.org/pipermail/mailman-users/2012-October/074278.html> and <http://mail.python.org/pipermail/mailman-users/2012-November/074412.html> and a more recent thread at <https://mail.python.org/pipermail/mailman-users/2014-May/076880.html>.

The Mailman developers do not think there is any way to prevent this other that disabling web subscribe entirely, as by definition, subscription requests come from unauthenticated users.

However, an attempt will be made to mitigate this by making a site option to include a dynamically generated hidden hash in the subscribe form which will at least require an automated process to first GET and parse the listinfo form immediately prior to POSTing it.

Related branches

Mark Sapiro (msapiro)
Changed in mailman:
status: In Progress → Fix Committed
Mark Sapiro (msapiro)
Changed in mailman:
milestone: 2.1.16 → 2.1.16rc1
status: Fix Committed → Fix Released
Revision history for this message
Charles Peters II (cp) wrote :

Would you please allow us to configure this on a per list basis?

Revision history for this message
Mark Sapiro (msapiro) wrote :

Can you please explain why you want to configure this per-list.

Revision history for this message
Charles Peters II (cp) wrote :

Because only one of our lists is being attacked with bots. This would allow us to not break the subscription forms that are hosted on other sites.

Revision history for this message
Mark Sapiro (msapiro) wrote :

I suspect it will only be a matter of time before other lists are attacked too, especially since they have subscribe forms on other sites.

A proper implementation would include modifying the list admin GUI to maintain a list attribute to control this, but I don't intend to do that.

You can patch Mailman/Cgi/listinfo.py at about line 188 and Mailman/Cgi/subscribe.py at about line 125 as follows:

in each of those places, replace the line

    if mm_cfg.SUBSCRIBE_FORM_SECRET:

with the 5 lines

    try:
        _switch = mlist.hash_subscribe
    except AttributeError:
        _switch = False
    if mm_cfg.SUBSCRIBE_FORM_SECRET and _switch:

(if it isn't clear, the 1st, 3rd and 5th lines are indented 4 spaces and the 2nd and 4th lines are indented 8 spaces.)

Then you can use bin/config_list with input

mlist.hash_subscribe = True

to set this for a list. Those lists for which mlist.hash_subscribe exists and is True will require the hidden hash in the subscribe form. Other lists will not. You silll need to set SUBSCRIBE_FORM_SECRET in mm_cfg.py.

Mark Sapiro (msapiro)
description: updated
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers