Activity log for bug #1082746

| Date | Who | What changed | Old value | New value | Message |
|---|---|---|---|---|---|
| 2012-11-24 22:39:07 | Mark Sapiro | bug | | | added bug |
| 2012-11-24 22:49:56 | Launchpad Janitor | branch linked | | lp:mailman/2.2 | |
| 2012-11-24 22:50:28 | Launchpad Janitor | branch linked | | lp:mailman/2.1 | |
| 2012-11-24 22:52:35 | Mark Sapiro | mailman: status | In Progress | Fix Committed | |
| 2013-07-14 20:51:09 | Mark Sapiro | mailman: status | Fix Committed | Fix Released | |
| 2013-07-14 20:51:09 | Mark Sapiro | mailman: milestone | 2.1.16 | 2.1.16rc1 | |
| 2014-10-02 02:22:12 | Mark Sapiro | description | There are discussions of this in threads at <http://mail.python.org/pipermail/mailman-users/2012-October/074213.html>, <http://mail.python.org/pipermail/mailman-users/2012-October/074278.html> and <http://mail.python.org/pipermail/mailman-users/2012-November/074412.html>. The Mailman developers do not think there is any way to prevent this other than disabling web subscribe entirely, as by definition, subscription requests come from unauthenticated users. However, an attempt will be made to mitigate this by making a site option to include a dynamically generated hidden hash in the subscribe form which will at least require an automated process to first GET and parse the listinfo form immediately prior to POSTing it. | There are discussions of this in threads at <http://mail.python.org/pipermail/mailman-users/2012-October/074213.html>, <http://mail.python.org/pipermail/mailman-users/2012-October/074278.html> and <http://mail.python.org/pipermail/mailman-users/2012-November/074412.html> and a more recent thread at <https://mail.python.org/pipermail/mailman-users/2014-May/076880.html>. The Mailman developers do not think there is any way to prevent this other than disabling web subscribe entirely, as by definition, subscription requests come from unauthenticated users. However, an attempt will be made to mitigate this by making a site option to include a dynamically generated hidden hash in the subscribe form which will at least require an automated process to first GET and parse the listinfo form immediately prior to POSTing it. | |