It is possible to mailbomb a third party by repeatedly posting the subscribe form.

Bug #1859104 reported by Mark Sapiro on 2020-01-10
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
GNU Mailman
Medium
Mark Sapiro

Bug Description

This can be prevented by refusing to pend a subscription when one is already pending, but that means if a subscriber loses or doesn't receive the confirmation request email, she has to wait PENDING_REQUEST_LIFE (default 3 days) before she can request another.

It can also be avoided by setting the list's subscribe_policy to Moderate, but that may not be desirable in many cases.

Because of these considerations, I will implement the refusal to pend a subscription when one is already pending, but make that depend on a new REFUSE_SECOND_PENDING mm_cfg.py setting.

Related branches

Mark Sapiro (msapiro) on 2020-01-10
Changed in mailman:
status: In Progress → Fix Committed
Mark Sapiro (msapiro) on 2020-01-12
Changed in mailman:
status: Fix Committed → Fix Released
assignee: nobody → Mark Sapiro (msapiro)
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers