Limit number of subscribe requests in a period

Bug #266323 reported by Eric-black
Affects: GNU Mailman
Status: New
Importance: Medium
Assigned to: Unassigned
Milestone: (none)

Bug Description

Add limits (number of requests in a day, and minimum
number of days before resetting the counter) to the
number of subscribe requests for an email address.
Defaults would be 1 request in 1 day.

This is needed to prevent malicious mailbombing of an
innocent victim by someone repeatedly submitting their
address. Currently the victim gets the verify.txt
template email for each submission.

[http://sourceforge.net/tracker/index.php?func=detail&aid=1448537&group_id=103&atid=100103]

Revision history for this message
Eric-black (eric-black) wrote :

BTW, I've been running 2.1.5 with this problem, and 2.1.7
still exhibits the vulnerability.

Revision history for this message
Tokio Kikuchi (tkikuchi) wrote :

You can suppress sending confirmation by putting the
victim's email address in ban_list from the admin page
(privacy section), if she/he is not willing to be added to
your list. This may not work if the malicious user forges
the 'From:' header. In this case, the victim may well
introduce some mail filter to get junk mail discarded
before it reaches her/his eyes.

Revision history for this message
Eric-black (eric-black) wrote :

Thanks for the suggestion. That helps if a user complains, but does not
help in this scenario:

A malicious evil-doer discovers a spamtrap email address used by any of
the many RBLs, and repeatedly submits that address in a subscribe request,
either by forging email (trivial to do) or by repeatedly submitting the
HTML form (also trivial to do). The spamtrap receives multiple confirmation
requests.

The first confirmation request should be ignored, because typos happen.

Subsequent confirmation requests may well be considered to be spam.
Especially if there are 5 a day, let alone 100 in the space of an hour.
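The limit asked for in the description (a maximum number of confirmation mails per address within a window of some days, defaulting to 1 in 1) and the burst scenario in the comment above, as an added example that is not Mailman's own code: a per-address limiter in Python. The class, its method names, the fixed-window reset and the sample request list are assumptions, not anything from Mailman.

```python
import time

SECONDS_PER_DAY = 86400


class SubscribeRateLimiter:
    """Count confirmation mails per normalized address inside a fixed window."""

    def __init__(self, max_requests=1, reset_days=1):
        self.max_requests = max_requests            # mails allowed per window
        self.window = reset_days * SECONDS_PER_DAY  # seconds before the counter resets
        self._state = {}  # address -> (window_start, sent, suppressed)

    @staticmethod
    def normalize(address):
        # Case-fold and strip so "Victim@Example.ORG " is the same key.
        return address.strip().lower()

    def allow(self, address, now=None):
        """Return True if a confirmation mail may be sent to `address` now."""
        now = time.time() if now is None else now
        key = self.normalize(address)
        start, sent, suppressed = self._state.get(key, (now, 0, 0))
        if now - start >= self.window:
            start, sent, suppressed = now, 0, 0  # window expired: reset counter
        if sent >= self.max_requests:
            # Over the limit: withhold the mail, but record the attempt for abuse alerting.
            self._state[key] = (start, sent, suppressed + 1)
            return False
        self._state[key] = (start, sent + 1, suppressed)
        return True

    def suppressed_count(self, address):
        """Confirmations withheld for this address in the current window."""
        return self._state.get(self.normalize(address), (0, 0, 0))[2]


def filter_requests(requests, max_requests=1, reset_days=1):
    """Apply the limiter to (timestamp, address) pairs; return allow decisions."""
    limiter = SubscribeRateLimiter(max_requests, reset_days)
    return [limiter.allow(addr, now=ts) for ts, addr in requests]


# Constructed sample: one request, a burst against the same address (varying
# case) within the hour, then a retry two days later.
SAMPLE_REQUESTS = [
    (0, "victim@example.org"),
    (600, "Victim@example.org"),
    (1200, "victim@example.org"),
    (2 * SECONDS_PER_DAY, "victim@example.org"),
]
```

With the defaults only the first request and the retry after the window produce a confirmation mail; the two suppressed attempts stay visible through `suppressed_count`, which is the signal an operator would watch for a mailbombing attempt.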
