Ben Cooksley writes:

> If Mailman were to implement basic CSRF protection for all POST requests
> that would also slow the attackers down I suspect (as they would have to
> make a GET request first and parse it).

It might slow a human down, but as soon as it becomes a feature of Mailman, the attackers will implement the necessary countermeasure (if it isn't already implemented because they use libcurl or so in their program!). Bandwidth? CPU? These guys have no such constraints.

> One thing I do know is that at least for us the attacks all
> appeared to be coming from Tor endpoints or open web proxies.

Big surprise. Not to mention demonstrating that CSRF protection won't help, because you're dealing with real players, not junior high school students from a fishing village in western Japan.

The problem here is that you cannot authenticate users you don't already know. So CSRF just adds a "get a free token" step to the automated process. I'm sure all the major libraries already implement this, so unless the attackers are remarkably stupid, undoubtedly the needed code is immediately to hand.

One partial solution would be to allow OpenID logins to the website to use it to register subscriptions. Of course you probably can't trust Google or Yahoo accounts. ;-)

------------------------------------------------------
Mailman-Users mailing list Mailman-Users@python.org
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: http://mail.python.org/mailman/options/mailman-users/archive%40jab.org
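The "get a free token" point in the reply above, worked through in code. This is an added example, not Mailman's code and not code from anyone in the thread: a toy subscription endpoint that issues a CSRF token on GET (bound to an anonymous session cookie) and requires it on POST, plus two attacker clients. The blind poster that skips the GET is what a CSRF token actually stops; the automated GET-parse-POST client is what a subscription-bombing script does, and it gets through with one extra round trip. All names (ToyListServer, issue_token, run_campaign, the example.invalid addresses) are hypothetical and nothing here touches a network.

```python
"""Why a per-form CSRF token does not stop automated subscription spam.

Added example, not Mailman code. The server hands an anonymous visitor a
session cookie plus a token on GET and checks the pair on POST. Because
anyone, including the spammer's script, can do that GET, the token only
stops a request that never fetched the form.
"""
import hashlib
import hmac
import re
import secrets
from dataclasses import dataclass, field

# Server-side signing key (hypothetical; regenerated on every run).
SECRET_KEY = secrets.token_bytes(32)


def issue_token(session_id: str) -> str:
    """CSRF token = HMAC(secret, session cookie), as many frameworks do."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def token_valid(session_id: str, token: str) -> bool:
    """Constant-time check that the token belongs to this session."""
    return hmac.compare_digest(issue_token(session_id), token)


@dataclass
class ToyListServer:
    """Stand-in for a list's web UI; records successful subscriptions."""
    subscriptions: list = field(default_factory=list)

    def get_form(self):
        """GET /subscribe: mint an anonymous session and embed its token."""
        session_id = secrets.token_hex(16)
        token = issue_token(session_id)
        html = (
            '<form method="post">'
            f'<input type="hidden" name="csrf_token" value="{token}">'
            '<input name="email"></form>'
        )
        return session_id, html

    def post_subscribe(self, session_id, form: dict) -> int:
        """POST /subscribe: 403 unless cookie and token match, else 200."""
        if not session_id or not token_valid(session_id, form.get("csrf_token", "")):
            return 403
        self.subscriptions.append(form["email"])
        return 200


def blind_post(server: ToyListServer, victim: str) -> int:
    """Attacker POSTs without ever fetching the form: this is what CSRF stops."""
    return server.post_subscribe(None, {"email": victim})


def automated_subscribe(server: ToyListServer, victim: str) -> int:
    """Attacker's script: GET the form, scrape the token, POST with the cookie."""
    session_id, html = server.get_form()
    token = re.search(r'name="csrf_token" value="([0-9a-f]+)"', html).group(1)
    return server.post_subscribe(session_id, {"csrf_token": token, "email": victim})


def run_campaign(victims):
    """Try both attacker styles against a fresh server.

    Returns (blind_successes, automated_successes, total_subscriptions).
    """
    server = ToyListServer()
    blind = sum(blind_post(server, v) == 200 for v in victims)
    automated = sum(automated_subscribe(server, v) == 200 for v in victims)
    return blind, automated, len(server.subscriptions)


if __name__ == "__main__":
    # Constructed sample targets, not real addresses.
    targets = ["a@example.invalid", "b@example.invalid", "c@example.invalid"]
    print(run_campaign(targets))
```

The only thing the token buys is that the attacker must carry a cookie jar and parse one hidden field, which every HTTP client library already handles; the server still has no way to tell this anonymous session from a legitimate visitor's.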