On 07/22/2013 01:54 PM, Will Yardley wrote:
> On Mon, Jul 22, 2013 at 09:31:03PM +0200, Ralf Hildebrandt wrote:
>>
>> Which version of mailman is that?
>
> 2.1.9. And yes, I'm aware that we need to upgrade, it's in progress, but
> isn't possible immediately for complicated reasons. So, that's one
> reason I'm writing in, just to make sure this isn't an attempt to
> exploit a hole that's actually exploitable in this version.

There is a new feature in 2.1.16 (the second release candidate is
available; the final is due in September):

  - There is a new mm_cfg.py setting SUBSCRIBE_FORM_SECRET which will put
    a dynamically generated, hidden hash in the listinfo subscribe form
    and check it upon submission. Setting this will prevent automated
    processes (bots) from successfully POSTing web subscribes without
    first retrieving and parsing the form from the listinfo page. The
    form must also be submitted no later than FORM_LIFETIME nor earlier
    than SUBSCRIBE_FORM_MIN_TIME after retrieval. Note that enabling this
    will break any static subscribe forms on your site. See the
    description in Defaults.py for more info. (LP: #1082746)

If my 'legitimate web crawler' theory is correct, this feature won't help.

> On Mon, Jul 22, 2013 at 01:16:29PM -0700, Mark Sapiro wrote:
>>
>> In your case, the web crawlers are just blindly submitting the
>> subscribe form from the listinfo page, and disallowing your listinfo
>> pages in a robots.txt will likely stop it.
>
> Why do the requests have actual email addresses and a bogus password /
> token in the request string, though? The IP doesn't have any RDNS, but
> is allocated to MSN, but I'd think a legitimate crawler would be more
> easily identifiable as such, and would only be following actual links.
> In this case we're getting repeated attempts to subscribe various
> addresses. Also, they're only hitting this list (which isn't even set to
> 'public'), out of all 2000 or so of our Mailman lists.

Is the email address always the same?

I can't explain how web crawlers work or why they do what they do, but
I'm not discounting them.

What's in your web server logs for the identity of the agent that
submitted these requests?

If you do a bing search for this listinfo page, do you get any hits?

-- 
Mark Sapiro <m...@msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

------------------------------------------------------
Mailman-Users mailing list Mailman-Users@python.org
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: http://mail.python.org/mailman/options/mailman-users/archive%40jab.org
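The mechanism Mark describes (a hidden, dynamically generated hash in the subscribe form, rejected if submitted earlier than SUBSCRIBE_FORM_MIN_TIME or later than FORM_LIFETIME after retrieval), as an added Python illustration that is not Mailman's own code: the hidden field names, the HMAC construction over list name and issue time, and the timing values are assumptions, not what 2.1.16 ships.

```python
import hashlib
import hmac
import time
from typing import Optional

# Assumed settings, named after the mm_cfg.py options in the message above;
# the values are constructed for this example, not Mailman's defaults.
SUBSCRIBE_FORM_SECRET = "constructed-example-secret-change-me"
SUBSCRIBE_FORM_MIN_TIME = 5      # seconds: a POST faster than this is rejected
FORM_LIFETIME = 600              # seconds: a form older than this is rejected


def _digest(list_name: str, issued: int) -> str:
    """HMAC-SHA256 over the list name and issue time, keyed with the secret."""
    msg = f"{list_name}:{issued}".encode()
    return hmac.new(SUBSCRIBE_FORM_SECRET.encode(), msg, hashlib.sha256).hexdigest()


def make_form_token(list_name: str, now: Optional[int] = None) -> dict:
    """Hidden fields (assumed names) to embed when the listinfo form is rendered."""
    issued = int(time.time()) if now is None else now
    return {"sub_form_token": _digest(list_name, issued), "sub_form_time": str(issued)}


def verify_form_token(list_name: str, fields: dict, now: Optional[int] = None) -> str:
    """Check a submitted form; returns 'ok' or the reason it was rejected."""
    now = int(time.time()) if now is None else now
    try:
        issued = int(fields.get("sub_form_time", ""))
    except ValueError:
        return "missing_or_malformed"   # static form or bot that never fetched the page
    supplied = fields.get("sub_form_token", "")
    # Constant-time comparison so the check leaks nothing about the digest.
    if not hmac.compare_digest(supplied.encode(), _digest(list_name, issued).encode()):
        return "bad_token"              # forged, tampered, or issued for another list
    age = now - issued
    if age < SUBSCRIBE_FORM_MIN_TIME:
        return "too_early"              # submitted faster than a person could fill it in
    if age > FORM_LIFETIME:
        return "expired"                # fetched too long ago; the form must be re-fetched
    return "ok"


if __name__ == "__main__":
    fields = make_form_token("mailman-users", now=1000)
    print(verify_form_token("mailman-users", fields, now=1010))   # ok
    print(verify_form_token("mailman-users", fields, now=1001))   # too_early
```

Because the hash is keyed and bound to the list, a crawler that replays a form it saved from another list, or one that POSTs the same second it fetched the page, fails the check without the server having to store any per-form state.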