On 12/12/2016 03:07 PM, Edward Hasbrouck wrote:
>
> How can I stop this? I am willing to give up "subscribe to this list by
> e-mail", and require all subscriptions to be via the Web.
Steve has answered most of this. I just want to add a couple of things.

With respect to web subscribes, several sites including python.org have seen mail bomb attacks via the web subscribe interface. These are subscribes via the web UI by distributed bots that are "smart" enough to GET the form and delay tens of seconds before POSTing it. The most recent attacks have been multiple subscribes to multiple lists of some gmail.com address with various permutations of dots (ignored by gmail) interspersed in the local part.

The most recent attack on mail.python.org subscribed addresses that matched

'^.*s\.*u\.*n\.*i\.*b\.*e\.*e\.*s\.*t\.*a\.*r\.*s.*@gmail\.com'

During the first 17 hours (before I noticed it in the daily status report) there were 7896 pending subscribes waiting user confirmation and 417 held subscriptions waiting moderator approval (there is a script at <https://www.msapiro.net/scripts/erase> to remove these). At that point I added the above pattern to the GLOBAL_BAN_LIST (recently implemented because of attacks like this). During the next 30+ hours until the attacks stopped there were 4631 banned subscription attempts. The banned attempts and held subscriptions don't send emails, but there were still almost 8000 email confirmation requests sent to the gmail address.

The bottom line here is that web subscribes are also vulnerable to exploitation.

> I would still prefer to have e-mail confirmation of new subscriptions, but
> I don't think that would cause as much of a backscatter problem: The
> "-request" address can be harvested from the public Web, but the
> "-confirm" address would be much less likely to do so.
>
> But if it is simpler to implement, it would be OK to require new
> subscriptions to be confirmed through the Web interface.

The whole point of confirmation is to verify that the entity generating the subscribe request can actually receive and comprehend an email message sent to that address, i.e. is the actual user whose address that is.
I don't see how that can be done without sending an email to the address.

--
Mark Sapiro <m...@msapiro.net>
San Francisco Bay Area, California
The highway is for gamblers, better use your sense - B. Dylan

------------------------------------------------------
Mailman-Users mailing list
Mailman-Users@python.org
https://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: https://mail.python.org/mailman/options/mailman-users/archive%40jab.org
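The dot-permutation flood Mark describes is easier to spot if subscribe attempts are counted per canonical Gmail address rather than per literal string. The following is an added example (not Mailman code and not from the post): it collapses the dots Gmail ignores, counts attempts per canonical address over a constructed sample, and also checks addresses against the GLOBAL_BAN_LIST pattern quoted in the post. Case-insensitive matching of that pattern and the sample attempt data are assumptions of the example.

```python
import re
from collections import Counter

# The GLOBAL_BAN_LIST pattern quoted in the post. Case-insensitive matching
# is an assumption of this example, not something the post states.
GLOBAL_BAN_PATTERN = re.compile(
    r'^.*s\.*u\.*n\.*i\.*b\.*e\.*e\.*s\.*t\.*a\.*r\.*s.*@gmail\.com',
    re.IGNORECASE)

def is_banned(address):
    """True if the address matches the quoted GLOBAL_BAN_LIST pattern."""
    return GLOBAL_BAN_PATTERN.match(address) is not None

def canonical_gmail(address):
    """Collapse the dot permutations (and a +tag) that Gmail ignores, so
    's.u.n.i@gmail.com' and 'su.ni@gmail.com' compare equal.
    Other domains are only lower-cased and stripped of whitespace."""
    address = address.strip().lower()
    local, sep, domain = address.rpartition('@')
    if not sep:
        return address
    if domain in ('gmail.com', 'googlemail.com'):
        local = local.split('+', 1)[0].replace('.', '')
        domain = 'gmail.com'
    return f'{local}@{domain}'

def flood_report(attempts, threshold):
    """Count subscribe attempts per canonical address and return a dict of
    those at or above `threshold`. `attempts` is an iterable of
    (listname, address) pairs, e.g. parsed from the daily status report."""
    counts = Counter(canonical_gmail(addr) for _, addr in attempts)
    return {addr: n for addr, n in counts.items() if n >= threshold}

# Constructed sample of web-subscribe attempts (not real log data): one
# target address under several dot permutations, plus ordinary subscribers.
SAMPLE_ATTEMPTS = [
    ('mailman-users', 's.u.n.i.b.e.e.s.t.a.r.s@gmail.com'),
    ('mailman-users', 'sunib.eestars@gmail.com'),
    ('python-dev', 'su.nibee.stars@gmail.com'),
    ('python-dev', 'SUNIBEESTARS@gmail.com'),
    ('mailman-users', 'alice@example.org'),
    ('python-dev', 'bob.smith@example.org'),
]

if __name__ == '__main__':
    print(flood_report(SAMPLE_ATTEMPTS, threshold=3))
    for _, addr in SAMPLE_ATTEMPTS:
        print(addr, 'banned' if is_banned(addr) else 'ok')
```

A real deployment would feed this the pending and held subscription records rather than a literal list; a per-canonical-address count also catches floods whose letters do not fit a hand-written ban regex.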