On Tue, Dec 13, 2016 at 12:35 PM, Mark Sapiro <m...@msapiro.net> wrote:
>
> Steve has answered most of this. I just want to add a couple of things.
> With respect to web subscribes, several sites including python.org have
> seen mail bomb attacks via the web subscribe interface.
>
> These are subscribes via the web UI by distributed bots that are "smart"
> enough to GET the form and delay tens of seconds before POSTing it. The
> most recent attacks have been multiple subscribes to multiple lists of
> some gmail.com address with various permutations of dots (ignored by
> gmail) interspersed in the local part. The most recent attack on
> mail.python.org subscribed addresses that matched
>
> '^.*s\.*u\.*n\.*i\.*b\.*e\.*e\.*s\.*t\.*a\.*r\.*s.*@gmail\.com
I know the GLOBAL_BAN_LIST is for email addrs, but what would it take to
implement the same (or some field validation logic) for the "fullname" field
of the subscription page. I'm still seeing a ton of subscribe spam attempts,
and the fullname field is consistently not a text name.

From nginx log:

...sa...@apexgolfcarts.com&fullname=58562fbb70e22...
...elle...@hotmail.com&fullname=5856315b5b695...
...scottpickup2...@gmail.com&fullname=5856372a4e2f1...
...vanes...@live.com&fullname=58563aa6664bf...
...mea...@meaganlucyphoto.con&fullname=58563ab925ac7...
...saramardam...@gmail.com&fullname=58564566dc31b...
...dotthomas...@yahoo.com&fullname=5856456df0b96...
...scottpickup2...@gmail.com&fullname=58564b85ccf98...

-Jim P.

------------------------------------------------------
Mailman-Users mailing list
Mailman-Users@python.org
https://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: https://mail.python.org/mailman/options/mailman-users/archive%40jab.org
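As an added illustration of the two checks discussed in this thread (not code from Mailman or from either poster), the script below scans constructed nginx-style subscribe requests and flags the ones whose email matches the dot-permutation ban pattern Mark quoted, or whose fullname is a bare hex token like the ones in Jim's log. The log lines, addresses, the 12-hex-digit threshold and the function names are all assumptions for the example.

```python
import re
from urllib.parse import parse_qs

# Constructed request lines modelled on the redacted nginx entries in the
# thread; every address and value here is made up for the example.
SAMPLE_LOG = [
    "POST /mailman/subscribe/foo-list email=sam%40example.com&fullname=58562fbb70e22",
    "POST /mailman/subscribe/foo-list email=jane.doe%40example.org&fullname=Jane+Doe",
    "POST /mailman/subscribe/bar-list email=s.u.n.i.bee.stars99%40gmail.com&fullname=5856315b5b695",
]

# Address pattern quoted in the thread for the mail.python.org attack: a
# gmail local part spelling "sunibeestars" with arbitrary dots interspersed.
BAN_PATTERNS = [
    re.compile(r'^.*s\.*u\.*n\.*i\.*b\.*e\.*e\.*s\.*t\.*a\.*r\.*s.*@gmail\.com$', re.I),
]

# Heuristic for the fullname field: 12+ hex digits and nothing else is a
# machine token, not a person's name (assumed threshold, fits the samples).
HEX_NAME = re.compile(r'^[0-9a-f]{12,}$', re.I)

def check_subscribe(query):
    """Return the reasons a subscribe query string looks automated ([] = ok)."""
    fields = parse_qs(query, keep_blank_values=True)
    email = fields.get('email', [''])[0].strip()
    fullname = fields.get('fullname', [''])[0].strip()
    reasons = []
    if any(p.match(email) for p in BAN_PATTERNS):
        reasons.append('email matches ban pattern')
    if HEX_NAME.match(fullname):
        reasons.append('fullname is a hex token, not a name')
    return reasons

def scan_log(lines):
    """Map each flagged request's query string to its reasons."""
    flagged = {}
    for line in lines:
        query = line.rsplit(' ', 1)[-1]   # query string is the last field
        reasons = check_subscribe(query)
        if reasons:
            flagged[query] = reasons
    return flagged

if __name__ == '__main__':
    for query, reasons in scan_log(SAMPLE_LOG).items():
        print(query, '->', '; '.join(reasons))
```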