Re: [Mailman-Users] Automated Subscription Bots Inundating ListOwners With Subscription Requests

2012-12-09 Thread Mark Sapiro
On 12/9/2012 8:14 AM, Ivan Fetch wrote:
>
> I downloaded the three modified files from this patch, and diffed them
> against 2.1.14 files. It looks like this patch will mostly apply to 2.1.14,
> but I'm not sure about the differences relating to comparing passwords, and
> the use of "strip." Se

Re: [Mailman-Users] Automated Subscription Bots Inundating ListOwners With Subscription Requests

2012-12-09 Thread Ivan Fetch
On Nov 24, 2012, at 4:11 PM, Mark Sapiro wrote:
> Mark Sapiro wrote at
> :
>
>> I have implemented a simple version of what I think you requested in
>> your post at
>>

Re: [Mailman-Users] Automated Subscription Bots Inundating ListOwners With Subscription Requests

2012-11-25 Thread Ralf Hildebrandt
* Mark Sapiro :
> I have augmented that patch with a timestamp and it now also checks that
> the hash is no older than mm_cfg.FORM_LIFETIME. See
> and
>
> for a bug report and the patch whi

Re: [Mailman-Users] Automated Subscription Bots Inundating ListOwners With Subscription Requests

2012-11-24 Thread Mark Sapiro
Mark Sapiro wrote at :
> I have implemented a simple version of what I think you requested in
> your post at
> .
>
> It is implemented by the attached

Re: [Mailman-Users] Automated Subscription Bots Inundating ListOwners With Subscription Requests

2012-11-18 Thread Mark Sapiro
Ben Cooksley wrote:
>
>If Mailman were to implement basic CSRF protection for all POST requests
>that would also slow the attackers down I suspect (as they would have to
>make a GET request first and parse it).

I have implemented a simple version of what I think you requested in your post at

Re: [Mailman-Users] Automated Subscription Bots Inundating ListOwners With Subscription Requests

2012-11-17 Thread Mark Sapiro
Petersen, Kirsten J - NET wrote:
>
>Today I realized that all of the lists involved in this attack have their
>subscribe_policy set to just "require approval" rather than "confirm" or "confirm
>and approve". So I think the theory that spammers were just trying to get on
>the lists to harvest member