Hi,
Earlier this evening I received a Yahoo! spam/abuse report, and I'm glad 
I did since it let me know there was a problem. I quickly discovered 
that somebody (or maybe more than one somebody) was using the Mailman 
subscribe form to request subscription for many Email addresses. 
According to my outgoing Sendmail logs, many of these addresses were 
being rejected, unknown user. This of course suggests that these 
particular malicious actors probably bought/acquired/harvested an 
out-of-date mailing list. Anyway I wanted to stop this immediately, as 
sending this type of Email is undesirable in any event. Needing a quick 
fix, what I did was to rename the subscribe executable in 
/usr/lib/mailman/cgi-bin to something nonsensical, then write a shell 
script as /usr/lib/mailman/cgi-bin/subscribe which cats an HTML document 
explaining that web subscriptions are currently unavailable and why.

I know there's been lots of discussion about the topic of malicious web subscribes in the past. However, with the two lists I run, there's a special situation. Almost all people subscribing to these lists are blind, so a visual CAPTCHA is entirely inappropriate. Are there any other countermeasures I can take?

Thanks,


Jayson
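
Added example, not part of the original message: one way to write the stand-in `subscribe` script described above, so that it serves the explanatory page and also records each request for later review of where the flood came from. The notice and log file paths, the 503 status and the logging itself are assumptions made for this example.

```shell
#!/bin/sh
# Stand-in for Mailman's subscribe CGI while web subscriptions are disabled.
# Assumptions (not from the original message): the two paths below, and that
# the web server sets the usual CGI variables (REMOTE_ADDR, REQUEST_METHOD...).

NOTICE_FILE="${NOTICE_FILE:-/usr/lib/mailman/cgi-bin/subscribe-disabled.html}"  # hypothetical path
LOG_FILE="${LOG_FILE:-/var/log/mailman/subscribe-blocked.log}"                  # hypothetical path

# Keep only characters that are safe to write into a single log line,
# since every CGI variable is supplied by the client or derived from it.
sanitize() {
    printf '%s' "$1" | tr -cd 'A-Za-z0-9.:_/-' | cut -c1-128
}

# Record who hit the disabled form. A logging failure must not break the response.
log_attempt() {
    printf '%s addr=%s method=%s path=%s\n' \
        "$(date -u '+%Y-%m-%dT%H:%M:%SZ')" \
        "$(sanitize "${REMOTE_ADDR:-unknown}")" \
        "$(sanitize "${REQUEST_METHOD:-unknown}")" \
        "$(sanitize "${PATH_INFO:-}")" >> "$LOG_FILE" || true
}

# Emit the CGI response: a 503 so clients see a temporary outage, then the
# explanatory HTML (a short built-in fallback if the notice file is missing).
# The submitted form data is never read, so no subscription request is processed.
serve_notice() {
    printf 'Status: 503 Service Unavailable\r\n'
    printf 'Content-Type: text/html; charset=utf-8\r\n'
    printf 'Cache-Control: no-store\r\n\r\n'
    if [ -r "$NOTICE_FILE" ]; then
        cat "$NOTICE_FILE"
    else
        printf '<html><body><p>Web subscriptions are currently unavailable.</p></body></html>\n'
    fi
}

# Act as a CGI only when invoked by the web server (GATEWAY_INTERFACE is set).
if [ -n "${GATEWAY_INTERFACE:-}" ]; then
    log_attempt
    serve_notice
fi
```

The log file must be writable by the account the web server runs CGI scripts as; each line it collects gives a timestamp, source address and list path for one blocked request.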


------------------------------------------------------
Mailman-Users mailing list -- [email protected]