[Mailman-Users] Re: Subscription Attacks

Sat, 28 Jun 2025 14:36:30 -0700 

At 12:38 PM 6/28/2025, Mark Sapiro wrote:

On 6/28/25 09:46, David Andrews via Mailman-Users wrote:
There is stuff about the "secret form?" would this work? If I understand it, the IP must match. Then there is stuff about the life of the form? Do both conditions have to be true.? Many of our users do not return a form quickly, they are not that good with their assistive technology! The writing suggests five seconds, that would never work for us. 


In mm_cfg.py, set

SUBSCRIBE_FORM_SECRET = 'some phrase'


where some phrase is anything you want that 
isn't obvious. This places a hidden token in the 
subscribe form which is a hash of the phrase, 
the current time and the IP that requested the 
form which has to validate when the form is submitted.


Then set

SUBSCRIBE_FORM_MIN_TIME = seconds(number)


where is number is a number of seconds. You 
misunderstand this. It doesn't say the form has 
to be submitted within that time. It says the 
form can't be submitted within that time. I.e., 
you have to wait at least that long before submitting the form.



This is not perfect, but the intent is to 
require first getting the form and then delaying 
a bit to fill it out before submitting it to 
prevent bots from submitting a canned form or 
getting the form and replying immediately.


This may help.



Thanks!!!

Dave




--
Mark Sapiro <m...@msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan


------------------------------------------------------ 
Mailman-Users mailing list -- 
mailman-users@python.org To unsubscribe send an 
email to mailman-users-le...@python.org 
https://mail.python.org/mailman3/lists/mailman-users.python.org/ 
Mailman FAQ: http://wiki.list.org/x/AgA3 
Security Policy: http://wiki.list.org/x/QIA9 
Searchable Archives: 
https://www.mail-archive.com/mailman-users@python.org/ 
https://mail.python.org/archives/list/mailman-users@python.org/ 
Member address: dandrews...@comcast.net </x-flowed>


------------------------------------------------------
Mailman-Users mailing list -- mailman-users@python.org
To unsubscribe send an email to mailman-users-le...@python.org
https://mail.python.org/mailman3/lists/mailman-users.python.org/
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: https://www.mail-archive.com/mailman-users@python.org/
   https://mail.python.org/archives/list/mailman-users@python.org/
Member address: arch...@mail-archive.com






















					Reply via email to