[Mailman-Users] Malicious web subscription requests
Hi,

Earlier this evening I received a Yahoo! spam/abuse report, and I'm glad I did since it let me know there was a problem. I quickly discovered that somebody (or maybe more than one somebody) was using the Mailman subscribe form to request subscription for many Email addresses. According to my outgoing Sendmail logs, many of these addresses were being rejected, unknown user. This of course suggests that these particular malicious actors probably bought/acquired/harvested an out-of-date mailing list.

Anyway I wanted to stop this immediately, as sending this type of Email is undesirable in any event. Needing a quick fix, what I did was to rename the subscribe executable in /usr/lib/mailman/cgi-bin to something nonsensical, then write a shell script as /usr/lib/mailman/cgi-bin/subscribe which cats an HTML document explaining that web subscriptions are currently unavailable and why.

I know there's been lots of discussion about the topic of malicious web subscribes in the past. However, with the two lists I run, there's a special situation. Almost all people subscribing to these lists are blind, so a visual CAPTCHA is entirely inappropriate. Are there any other countermeasures I can take?

Thanks,

Jayson

-- 
Mailman-Users mailing list -- mailman-users@python.org
To unsubscribe send an email to mailman-users-le...@python.org
https://mail.python.org/mailman3/lists/mailman-users.python.org/
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: https://www.mail-archive.com/mailman-users@python.org/
https://mail.python.org/archives/list/mailman-users@python.org/
[Mailman-Users] Re: Malicious web subscription requests
On 6/23/25 19:19, Jayson Smith wrote:

> I know there's been lots of discussion about the topic of malicious web subscribes in the past. However, with the two lists I run, there's a special situation. Almost all people subscribing to these lists are blind, so a visual CAPTCHA is entirely inappropriate. Are there any other countermeasures I can take?

Mailman >= 2.1.30 has the ability to add text based captchas to the subscribe form. If your Mailman 2.1 version is 2.1.30 or later, see the section beginning with the line

```
# Use a custom question-answer CAPTCHA to protect against subscription spam.
```

in Defaults.py.

-- 
Mark Sapiro                          The highway is for gamblers,
San Francisco Bay Area, California   better use your sense - B. Dylan
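The following is an added example, not Mailman's own code and not from any participant in this thread. It shows what a text-only question/answer CAPTCHA in the shape of the CAPTCHAS setting that Defaults.py documents can look like in mm_cfg.py (a dict keyed by language code whose values are (question, answer-regexp) pairs), together with a verify routine that mirrors the intended behaviour. The exact matching rules (strip, case-insensitive, whole-answer match) and the question texts are this example's own assumptions; compare them against captcha_verify in Mailman/Utils.py on your install before relying on them. Python 3 is used here for readability even though Mailman 2.1 itself runs on Python 2.

```python
"""Text-only CAPTCHA configuration and check, Mailman-2.1.30-style.

Added illustration, not Mailman's code.  Assumed: CAPTCHAS is a dict keyed
by language code, each value a list of (question, answer_regexp) pairs, as
Defaults.py describes.  The matching rules below are this example's own.
"""
import random
import re

# mm_cfg.py-style setting.  Questions are plain text, so a screen reader
# presents them like any other form label; each regexp accepts the digit
# and the word form so a blind user typing either one passes.
CAPTCHAS = {
    'en': [
        ('What is two times six, written as a number or a word?',
         r'(12|twelve)'),
        ('Type the last word of this sentence: the sky is blue.',
         r'blue\.?'),
    ],
}


def pick_question(lang, captchas=CAPTCHAS, rng=random):
    """Choose a question for the subscribe form.

    Returns (index, question).  The index is what the form sends back as a
    hidden field; the question list for an unknown language falls back to
    English, as the English list must always be present.
    """
    pool = captchas.get(lang) or captchas['en']
    idx = rng.randrange(len(pool))
    return idx, pool[idx][0]


def verify_answer(lang, idx, given, captchas=CAPTCHAS):
    """Check a submitted answer.  idx arrives from the form as a string.

    Returns True only for an in-range index (a tampered or stale index is
    rejected) and an answer that matches the configured regexp as a whole,
    ignoring case and surrounding whitespace.
    """
    pool = captchas.get(lang) or captchas['en']
    try:
        idx = int(idx)
    except (TypeError, ValueError):
        return False
    if not 0 <= idx < len(pool):
        return False
    pattern = pool[idx][1]
    # fullmatch, so a pattern like 'blue' is not satisfied by 'xxbluexx';
    # strip() and IGNORECASE tolerate what a human actually types.
    return re.fullmatch(pattern, given.strip(), re.IGNORECASE) is not None
```

Whatever questions you settle on, keep the answer regexps anchored (fullmatch here) and accept the spoken form of numbers as well as digits; a screen-reader user hearing "two times six" is as likely to type "twelve" as "12".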
[Mailman-Users] Re: Malicious web subscription requests
Hi again,

Thanks for this information. However, I'm not sure this type of CAPTCHA is very effective any more. The problem is that LLMs can, in my experience, effortlessly answer the types of self-referencing questions that have been quite popular with these types of challenges in the past (What is Virgil's first name? What color is a red dress? If today is Friday, what is tomorrow? Piano, toothbrush, garbage truck: which of these do you put in your mouth?).

Knowledge-based questions present some problems as well. Something like "What is the name of this list?" would be easy for any spammer to answer, since they're subscribing to that very list. "Who runs this list?" is problematic if someone genuinely doesn't know.

What seems to be getting more popular is proof of work based CAPTCHAs where your computer has to solve some type of mathematical problem which takes a certain amount of time, then prove to the web server that it found the correct solution, or CAPTCHAs based on heuristics that try to determine if someone is more likely to be a real human or a bot.

I totally get that Mailman version 2 is end of life at this point, so nothing like this will be implemented, it's just some thoughts.

I also don't quite understand the motivation for subscribe form flooding. What does the bad actor gain from sending out tons of subscribe requests to seemingly random people? Or are they just being malicious for no reason other than that they can?

Thanks,

Jayson

On 6/23/2025 9:47 PM, Mark Sapiro wrote:
> On 6/23/25 19:19, Jayson Smith wrote:
>> I know there's been lots of discussion about the topic of malicious web subscribes in the past. However, with the two lists I run, there's a special situation. Almost all people subscribing to these lists are blind, so a visual CAPTCHA is entirely inappropriate. Are there any other countermeasures I can take?
>
> Mailman >= 2.1.30 has the ability to add text based captchas to the subscribe form. If your Mailman 2.1 version is 2.1.30 or later, see the section beginning with the line
>
> ```
> # Use a custom question-answer CAPTCHA to protect against subscription spam.
> ```
>
> in Defaults.py.
[Mailman-Users] Re: Malicious web subscription requests
Jayson Smith writes:

> Thanks for this information. However, I'm not sure this type of
> CAPTCHA is very effective any more.

All CAPTCHAs are effective to some degree. Whether a "dumb" text captcha would be effective depends on the sophistication of the attacker. I don't know about the subscription flooders.

I have recently seen captchas that produce audio. Perhaps services like Recaptcha can do that.

> What seems to be getting more popular is proof of
> work based CAPTCHAs where your computer has to solve some type of
> mathematical problem which takes a certain amount of time, then
> prove to the web server that it found the correct solution, or
> CAPTCHAs based on heuristics that try to determine if someone is
> more likely to be a real human or a bot.

Hashcash is rude to your legit users, and wasteful if Team Malice is not attacking. The heuristic approach is also annoying to real users because it does make mistakes and they typically persist. If they work you can use them, of course.

> I also don't quite understand the motivation for subscribe form
> flooding. What does the bad actor gain from sending out tons of
> subscribe requests to seemingly random people?

I don't think we know.

-- 
GNU Mailman consultant (installation, migration, customization)
Sirius Open Source https://www.siriusopensource.com/
Software systems consulting in Europe, North America, and Japan
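To make concrete what the two previous messages mean by a proof-of-work (Hashcash-style) subscribe challenge, here is an added example; it is not Mailman code and not anything a participant posted. It shows both sides of the exchange: the server issues a random challenge bound to a difficulty and an expiry by an HMAC tag, the client brute-forces a counter until SHA-256(challenge, counter) has the required number of leading zero bits, and the server verifies with a single hash, refusing expired, tampered and replayed solutions. The challenge format, the HMAC binding, the replay set and the 12-bit difficulty used in the test are this example's own design choices; Mailman 2 provides no such mechanism.

```python
"""Hashcash-style proof-of-work challenge for a web form (added example).

Assumed/constructed: SERVER_KEY is a per-process secret; the challenge
string "nonce:bits:exp:tag" and the in-memory replay set are this
example's design, not a standard or Mailman's.
"""
import hashlib
import hmac
import os
import secrets
import time

SERVER_KEY = os.urandom(32)   # constructed per process; not persisted
SEEN_NONCES = set()           # nonces already redeemed (a real service
                              # would store these until their expiry)


def leading_zero_bits(digest):
    """Count leading zero bits of a byte string."""
    bits = 0
    for byte in digest:
        if byte == 0:
            bits += 8
            continue
        bits += 8 - byte.bit_length()
        break
    return bits


def issue_challenge(bits, ttl=300, now=None):
    """Server side: random nonce plus signed (bits, expiry).

    The HMAC tag stops a client from lowering the difficulty or extending
    the expiry; the nonce stops precomputation across users.
    """
    now = int(time.time()) if now is None else now
    nonce = secrets.token_hex(16)
    exp = now + ttl
    msg = f"{nonce}:{bits}:{exp}".encode()
    tag = hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()
    return f"{nonce}:{bits}:{exp}:{tag}"


def solve(challenge):
    """Client side (what the browser would do in JavaScript).

    Expected work is about 2**bits hashes; every extra bit doubles the
    cost for the honest user and for the attacker alike.
    """
    nonce, bits, _exp, _tag = challenge.split(':')
    bits = int(bits)
    counter = 0
    while True:
        digest = hashlib.sha256(f"{nonce}:{counter}".encode()).digest()
        if leading_zero_bits(digest) >= bits:
            return str(counter)
        counter += 1


def verify(challenge, solution, now=None):
    """Server side, one hash: signature valid, not expired, difficulty
    met, nonce not redeemed before.  Returns True/False."""
    now = int(time.time()) if now is None else now
    try:
        nonce, bits, exp, tag = challenge.split(':')
        bits, exp = int(bits), int(exp)
    except ValueError:                      # malformed or truncated
        return False
    msg = f"{nonce}:{bits}:{exp}".encode()
    expected = hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return False                        # tampered bits/exp/nonce
    if now > exp:
        return False                        # stale challenge
    digest = hashlib.sha256(f"{nonce}:{solution}".encode()).digest()
    if leading_zero_bits(digest) < bits:
        return False                        # work not done
    if nonce in SEEN_NONCES:
        return False                        # replayed solution
    SEEN_NONCES.add(nonce)
    return True
```

The cost asymmetry is the whole point and also the objection raised above: verification is one hash, solving is roughly 2**bits hashes, and that cost lands on every legitimate subscriber, including one on a slow device with a screen reader, whether or not an attack is in progress. Tune bits so a normal browser finishes in well under a second, and pair it with a short expiry so that pre-solved challenges cannot be stockpiled.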