+++ /dev/null
----
-title: "Fighting Mailman Subscription Spam: The Easy Way"
-categories: sysadmin
----
-
-I recently noticed that both of the Mailman setups that I am running are being
-abused for *subscription spam*: Bots would automatically attempt to subscribe
-foreign email addresses to public mailing lists, resulting in a subscription
-notification being sent to that address. I am still extremely saddened by the
-fact that this is a thing---whoever sends this spam has no direct benefit and no
-way of selling anything (they don't control the content of the message); the
-only effect is to annoy the owner of that email address, the victim. That seems
-to be enough for some. :(
-
-Oh, and my servers' reputation goes down because people mark these emails as
-spam. So, more than enough reasons to try and stop this.
-
-<!-- MORE -->
-
-### The Big Guns
-
-My first reaction was to go and look for a way to add a CAPTCHA to the
-subscription page. Unfortunately, Mailman itself does not support a CAPTCHA (at
-least not Mailman 2), and the existing patches I found were all about adding
-support for Google's reCAPTCHA. I am not going to expose my users to Google's
-tracking like that, nor am I willing to actively discriminate against people not
-having Google accounts (reCAPTCHA is much more annoying if Google can't track
-you because you are not logged in), so reCAPTCHA was clearly not an option.
-Instead, the plan was to look at one of these patches and implement a simple
-question-and-answer CAPTCHA myself.
-
-### Keep It Simple
-
-But then, while just getting started on this and browsing the Mailman sources, I
-found out about `SUBSCRIBE_FORM_SECRET`. `SUBSCRIBE_FORM_SECRET` is a Mailman
-config option that, once set to a random string, will make Mailman embed a
-[CSRF token](https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet)
-into the subscription form. Mailman will also enforce that the form must be
-submitted *at least* five seconds after it was generated. Since the bots that
-have found my servers so far are much less patient than that, just setting
-`SUBSCRIBE_FORM_SECRET` was enough to completely get rid of the subscription
-spam.
-
-So, if you are reading this and running a Mailman installation: **Please set
-`SUBSCRIBE_FORM_SECRET` and protect your setup against abuse!** Just run `pwgen
-16` to get some random string, and then add `SUBSCRIBE_FORM_SECRET = "<random
-string here>"` to `/etc/mailman/mm_cfg.py`. It's really that simple! Just a
-[four-line patch in my Ansible playbook](https://git.ralfj.de/ansible.git/commitdiff/937b170594be82e500ae726dc47de8ca9ef3dfcf)
-to get this rolled out to all servers. Note that you need to be at least on
-Mailman 2.1.16 for this to work; all currently supported versions of Debian come
-with a recent enough version (if you use backports on Debian 7 "Wheezy").
-
-The more people do this, the more it will help to stop this kind of spam. Or
-rather, it'll force the spammers to upgrade their game. I assume eventually I
-*will* have to add a CAPTCHA. Or maybe there is a simple and reliable way to
-migrate to Mailman 3 before that happens---and maybe that will have a CAPTCHA.
-(Though, from a quick search, it doesn't seem like it does, which I find pretty
-surprising. If my tiny servers are abused like this, I assume it's a really
-common problem and Mailman should protect against it per default.)
projects / web.git / blobdiff