X-Git-Url: https://git.ralfj.de/web.git/blobdiff_plain/48c50507ee393f24dc73c16b209b5f00e02e166b..refs/heads/master:/ralf/_posts/2018-06-02-mailman-subscription-spam.md diff --git a/ralf/_posts/2018-06-02-mailman-subscription-spam.md b/ralf/_posts/2018-06-02-mailman-subscription-spam.md deleted file mode 100644 index 3c29d1f..0000000 --- a/ralf/_posts/2018-06-02-mailman-subscription-spam.md +++ /dev/null @@ -1,60 +0,0 @@ ---- -title: "Fighting Mailman Subscription Spam: The Easy Way" -categories: sysadmin ---- - -I recently noticed that both of the Mailman setups that I am running are being -abused for *subscription spam*: Bots would automatically attempt to subscribe -foreign email addresses to public mailing lists, resulting in a subscription -notification being sent to that address. I am still extremely saddened by the -fact that this is a thing---whoever sends this spam has no direct benefit and no -way of selling anything (they don't control the content of the message); the -only effect is to annoy the owner of that email address, the victim. That seems -to be enough for some. :( - -Oh, and my servers' reputation goes down because people mark these emails as -spam. So, more than enough reasons to try and stop this. - - - -### The Big Guns - -My first reaction was to go and look for a way to add a CAPTCHA to the -subscription page. Unfortunately, Mailman 2 itself only very recently (with -version 2.1.26) gained support for CAPTCHAs, and even that just supports -Google's reCAPTCHA. I am not going to expose my users to Google's tracking like -that, nor am I willing to actively discriminate against people not having Google -accounts (reCAPTCHA is much more annoying if Google can't track you because you -are not logged in), so reCAPTCHA was clearly not an option. Instead, the plan -was to look at one of the patches that add CAPTCHA support to older versions of -Mailman and implement a simple question-and-answer CAPTCHA myself. - -**Update:** I previously claimed Mailman 2 does not support CAPTCHAs at all, - which turned out to be incorrect. **/Update** - -### Keep It Simple - -But then, while just getting started on this and browsing the Mailman sources, I -found out about `SUBSCRIBE_FORM_SECRET`. `SUBSCRIBE_FORM_SECRET` is a Mailman -config option that, once set to a random string, will make Mailman embed a -[CSRF token](https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet) -into the subscription form. Mailman will also enforce that the form must be -submitted *at least* five seconds after it was generated. Since the bots that -have found my servers so far are much less patient than that, just setting -`SUBSCRIBE_FORM_SECRET` was enough to completely get rid of the subscription -spam. - -So, if you are reading this and running a Mailman installation: **Please set -`SUBSCRIBE_FORM_SECRET` and protect your setup against abuse!** Just run `pwgen -16` to get some random string, and then add `SUBSCRIBE_FORM_SECRET = ""` to `/etc/mailman/mm_cfg.py`. It's really that simple! Just a -[four-line patch in my Ansible playbook](https://git.ralfj.de/ansible.git/commitdiff/937b170594be82e500ae726dc47de8ca9ef3dfcf) -to get this rolled out to all servers. Note that you need to be at least on -Mailman 2.1.16 for this to work; all currently supported versions of Debian come -with a recent enough version (if you use backports on Debian 7 "Wheezy"). - -The more people do this, the more it will help to stop this kind of spam. Or -rather, it'll force the spammers to upgrade their game. I assume eventually I -*will* have to add a CAPTCHA. Or maybe there is a simple and reliable way to -migrate to Mailman 3 before that happens---and maybe that will have more -reasonable CAPTCHA options, something beyond just reCAPTCHA.