X-Git-Url: https://git.ralfj.de/web.git/blobdiff_plain/6c08d400b8980332184e3de1fa5279699cbf8ee5..refs/heads/master:/ralf/_posts/2018-06-02-mailman-subscription-spam.md diff --git a/ralf/_posts/2018-06-02-mailman-subscription-spam.md b/ralf/_posts/2018-06-02-mailman-subscription-spam.md deleted file mode 100644 index 237153c..0000000 --- a/ralf/_posts/2018-06-02-mailman-subscription-spam.md +++ /dev/null @@ -1,59 +0,0 @@ ---- -title: "Fighting Mailman Subscription Spam: The Easy Way" -categories: sysadmin ---- - -I recently noticed that both of the Mailman setups that I am running are being -abused for *subscription spam*: Bots would automatically attempt to subscribe -foreign email addresses to public mailing lists, resulting in a subscription -notification being sent to that address. I am still extremely saddened by the -fact that this is a thing---whoever sends this spam has no direct benefit and no -way of selling anything (they don't control the content of the message); the -only effect is to annoy the owner of that email address, the victim. That seems -to be enough for some. :( - -Oh, and my servers' reputation goes down because people mark these emails as -spam. So, more than enough reasons to try and stop this. - - - -### The Big Guns - -My first reaction was to go and look for a way to add a CAPTCHA to the -subscription page. Unfortunately, Mailman itself does not support a CAPTCHA (at -least not Mailman 2), and the existing patches I found were all about adding -support for Google's reCAPTCHA. I am not going to expose my users to Google's -tracking like that, nor am I willing to actively discriminate against people not -having Google accounts (reCAPTCHA is much more annoying if Google can't track -you because you are not logged in), so reCAPTCHA was clearly not an option. -Instead, the plan was to look at one of these patches and implement a simple -question-and-answer CAPTCHA myself. - -### Keep It Simple - -But then, while just getting started on this and browsing the Mailman sources, I -found out about `SUBSCRIBE_FORM_SECRET`. `SUBSCRIBE_FORM_SECRET` is a Mailman -config option that, once set to a random string, will make Mailman embed a -[CSRF token](https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet) -into the subscription form. Mailman will also enforce that the form must be -submitted *at least* five seconds after it was generated. Since the bots that -have found my servers so far are much less patient than that, just setting -`SUBSCRIBE_FORM_SECRET` was enough to completely get rid of the subscription -spam. - -So, if you are reading this and running a Mailman installation: **Please set -`SUBSCRIBE_FORM_SECRET` and protect your setup against abuse!** Just run `pwgen -16` to get some random string, and then add `SUBSCRIBE_FORM_SECRET = ""` to `/etc/mailman/mm_cfg.py`. It's really that simple! Just a -[four-line patch in my Ansible playbook](https://git.ralfj.de/ansible.git/commitdiff/937b170594be82e500ae726dc47de8ca9ef3dfcf) -to get this rolled out to all servers. Note that you need to be at least on -Mailman 2.1.16 for this to work; all currently supported versions of Debian come -with a recent enough version (if you use backports on Debian 7 "Wheezy"). - -The more people do this, the more it will help to stop this kind of spam. Or -rather, it'll force the spammers to upgrade their game. I assume eventually I -*will* have to add a CAPTCHA. Or maybe there is a simple and reliable way to -migrate to Mailman 3 before that happens---and maybe that will have a CAPTCHA. -(Though, from a quick search, it doesn't seem like it does, which I find pretty -surprising. If my tiny servers are abused like this, I assume it's a really -common problem and Mailman should protect against it per default.)