From: Ralf Jung Date: Sat, 2 Jun 2018 18:19:55 +0000 (+0200) Subject: add post on mailman subscritpion spam X-Git-Url: https://git.ralfj.de/web.git/commitdiff_plain/33490f0c4ff2c0a37015f36213e6897073723799?ds=inline add post on mailman subscritpion spam --- diff --git a/personal/_posts/2018-06-02-mailman-subscription-spam.md b/personal/_posts/2018-06-02-mailman-subscription-spam.md new file mode 100644 index 0000000..237153c --- /dev/null +++ b/personal/_posts/2018-06-02-mailman-subscription-spam.md @@ -0,0 +1,59 @@ +--- +title: "Fighting Mailman Subscription Spam: The Easy Way" +categories: sysadmin +--- + +I recently noticed that both of the Mailman setups that I am running are being +abused for *subscription spam*: Bots would automatically attempt to subscribe +foreign email addresses to public mailing lists, resulting in a subscription +notification being sent to that address. I am still extremely saddened by the +fact that this is a thing---whoever sends this spam has no direct benefit and no +way of selling anything (they don't control the content of the message); the +only effect is to annoy the owner of that email address, the victim. That seems +to be enough for some. :( + +Oh, and my servers' reputation goes down because people mark these emails as +spam. So, more than enough reasons to try and stop this. + + + +### The Big Guns + +My first reaction was to go and look for a way to add a CAPTCHA to the +subscription page. Unfortunately, Mailman itself does not support a CAPTCHA (at +least not Mailman 2), and the existing patches I found were all about adding +support for Google's reCAPTCHA. I am not going to expose my users to Google's +tracking like that, nor am I willing to actively discriminate against people not +having Google accounts (reCAPTCHA is much more annoying if Google can't track +you because you are not logged in), so reCAPTCHA was clearly not an option. +Instead, the plan was to look at one of these patches and implement a simple +question-and-answer CAPTCHA myself. + +### Keep It Simple + +But then, while just getting started on this and browsing the Mailman sources, I +found out about `SUBSCRIBE_FORM_SECRET`. `SUBSCRIBE_FORM_SECRET` is a Mailman +config option that, once set to a random string, will make Mailman embed a +[CSRF token](https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet) +into the subscription form. Mailman will also enforce that the form must be +submitted *at least* five seconds after it was generated. Since the bots that +have found my servers so far are much less patient than that, just setting +`SUBSCRIBE_FORM_SECRET` was enough to completely get rid of the subscription +spam. + +So, if you are reading this and running a Mailman installation: **Please set +`SUBSCRIBE_FORM_SECRET` and protect your setup against abuse!** Just run `pwgen +16` to get some random string, and then add `SUBSCRIBE_FORM_SECRET = ""` to `/etc/mailman/mm_cfg.py`. It's really that simple! Just a +[four-line patch in my Ansible playbook](https://git.ralfj.de/ansible.git/commitdiff/937b170594be82e500ae726dc47de8ca9ef3dfcf) +to get this rolled out to all servers. Note that you need to be at least on +Mailman 2.1.16 for this to work; all currently supported versions of Debian come +with a recent enough version (if you use backports on Debian 7 "Wheezy"). + +The more people do this, the more it will help to stop this kind of spam. Or +rather, it'll force the spammers to upgrade their game. I assume eventually I +*will* have to add a CAPTCHA. Or maybe there is a simple and reliable way to +migrate to Mailman 3 before that happens---and maybe that will have a CAPTCHA. +(Though, from a quick search, it doesn't seem like it does, which I find pretty +surprising. If my tiny servers are abused like this, I assume it's a really +common problem and Mailman should protect against it per default.)