Opened 15 months ago

Last modified 13 months ago

#2463 new task

geoserver-security under sustained access request attack

Reported by: jive Owned by: jsanz
Priority: normal Milestone: Unplanned
Component: Mails & Mailing Lists Keywords:
Cc:

Description

In the past couple of days we are getting emails sent to geoserver-security-owner@lists.osgeo.org of dummy accounts trying to subscribe.

Is there any way to turn off subscription requests, and manually manage the limited list of members?

Attachments (1)

many.png (458.6 KB) - added by jive 14 months ago.


Change History (11)

comment:1 Changed 15 months ago by jive

Anything we can do here? Can we take this list private ...

comment:2 Changed 14 months ago by strk

The mailing list owner, I think, can do that from the admin panel

comment:3 Changed 14 months ago by wildintellect

Component: Systems Admin → Mailing Lists
Owner: changed from sac@… to jsanz

comment:4 Changed 14 months ago by jsanz

Options for admins are available at

https://lists.osgeo.org/mailman/admin/geoserver-security/privacy

You can remove the list from being advertised in the mailman lists frontpage, and maybe you can also add the confirm step, but as far as I know there isn't a way to fully remove the subscription procedure and move mailman to an "invitation-only" workflow.

Please let me know if you want me to change those settings for you.

comment:5 Changed 14 months ago by strk

I found an old thread saying this is NOT possible with Mailman (to confirm what jsanz is saying): https://mail.python.org/pipermail/mailman-users/2010-September/070226.html

As this was 10 years ago, I wonder if things have changed...

Anyway, it's Python software; maybe we can implement that change. Any Pythonists reading this?

comment:6 Changed 14 months ago by strk

Another option seems to be tweaking the subscription template: https://mail.python.org/pipermail/mailman-users/2005-October/047223.html

comment:7 Changed 14 months ago by jsanz

Also, worth noting that you can add regular expressions to the ban list to entirely remove email domains.

https://lists.osgeo.org/mailman/admin/geoserver-security/?VARHELP=privacy/subscribing/ban_list
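The ban_list mechanism mentioned above, as an added example that is not part of this ticket or of Mailman's own code: a small Python script that reimplements the Mailman 2.1 ban_list matching rule (a line beginning with `^` is treated as a case-insensitive regular expression, any other line as a literal address; that reading of the rule is an assumption taken from the admin UI help text) and runs a constructed batch of pending subscription requests through it, suggesting a domain-wide pattern wherever one domain that still gets through produces a burst of requests.

```python
import re
from collections import Counter

def is_banned(addr, ban_list):
    """Mailman 2.1 ban_list semantics, reimplemented for illustration (not Mailman's code):
    a line starting with '^' is a case-insensitive regex searched against the address,
    any other line must equal the address case-insensitively; bad regexes are skipped."""
    addr = addr.strip()
    for pattern in ban_list:
        pattern = pattern.strip()
        if not pattern:
            continue
        if pattern.startswith("^"):
            try:
                if re.search(pattern, addr, re.IGNORECASE):
                    return True
            except re.error:
                continue
        elif addr.lower() == pattern.lower():
            return True
    return False

def ban_pattern_for_domain(domain):
    """Build a ban_list regex line that rejects every address at one domain."""
    return "^.*@" + re.escape(domain.lower()) + "$"

def triage(pending, ban_list, burst_threshold=3):
    """Split pending requests into banned/allowed and, for domains that still get
    through with >= burst_threshold requests, suggest the ban_list line to add."""
    banned = [a for a in pending if is_banned(a, ban_list)]
    allowed = [a for a in pending if not is_banned(a, ban_list)]
    per_domain = Counter(a.rsplit("@", 1)[-1].lower() for a in allowed)
    suggestions = {d: ban_pattern_for_domain(d)
                   for d, n in per_domain.items() if n >= burst_threshold}
    return banned, allowed, suggestions

# Constructed sample data: not real addresses and not this list's real configuration.
PENDING = [
    "alice@example.org",
    "xk39fj2@throwaway.example",
    "QPZ77@Throwaway.example",
    "m2kd01@burst.example",
    "v8s1pq@burst.example",
    "c0wq4n@burst.example",
    "banned.user@example.org",
]
BAN_LIST = [
    r"^.*@throwaway\.example$",  # regex line: rejects a whole domain
    "Banned.User@example.org",   # literal line: rejects one address
]
```

Calling `triage(PENDING, BAN_LIST)` returns the three already-banned addresses, the four that still pass, and a suggested `^.*@burst\.example$` line for the domain behind the burst.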

Changed 14 months ago by jive

Attachment: many.png added


comment:8 Changed 14 months ago by jive

Please see attachment, we are getting hundreds of these subscription requests a week.

Is this mailing list just unlucky, or are others also under sustained attack?

comment:9 Changed 14 months ago by jive

From Jukka:

Filtering the incoming mails coming from the geoserver-security list mainly hides the issue that we have with the subscription spam. Could it be possible to add reCAPTCHA or anything to stop at least most subscription requests from a robot that some friendly people have obviously hired? The list seems to be handled by Mailman, and I found some links that feel relevant, like https://www.dragonsreach.it/2018/02/26/adding-recaptcha-v2-support-mailman/.

comment:10 Changed 13 months ago by neteler

FYI, this mess also affects other lists: stolen email addresses seem to be registered and their respective owners complain about unsolicited subscription to the list managers (incl. me).
