Opened 4 years ago

Closed 13 months ago

#2463 closed task (fixed)

geoserver-security under sustained access request attack

Reported by: jive Owned by: jsanz
Priority: normal Milestone: Unplanned
Component: SysAdmin/Mailman Keywords:
Cc:

Description

In the past couple of days we are getting emails sent to geoserver-security-owner@lists.osgeo.org of dummy accounts trying to subscribe.

Is there any way to turn off subscription requests, and manually manage the limited list of members?

Attachments (1)

many.png (458.6 KB ) - added by jive 4 years ago.


Change History (13)

comment:1 by jive, 4 years ago

Anything we can do here? Can we take this list private ...

comment:2 by strk, 4 years ago

The mailing list owner, I think, can do that from the admin panel

comment:3 by wildintellect, 4 years ago

Component: changed from Systems Admin to Mailing Lists
Owner: changed from sac@… to jsanz

comment:4 by jsanz, 4 years ago

Options for admins are available at

https://lists.osgeo.org/mailman/admin/geoserver-security/privacy

You can remove the list from being advertised in the mailman lists frontpage, and maybe you can also add the confirm step, but as far as I know there isn't a way to fully remove the subscription procedure and move mailman to an "invitation-only" workflow.

Please let me know if you want me to change those settings for you.

comment:5 by strk, 4 years ago

I found an old thread saying this is NOT possible with Mailman (to confirm what jsanz is saying): https://mail.python.org/pipermail/mailman-users/2010-September/070226.html

As this was 10 years ago I wonder if things changed...

Anyway, it's a python software, maybe we can implement that change. Pythonists reading this?

comment:6 by strk, 4 years ago

Another option seems to be tweaking the subscription template: https://mail.python.org/pipermail/mailman-users/2005-October/047223.html

comment:7 by jsanz, 4 years ago

Also, worth noting that you can add regular expressions to the ban list to entirely remove email domains.

https://lists.osgeo.org/mailman/admin/geoserver-security/?VARHELP=privacy/subscribing/ban_list
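An added illustration (not Mailman's own code, and not from anyone on this ticket) of how a ban_list entry is evaluated and how a list owner could check a batch of pending requests against it before enabling it. It assumes the Mailman 2 convention that an entry beginning with `^` is a case-insensitive regular expression and any other entry is a literal address; the addresses and patterns below are constructed samples.

```python
import re
from collections import Counter

# Constructed sample of pending subscription requests, standing in for the
# "hundreds a week" the ticket describes. None of these are real addresses.
PENDING = [
    "alice@example.org",
    "bob.smith@example.org",
    "x8f2k1@mail-drop.example",
    "q91zz@mail-drop.example",
    "a0b1c2@mail-drop.example",
    "nn77@throwaway.example.net",
    "Carol@Example.Org",
]

# Assumed ban_list semantics (re-implemented here for illustration): an entry
# starting with "^" is a case-insensitive regex, anything else is a literal
# address compared case-insensitively.
BAN_LIST = [
    r"^.*@mail-drop\.example$",                  # whole throwaway domain
    r"^[a-z0-9]{2,4}@throwaway\.example\.net$",  # short random local parts only
    "spammer@example.org",                       # one literal address
]

def is_banned(email, ban_list=BAN_LIST):
    for pattern in ban_list:
        if pattern.startswith("^"):
            try:
                cre = re.compile(pattern, re.IGNORECASE)
            except re.error:
                continue  # a malformed regex blocks nobody; it is silently skipped
            if cre.search(email):
                return True
        elif pattern.lower() == email.lower():
            return True
    return False

def domain_counts(pending):
    """Count requests per domain so a bulk source stands out before you write a regex."""
    return Counter(addr.rsplit("@", 1)[1].lower() for addr in pending)

def triage(pending, ban_list=BAN_LIST):
    """Split pending requests into (rejected by ban_list, still reaching the owner)."""
    banned = [a for a in pending if is_banned(a, ban_list)]
    passed = [a for a in pending if not is_banned(a, ban_list)]
    return banned, passed

if __name__ == "__main__":
    print(domain_counts(PENDING).most_common())
    print(triage(PENDING))
```

Patterns without a trailing `$` match anywhere in the address, so anchor them as above to avoid banning legitimate subscribers whose address merely contains the string.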

by jive, 4 years ago

Attachment: many.png added


comment:8 by jive, 4 years ago

Please see attachment, we are getting hundreds of these subscription requests a week.

Is this mailing list just unlucky, or are others also under sustained attack?

comment:9 by jive, 4 years ago

From Jukka:

Filtering the incoming mails coming from geoserver-security list mainly hides the issue that we have with the subscription spam. Could it be possible to add recaptcha or anything to stop at least most subscription requests from a robot that some friendly people have obviously hired? The list seems to be handled by mailman and I found some links that feel relevant, like https://www.dragonsreach.it/2018/02/26/adding-recaptcha-v2-support-mailman/.

comment:10 by neteler, 4 years ago

FYI, this mess also affects other lists: stolen email addresses seem to be registered and their respective owners complain about unsolicited subscription to the list managers (incl. me).

comment:11 by robe, 21 months ago

Is this still an issue? I know we've made several upgrades but we haven't put in recaptcha.

comment:12 by cvvergara, 13 months ago

Resolution: fixed
Status: changed from new to closed

Was told by @jive that it can be closed
