Opened 15 months ago

Last modified 13 months ago

#2463 new task

geoserver-security under sustained access request attack

Reported by: jive Owned by: jsanz
Priority: normal Milestone: Unplanned
Component: Mails & Mailing Lists Keywords:


In the past couple of days we are getting emails sent to of dummy accounts trying to subscribe.

Is there any way to turn off subscription requests, and manually manage the limited list of members?

Attachments (1)

many.png (458.6 KB) - added by jive 14 months ago.


Change History (11)

comment:1 Changed 15 months ago by jive

Anything we can do here? Can we take this list private ...

comment:2 Changed 14 months ago by strk

The mailing list owner, I think, can do that from the admin panel

comment:3 Changed 14 months ago by wildintellect

Component: Systems Admin → Mailing Lists
Owner: changed from sac@… to jsanz

comment:4 Changed 14 months ago by jsanz

Options for admins are available at

You can remove the list from being advertised in the mailman lists frontpage, and maybe you can also add the confirm step, but as far as I know there isn't a way to fully remove the subscription procedure and move mailman to an "invitation-only" workflow.

Please let me know if you want me to change those settings for you.

comment:5 Changed 14 months ago by strk

I found an old thread saying this is NOT possible with Mailman (to confirm what jsanz is saying):

As this was 10 years ago I wonder if things changed...

Anyway, it's Python software, maybe we can implement that change. Pythonists reading this?

comment:6 Changed 14 months ago by strk

Another option seems to be tweaking the subscription template:

comment:7 Changed 14 months ago by jsanz

Also, worth noting that you can add regular expressions to the ban list to entirely remove email domains.
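A dry run for the ban-list regular expressions mentioned in comment:7, as an added example that is not part of the ticket or of Mailman's own code: it checks candidate entries against pending requests and current members before they go live, so an over-broad pattern is caught first. It assumes the Mailman 2.1 convention that a ban list line starting with `^` is a regular expression and any other line is a literal address, and that matching is case-insensitive; the function names and all addresses are constructed for illustration.

```python
import re

def compile_ban_list(lines):
    """Split ban-list entries into literal addresses and compiled regexes."""
    literals, regexes = set(), []
    for raw in lines:
        entry = raw.strip()
        if not entry:
            continue
        if entry.startswith("^"):
            # Assumption: regex entries are matched case-insensitively.
            regexes.append(re.compile(entry, re.IGNORECASE))
        else:
            literals.add(entry.lower())
    return literals, regexes

def is_banned(address, literals, regexes):
    """True if the address equals a literal entry or matches a regex entry."""
    addr = address.strip().lower()
    return addr in literals or any(rx.search(addr) for rx in regexes)

def dry_run(ban_lines, pending, members):
    """Return (blocked requests, requests let through, members hit by mistake)."""
    literals, regexes = compile_ban_list(ban_lines)
    blocked = [a for a in pending if is_banned(a, literals, regexes)]
    passed = [a for a in pending if not is_banned(a, literals, regexes)]
    collateral = [m for m in members if is_banned(m, literals, regexes)]
    return blocked, passed, collateral

# Constructed sample data (not taken from the ticket).
PENDING = ["x1@bulkmail.example", "Q7@BulkMail.example", "alice@university.example"]
MEMBERS = ["maintainer@bulkmail.example.org", "bob@university.example"]

# Unescaped dot and no end anchor: also matches bulkmail.example.org.
LOOSE = [r"^.*@bulkmail.example"]
# Escaped dot and "$" anchor: matches only the intended domain.
STRICT = [r"^.*@bulkmail\.example$", "known-bot@mail.example"]

if __name__ == "__main__":
    for name, rules in (("loose", LOOSE), ("strict", STRICT)):
        blocked, passed, collateral = dry_run(rules, PENDING, MEMBERS)
        print(name, "blocked:", blocked, "passed:", passed, "members hit:", collateral)
```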

Changed 14 months ago by jive

Attachment: many.png added


comment:8 Changed 14 months ago by jive

Please see attachment, we are getting hundreds of these subscription requests a week.

Is this mailing list just unlucky, or are others also under sustained attack?

comment:9 Changed 14 months ago by jive

From Jukka:

Filtering the incoming mails coming from geoserver-security list mainly hides the issue that we have with the subscription spam. Could it be possible to add recaptcha or anything to stop at least most subscription requests from a robot that some friendly people have obviously hired? The list seems to be handled by mailman and I found some links that feel relevant, like

comment:10 Changed 13 months ago by neteler

FYI, this mess also affects other lists: stolen email addresses seem to be registered and their respective owners complain about unsolicited subscription to the list managers (incl. me).
