Opened 5 years ago
Closed 21 months ago
#2463 closed task (fixed)
geoserver-security under sustained access request attack
| Reported by: | jive | Owned by: | jsanz |
|---|---|---|---|
| Priority: | normal | Milestone: | Unplanned |
| Component: | SysAdmin/Mailman | Keywords: | |
| Cc: | | | |
Description
In the past couple of days we are getting emails sent to geoserver-security-owner@lists.osgeo.org of dummy accounts trying to subscribe.
Is there any way to turn off subscription requests, and manually manage the limited list of members?
Attachments (1)
Change History (13)
comment:1 by , 4 years ago
comment:3 by , 4 years ago
Component: | Systems Admin → Mailing Lists |
---|---|
Owner: | changed from | to
comment:4 by , 4 years ago
Options for admins are available at
https://lists.osgeo.org/mailman/admin/geoserver-security/privacy
You can remove the list from being advertised in the mailman lists frontpage, and maybe you can also add the confirm step, but as far as I know there isn't a way to fully remove the subscription procedure and move mailman to an "invitation-only" workflow.
Please let me know if you want me to change those settings for you.
comment:5 by , 4 years ago
I found an old thread saying this is NOT possible with Mailman (to confirm what jsanz is saying): https://mail.python.org/pipermail/mailman-users/2010-September/070226.html
As this was 10 years ago I wonder if things changed...
Anyway, it's Python software, maybe we can implement that change. Pythonists reading this?
comment:6 by , 4 years ago
Another option seems to be tweaking the subscription template: https://mail.python.org/pipermail/mailman-users/2005-October/047223.html
comment:7 by , 4 years ago
Also, worth noting that you can add regular expressions to the ban list to entirely remove email domains.
https://lists.osgeo.org/mailman/admin/geoserver-security/?VARHELP=privacy/subscribing/ban_list
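An added example, not part of the ticket or of Mailman's own code: a dry run that applies ban_list-style entries to a batch of pending subscription addresses and to the existing member list, so an over-broad regular expression is caught before it is saved. It assumes the Mailman 2.1 convention that a line starting with `^` is a regular expression and any other line is a literal address, and it treats matching as case-insensitive; all patterns and addresses are constructed placeholders.

```python
import re

# Constructed ban_list entries (placeholders, not taken from the ticket).
BAN_LIST = [
    r"^.*@(.*\.)?spam-domain\.example$",  # a whole domain and its subdomains
    r"^[a-z]{2,}\d{5,}@",                 # letters followed by a long digit run
    "known-bad@mail.example",             # literal address
]
# Constructed sample data: pending requests and current list members.
PENDING = [
    "bot@sub.spam-domain.example",
    "qwkz839201@freemail.example",
    "Known-Bad@mail.example",
    "alice@university.example",
    "x@notspam-domain.example",
]
MEMBERS = ["maintainer@project.example", "dev20231@freemail.example"]

def compile_ban_list(entries):
    """Split entries into compiled regexes ('^' lines) and literal addresses."""
    regexes, literals = [], set()
    for line in (e.strip() for e in entries):
        if not line:
            continue
        if line.startswith("^"):
            regexes.append(re.compile(line, re.IGNORECASE))
        else:
            literals.add(line.lower())
    return regexes, literals

def is_banned(address, regexes, literals):
    """True if the address equals a literal entry or matches any regex."""
    addr = address.strip()
    return addr.lower() in literals or any(rx.search(addr) for rx in regexes)

def dry_run(pending, members, entries):
    """Return (blocked requests, passed requests, members that would be hit)."""
    regexes, literals = compile_ban_list(entries)
    blocked = [a for a in pending if is_banned(a, regexes, literals)]
    passed = [a for a in pending if a not in blocked]
    collateral = [m for m in members if is_banned(m, regexes, literals)]
    return blocked, passed, collateral

if __name__ == "__main__":
    blocked, passed, collateral = dry_run(PENDING, MEMBERS, BAN_LIST)
    print("blocked:", blocked)
    print("passed:", passed)
    print("members matching a ban pattern (review before saving):", collateral)
```

A non-empty third list means a pattern also matches a legitimate member address and should be tightened first.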
comment:8 by , 4 years ago
Please see attachment, we are getting hundreds of these subscription requests a week.
Is this mailing list just unlucky, or are others also under sustained attack?
comment:9 by , 4 years ago
From Jukka:
Filtering the incoming mails coming from geoserver-security list mainly hides the issue that we have with the subscription spam. Could it be possible to add recaptcha or anything to stop at least most subscription requests from a robot that some friendly people have obviously hired? The list seems to be handled by mailman and I found some links that feel relevant, like https://www.dragonsreach.it/2018/02/26/adding-recaptcha-v2-support-mailman/.
comment:10 by , 4 years ago
FYI, this mess also affects other lists: stolen email addresses seem to be registered and their respective owners complain about unsolicited subscription to the list managers (incl. me).
comment:11 by , 2 years ago
Is this still an issue? I know we've made several upgrades but we haven't put in recaptcha.
comment:12 by , 21 months ago
Resolution: | → fixed |
---|---|
Status: | new → closed |
Was told by @jive that it can be closed
Anything we can do here? Can we take this list private ...