Fighting Mailman Subscription Spam: The Easy Way

I recently noticed that both of the Mailman setups that I am running are being abused for subscription spam: Bots would automatically attempt to subscribe foreign email addresses to public mailing lists, resulting in a subscription notification being sent to that address. I am still extremely saddened by the fact that this is a thing—whoever sends this spam has no direct benefit and no way of selling anything (they don’t control the content of the message); the only effect is to annoy the owner of that email address, the victim. That seems to be enough for some. :(

Oh, and my servers’ reputation goes down because people mark these emails as spam. So, more than enough reasons to try and stop this.

The Big Guns

My first reaction was to go and look for a way to add a CAPTCHA to the subscription page. Unfortunately, Mailman 2 itself only very recently (with version 2.1.26) gained support for CAPTCHAs, and even that just supports Google’s reCAPTCHA. I am not going to expose my users to Google’s tracking like that, nor am I willing to actively discriminate against people not having Google accounts (reCAPTCHA is much more annoying if Google can’t track you because you are not logged in), so reCAPTCHA was clearly not an option. Instead, the plan was to look at one of the patches that add CAPTCHA support to older versions of Mailman and implement a simple question-and-answer CAPTCHA myself.

Update: I previously claimed Mailman 2 does not support CAPTCHAs at all, which turned out to be incorrect. /Update

Keep It Simple

But then, while just getting started on this and browsing the Mailman sources, I found out about SUBSCRIBE_FORM_SECRET. SUBSCRIBE_FORM_SECRET is a Mailman config option that, once set to a random string, will make Mailman embed a CSRF token into the subscription form. Mailman will also enforce that the form must be submitted at least five seconds after it was generated. Since the bots that have found my servers so far are much less patient than that, just setting SUBSCRIBE_FORM_SECRET was enough to completely get rid of the subscription spam.

So, if you are reading this and running a Mailman installation: Please set SUBSCRIBE_FORM_SECRET and protect your setup against abuse! Just run openssl rand -base64 18 to get some random string, and then add SUBSCRIBE_FORM_SECRET = "<random string here>" to /etc/mailman/mm_cfg.py. It’s really that simple! Just a four-line patch in my Ansible playbook to get this rolled out to all servers. Note that you need to be at least on Mailman 2.1.16 for this to work; all currently supported versions of Debian come with a recent enough version (if you use backports on Debian 7 “Wheezy”).

The more people do this, the more it will help to stop this kind of spam. Or rather, it’ll force the spammers to upgrade their game. I assume eventually I will have to add a CAPTCHA. Or maybe there is a simple and reliable way to migrate to Mailman 3 before that happens—and maybe that will have more reasonable CAPTCHA options, something beyond just reCAPTCHA.

Posted on Ralf's Ramblings on Jun 2, 2018.
Comments? Drop me a mail!