[OSGeo] #2463: geoserver-security under sustained access request attack

#2463: geoserver-security under sustained access request attack
---------------------------+-----------------------
 Reporter:  jive           |      Owner:  sac@…
     Type:  task           |     Status:  new
 Priority:  normal         |  Milestone:  Unplanned
Component:  Systems Admin  |   Keywords:
---------------------------+-----------------------
 In the past couple of days we are getting emails sent to `geoserver-
 [hidden email]` of dummy accounts trying to subscribe.

 Is there any way to turn off subscription requests, and manually manage
 the limited list of members?

--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2463>
OSGeo <https://osgeo.org/>
OSGeo committee and general foundation issue tracker.

_______________________________________________
Sac mailing list
[hidden email]
https://lists.osgeo.org/mailman/listinfo/sac

#2463: geoserver-security under sustained access request attack
---------------------------+------------------------
 Reporter:  jive           |       Owner:  sac@…
     Type:  task           |      Status:  new
 Priority:  normal         |   Milestone:  Unplanned
Component:  Systems Admin  |  Resolution:
 Keywords:                 |
---------------------------+------------------------

Comment (by jive):

 Anything we can do here? Can we take this list private ...

--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2463#comment:1>

Comment (by strk):

 The mailing list owner, I think, can do that from the admin panel

--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2463#comment:2>

#2463: geoserver-security under sustained access request attack
---------------------------+------------------------
 Reporter:  jive           |       Owner:  jsanz
     Type:  task           |      Status:  new
 Priority:  normal         |   Milestone:  Unplanned
Component:  Mailing Lists  |  Resolution:
 Keywords:                 |
---------------------------+------------------------
Changes (by wildintellect):

 * owner:  sac@… => jsanz
 * component:  Systems Admin => Mailing Lists


--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2463#comment:3>

Comment (by jsanz):

 Options for admins are available at

 https://lists.osgeo.org/mailman/admin/geoserver-security/privacy

 You can remove the list from being advertised in the mailman lists
 frontpage, and maybe you can also add the confirm step, but as far as I
 know there isn't a way to fully remove the subscription procedure and move
 mailman to an "invitation-only" workflow.

 Please let me know if you want me to change those settings for you.

--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2463#comment:4>

Comment (by strk):

 I found an old thread saying this is NOT possible with Mailman
 (to confirm what jsanz is saying):
 https://mail.python.org/pipermail/mailman-users/2010-September/070226.html

 As this was 10 years ago I wonder if things changed...

 Anyway, it's Python software, maybe we can implement that change.
 Pythonists reading this?

--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2463#comment:5>

Comment (by strk):

 Another option seems to be tweaking the subscription template:
 https://mail.python.org/pipermail/mailman-users/2005-October/047223.html

--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2463#comment:6>

Comment (by jsanz):

 Also, worth noting that you can add regular expressions to the ban list to
 entirely remove email domains.

 https://lists.osgeo.org/mailman/admin/geoserver-security/?VARHELP=privacy/subscribing/ban_list

--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2463#comment:7>
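
A way to dry-run ban list entries before pasting them into the `ban_list` setting linked in the comment above, added here as an example (it is not part of the ticket and not Mailman's own code). It assumes Mailman 2.1's documented rule that an entry starting with `^` is a regular expression and any other entry is a literal address; every address and pattern below is constructed.

```python
import re

def matching_entry(address, ban_list):
    """Return the first ban_list entry that matches address, or None.

    Simplified model (assumption): an entry starting with '^' is a
    case-insensitive regex; any other entry is a literal address.
    """
    addr = address.strip()
    for entry in (e.strip() for e in ban_list):
        if not entry:
            continue
        if entry.startswith("^"):
            if re.search(entry, addr, re.IGNORECASE):
                return entry
        elif entry.lower() == addr.lower():
            return entry
    return None

def dry_run(ban_list, pending, members):
    """Return (blocked, allowed, collateral) for a candidate ban list.

    collateral maps each existing member that would also be banned to
    the entry responsible, so over-broad patterns show up before use.
    """
    blocked = [a for a in pending if matching_entry(a, ban_list)]
    allowed = [a for a in pending if not matching_entry(a, ban_list)]
    hits = ((m, matching_entry(m, ban_list)) for m in members)
    return blocked, allowed, {m: e for m, e in hits if e}

# Constructed sample data; none of it comes from the ticket.
PENDING = ["a1b2c3@bulk-mail.example", "x@node7.spam.example",
           "KNOWN-BOT@mail.example", "researcher@university.example"]
MEMBERS = ["maintainer@university.example", "dev@corp-example.org"]
STRICT = [r"^.*@bulk-mail\.example$",       # one domain, dot escaped, '$' anchored
          r"^.*@(.*\.)?spam\.example$",     # domain plus any subdomain
          "known-bot@mail.example"]         # literal address
CARELESS = STRICT + [r"^.*@corp.example"]   # unescaped dot, no '$'

if __name__ == "__main__":
    for name, bans in (("STRICT", STRICT), ("CARELESS", CARELESS)):
        blocked, allowed, collateral = dry_run(bans, PENDING, MEMBERS)
        print(name, "blocked:", blocked)
        print(name, "allowed:", allowed)
        print(name, "members also banned:", collateral)
```

The careless entry shows the usual failure: without an escaped dot and a trailing `$`, a pattern meant for one domain also catches a legitimate member at a similarly named one.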

Changes (by jive):

 * Attachment "many.png" added.

 many.png

--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2463>

Comment (by jive):

 Please see attachment, we are getting hundreds of these subscription
 requests a week.

 Is this mailing list just unlucky, or are others also under sustained
 attack?

--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2463#comment:8>

Comment (by jive):

 From Jukka:

 > Filtering the incoming mails coming from geoserver-security list mainly
 > hides the issue that we have with the subscription spam. Could it be
 > possible to add recaptcha or anything to stop at least most subscription
 > requests from a robot that some friendly people have obviously hired? The
 > list seems to be handled by mailman and I found some links that feel
 > relevant, like
 > https://www.dragonsreach.it/2018/02/26/adding-recaptcha-v2-support-mailman/.

--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2463#comment:9>

Comment (by neteler):

 FYI, this mess also affects other lists: stolen email addresses seem to be
 registered and their respective owners complain about unsolicited
 subscription to the list managers (incl. me).

--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2463#comment:10>