authorMark Sapiro <mark@msapiro.net>2020-06-10 15:04:26 -0700
committerMark Sapiro <mark@msapiro.net>2020-06-10 15:04:26 -0700
commit6fac67d23d53d2bb46b300e53a33da1c8f09cb86 (patch)
tree56451f0b82181a2dcd76690fe2e883f696e377d9
parentbc7fdf4c5fb688ae62e48e614bc285bdcd805ffc (diff)
Implement WARN_MEMBER_OF_SUBSCRIBE subscribe setting.
-rw-r--r--Mailman/Cgi/subscribe.py1
-rwxr-xr-xMailman/Defaults.py.in4
-rw-r--r--NEWS4
3 files changed, 9 insertions, 0 deletions
diff --git a/Mailman/Cgi/subscribe.py b/Mailman/Cgi/subscribe.py
index 795fc81b..ca218737 100644
--- a/Mailman/Cgi/subscribe.py
+++ b/Mailman/Cgi/subscribe.py
@@ -300,6 +300,7 @@ moderator's decision when they get to your request.""")
results = _('You are already subscribed.')
else:
results = privacy_results
+ if privacy_results and mm_cfg.WARN_MEMBER_OF_SUBSCRIBE:
# This could be a membership probe. For safety, let the user know
# a probe occurred. BAW: should we inform the list moderator?
listaddr = mlist.GetListEmail()
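Review bot: When `WARN_MEMBER_OF_SUBSCRIBE` is No, the added condition skips the member warning and, as far as this hunk shows, nothing else records that a subscribe attempt hit an existing member of a private-roster list. The existing comment already calls this a possible membership probe, so turning the warning off also removes the only visible signal of one. Consider an `else` branch that writes the attempt to one of the Mailman logs, if a logger is in scope in this module, so the site admin can still see repeated attempts against the same address. The comment could also say so, e.g. `# If WARN_MEMBER_OF_SUBSCRIBE is No the member is not notified of the probe.` The enclosing block starts and ends outside the hunk, and indentation is not visible here, so the exact nesting of the new `if` is inferred.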
diff --git a/Mailman/Defaults.py.in b/Mailman/Defaults.py.in
index e5d8b3cf..fea5dcf1 100755
--- a/Mailman/Defaults.py.in
+++ b/Mailman/Defaults.py.in
@@ -1130,6 +1130,10 @@ ANONYMOUS_LIST_KEEP_HEADERS = ['^(?!x-)', '^x-mailman-',
# request email, she has to wait PENDING_REQUEST_LIFE (default 3 days) before
# she can request another. This setting also applies to repeated unsubscribes.
REFUSE_SECOND_PENDING = No
+# Mailbombing of a list member of a list with private rosters can occur with
+# repeated subscribe attempts resulting in repeated user warnings. Set the
+# following to No to supress the user warnings.
+WARN_MEMBER_OF_SUBSCRIBE = Yes
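Review bot: The added comment misspells "suppress" as "supress", and it does not state what an admin gives up by setting this to No. Judging by the "membership probe" comment in the subscribe.py hunk, the warning being disabled is the notice a member gets when someone tries to subscribe their address, so the trade-off belongs next to the setting. Suggested last sentence: `# following to No to suppress the user warnings; members will then not be` / `# told about subscribe attempts made with their address.`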
diff --git a/NEWS b/NEWS
index 692731a1..8a9e2b85 100644
--- a/NEWS
+++ b/NEWS
@@ -20,6 +20,10 @@ Here is a history of user visible changes to Mailman.
- DMARC mitigation no longer misses if the domain name returned by DNS
contains upper case. (LP: #1881035)
+ - A new WARN_MEMBER_OF_SUBSCRIBE setting can be set to No to prevent
+ mailbombing of a member of a list with private rosters by repeated
+ subscribe attempts. (LP: #1883017)
+
2.1.33 (07-May-2020)
Security