From 6fac67d23d53d2bb46b300e53a33da1c8f09cb86 Mon Sep 17 00:00:00 2001
From: Mark Sapiro
Date: Wed, 10 Jun 2020 15:04:26 -0700
Subject: Implement WARN_MEMBER_OF_SUBSCRIBE subscribe setting.
---
 Mailman/Cgi/subscribe.py | 1 +
 Mailman/Defaults.py.in | 4 ++++
 NEWS | 4 ++++
 3 files changed, 9 insertions(+)
diff --git a/Mailman/Cgi/subscribe.py b/Mailman/Cgi/subscribe.py
index 795fc81b..ca218737 100644
--- a/Mailman/Cgi/subscribe.py
+++ b/Mailman/Cgi/subscribe.py
@@ -300,6 +300,7 @@ moderator's decision when they get to your request.""")
 results = _('You are already subscribed.')
 else:
 results = privacy_results
+ if privacy_results and mm_cfg.WARN_MEMBER_OF_SUBSCRIBE:
 # This could be a membership probe. For safety, let the user know
 # a probe occurred. BAW: should we inform the list moderator?
 listaddr = mlist.GetListEmail()
diff --git a/Mailman/Defaults.py.in b/Mailman/Defaults.py.in
index e5d8b3cf..fea5dcf1 100755
--- a/Mailman/Defaults.py.in
+++ b/Mailman/Defaults.py.in
@@ -1130,6 +1130,10 @@ ANONYMOUS_LIST_KEEP_HEADERS = ['^(?!x-)', '^x-mailman-',
 # request email, she has to wait PENDING_REQUEST_LIFE (default 3 days) before
 # she can request another. This setting also applies to repeated unsubscribes.
 REFUSE_SECOND_PENDING = No
+# Mailbombing of a list member of a list with private rosters can occur with
+# repeated subscribe attempts resulting in repeated user warnings. Set the
+# following to No to supress the user warnings.
+WARN_MEMBER_OF_SUBSCRIBE = Yes
diff --git a/NEWS b/NEWS
index 692731a1..8a9e2b85 100644
--- a/NEWS
+++ b/NEWS
@@ -20,6 +20,10 @@ Here is a history of user visible changes to Mailman.
 - DMARC mitigation no longer misses if the domain name returned by DNS contains upper case. (LP: #1881035)
+ - A new WARN_MEMBER_OF_SUBSCRIBE setting can be set to No to prevent
+ mailbombing of a member of a list with private rosters by repeated
+ subscribe attempts. (LP: #1883017)
+
 2.1.33 (07-May-2020)
 Security
--
cgit v1.2.3
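Review bot: When `mm_cfg.WARN_MEMBER_OF_SUBSCRIBE` is set to No, the new `if privacy_results and mm_cfg.WARN_MEMBER_OF_SUBSCRIBE:` branch in Mailman/Cgi/subscribe.py is skipped and, as far as this hunk shows, nothing else records that a subscribe attempt hit an existing member of a private-roster list. The member notice and any trace of the probe therefore disappear together, and the retained comment still leaves `BAW: should we inform the list moderator?` unanswered. Consider keeping an admin-visible record in the suppressed case, for example `elif privacy_results:` followed by `syslog('mischief', 'subscribe attempt for existing member on %s', mlist.internal_name())`, assuming `syslog` is imported in this module as it is elsewhere in Mailman's CGI code. The enclosing function starts and ends outside the hunk, so any later handling of this case is not visible here.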
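Review bot: The comment added above `WARN_MEMBER_OF_SUBSCRIBE = Yes` in Mailman/Defaults.py.in names the mailbombing risk but not what a site gives up by setting it to No. Judging from the subscribe.py hunk, the warning appears to be the member's only notice that someone tried to subscribe their address to a private-roster list, so the setting trades probe visibility for mailbomb resistance. The comment also misspells "suppress". Suggested wording for its last lines: `# following to No to suppress the user warnings. Members will then receive` and `# no notice when someone attempts to subscribe their address.` Because the default stays Yes, existing sites keep the repeated-warning behaviour until an admin opts out, which the comment could say explicitly.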