#2463: geoserver-security under sustained access request attack
---------------------------+-----------------------
Reporter: jive | Owner: sac@…
Type: task | Status: new
Priority: normal | Milestone: Unplanned
Component: Systems Admin | Keywords:
---------------------------+-----------------------
In the past couple of days we are getting emails sent to
`geoserver-security-owner@lists.osgeo.org` of dummy accounts trying to subscribe.
Is there any way to turn off subscription requests, and manually manage
the limited list of members?
--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2463>
OSGeo <https://osgeo.org/>
OSGeo committee and general foundation issue tracker.
#2463: geoserver-security under sustained access request attack
---------------------------+------------------------
Reporter: jive | Owner: sac@…
Type: task | Status: new
Priority: normal | Milestone: Unplanned
Component: Systems Admin | Resolution:
Keywords: |
---------------------------+------------------------
Comment (by jive):
Anything we can do here? Can we take this list private ...
--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2463#comment:1>
#2463: geoserver-security under sustained access request attack
---------------------------+------------------------
Reporter: jive | Owner: sac@…
Type: task | Status: new
Priority: normal | Milestone: Unplanned
Component: Systems Admin | Resolution:
Keywords: |
---------------------------+------------------------
Comment (by strk):
The mailing list owner, I think, can do that from the admin panel
--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2463#comment:2>
#2463: geoserver-security under sustained access request attack
---------------------------+------------------------
Reporter: jive | Owner: jsanz
Type: task | Status: new
Priority: normal | Milestone: Unplanned
Component: Mailing Lists | Resolution:
Keywords: |
---------------------------+------------------------
Changes (by wildintellect):
* owner: sac@… => jsanz
* component: Systems Admin => Mailing Lists
--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2463#comment:3>
#2463: geoserver-security under sustained access request attack
---------------------------+------------------------
Reporter: jive | Owner: jsanz
Type: task | Status: new
Priority: normal | Milestone: Unplanned
Component: Mailing Lists | Resolution:
Keywords: |
---------------------------+------------------------
Comment (by jsanz):
Options for admins are available at
https://lists.osgeo.org/mailman/admin/geoserver-security/privacy
You can remove the list from being advertised in the mailman lists
frontpage, and maybe you can also add the confirm step, but as far as I
know there isn't a way to fully remove the subscription procedure and move
mailman to an "invitation-only" workflow.
Please let me know if you want me to change those settings for you.
--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2463#comment:4>
#2463: geoserver-security under sustained access request attack
---------------------------+------------------------
Reporter: jive | Owner: jsanz
Type: task | Status: new
Priority: normal | Milestone: Unplanned
Component: Mailing Lists | Resolution:
Keywords: |
---------------------------+------------------------
Comment (by strk):
I found an old thread saying this is NOT possible with Mailman
(to confirm what jsanz is saying):
https://mail.python.org/pipermail/mailman-users/2010-September/070226.html
As this was 10 years ago I wonder if things changed...
Anyway, it's Python software, maybe we can implement that change.
Pythonists reading this?
--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2463#comment:5>
#2463: geoserver-security under sustained access request attack
---------------------------+------------------------
Reporter: jive | Owner: jsanz
Type: task | Status: new
Priority: normal | Milestone: Unplanned
Component: Mailing Lists | Resolution:
Keywords: |
---------------------------+------------------------
Comment (by strk):
Another option seems to be tweaking the subscription template:
https://mail.python.org/pipermail/mailman-users/2005-October/047223.html
--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2463#comment:6>
#2463: geoserver-security under sustained access request attack
---------------------------+------------------------
Reporter: jive | Owner: jsanz
Type: task | Status: new
Priority: normal | Milestone: Unplanned
Component: Mailing Lists | Resolution:
Keywords: |
---------------------------+------------------------
Comment (by jsanz):
Also, worth noting that you can add regular expressions to the ban list to
entirely remove email domains.
https://lists.osgeo.org/mailman/admin/geoserver-security/?VARHELP=privacy/subscribing/ban_list
--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2463#comment:7>
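As an added illustration of how a ban list like the one jsanz points to is evaluated (example code written for this ticket, not Mailman's own code): each entry is treated the way Mailman 2's `ban_list` help describes, a line starting with `^` is a regular expression and anything else is a literal address, with the assumption that both are matched case-insensitively. The ban entries and the sample subscription requests are constructed for the example and are not real addresses.

```python
import re

# Constructed ban list in the style of privacy/subscribing/ban_list
# (assumption: '^' prefix = regex, otherwise a literal address;
# both compared case-insensitively). Domains are made up.
BAN_LIST = [
    r"^.*@throwaway-example\.invalid$",        # ban a whole domain
    r"^.*@mail\.throwaway-example\.invalid$",  # ...and a subdomain
    "known-spammer@example.invalid",           # ban one literal address
]


def is_banned(address, ban_list=BAN_LIST):
    """Return True if the address matches any ban-list entry."""
    address = address.strip()
    for entry in ban_list:
        entry = entry.strip()
        if not entry:
            continue
        if entry.startswith("^"):
            try:
                if re.search(entry, address, re.IGNORECASE):
                    return True
            except re.error:
                # A malformed regex must neither crash the check nor
                # accept everything: skip it and keep evaluating the rest.
                continue
        elif entry.lower() == address.lower():
            return True
    return False


def triage(requests, ban_list=BAN_LIST):
    """Split a batch of pending subscription requests into banned/allowed."""
    banned, allowed = [], []
    for addr in requests:
        (banned if is_banned(addr, ban_list) else allowed).append(addr)
    return banned, allowed


# Constructed sample of one day's subscription requests (not real data).
SAMPLE_REQUESTS = [
    "Alice.Real@osgeo-member.example",
    "bot001@throwaway-example.invalid",
    "BOT002@Mail.Throwaway-Example.INVALID",
    "known-spammer@example.invalid",
    "bob@example.invalid",
]

if __name__ == "__main__":
    banned, allowed = triage(SAMPLE_REQUESTS)
    print("banned %d: %s" % (len(banned), banned))
    print("allowed %d: %s" % (len(allowed), allowed))
```

Running the script over the constructed sample rejects the three throwaway/literal entries and lets the two legitimate-looking addresses through to the normal confirmation step.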
#2463: geoserver-security under sustained access request attack
---------------------------+------------------------
Reporter: jive | Owner: jsanz
Type: task | Status: new
Priority: normal | Milestone: Unplanned
Component: Mailing Lists | Resolution:
Keywords: |
---------------------------+------------------------
Changes (by jive):
* Attachment "many.png" added.
--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2463>
#2463: geoserver-security under sustained access request attack
---------------------------+------------------------
Reporter: jive | Owner: jsanz
Type: task | Status: new
Priority: normal | Milestone: Unplanned
Component: Mailing Lists | Resolution:
Keywords: |
---------------------------+------------------------
Comment (by jive):
Please see attachment, we are getting hundreds of these subscription
requests a week.
Is this mailing list just unlucky, or are others also under sustained
attack?
--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2463#comment:8>
#2463: geoserver-security under sustained access request attack
---------------------------+------------------------
Reporter: jive | Owner: jsanz
Type: task | Status: new
Priority: normal | Milestone: Unplanned
Component: Mailing Lists | Resolution:
Keywords: |
---------------------------+------------------------
Comment (by jive):
From Jukka:
> Filtering the incoming mails coming from geoserver-security list mainly
> hides the issue that we have with the subscription spam. Could it be
> possible to add recaptcha or anything to stop at least most subscription
> requests from a robot that some friendly people have obviously hired? The
> list seems to be handled by mailman and I found some links that feel
> relevant, like
> https://www.dragonsreach.it/2018/02/26/adding-recaptcha-v2-support-mailman/.
--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2463#comment:9>
#2463: geoserver-security under sustained access request attack
---------------------------+------------------------
Reporter: jive | Owner: jsanz
Type: task | Status: new
Priority: normal | Milestone: Unplanned
Component: Mailing Lists | Resolution:
Keywords: |
---------------------------+------------------------
Comment (by neteler):
FYI, this mess also affects other lists: stolen email addresses seem to be
registered and their respective owners complain about unsolicited
subscription to the list managers (incl. me).
--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2463#comment:10>
#2463: geoserver-security under sustained access request attack
-----------------------------------+------------------------
Reporter: jive | Owner: jsanz
Type: task | Status: new
Priority: normal | Milestone: Unplanned
Component: Mails & Mailing Lists | Resolution:
Keywords: |
-----------------------------------+------------------------
Comment (by robe):
Is this still an issue? I know we've made several upgrades but we haven't
put in recaptcha.
--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2463#comment:11>
#2463: geoserver-security under sustained access request attack
-----------------------------------+------------------------
Reporter: jive | Owner: jsanz
Type: task | Status: closed
Priority: normal | Milestone: Unplanned
Component: Mails & Mailing Lists | Resolution: fixed
Keywords: |
-----------------------------------+------------------------
Changes (by cvvergara):
* status: new => closed
* resolution: => fixed
Comment:
Was told by @jive that it can be closed
--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2463#comment:12>