DOS vulnerability, gmail and yahoo

Karl Semich 0xloem at gmail.com
Tue Sep 19 09:30:11 PDT 2023


Hi mailman-users,

So you know, it looks like there is a vulnerability with mailman
2 where a third party can very aggressively spoof password reminder,
unsubscription, or other requests using the web interface, queueing
tens of thousands of unsolicited messages to any given subscriber.

Worse, if this is done to a user of gmail or yahoo, the receiving
hosts may block the mail server's IP address generally, preventing the delivery
of legitimate list content to other subscribers using the same
provider.

There should probably be a rate limit on the web interface, although I
understand mailman 2 is no longer developed.
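The rate limit suggested above, sketched as an added example that is not part of this message or of Mailman's own code: a sliding-window limiter applied to web actions that trigger unsolicited mail (password reminders, unsubscribe confirmations), keyed both on the requesting client address and on the target subscriber, so that a burst from many sources against one subscriber is still stopped. The class names, quotas and the `denied` log are assumptions chosen for illustration.

```python
"""Sliding-window rate limiter for mail-triggering web actions.

Hypothetical example, not Mailman code. Two limiters are consulted before a
reminder or confirmation is queued:
  - per requesting client address (stops one abusive client outright)
  - per target subscriber address (stops many clients ganging up on one inbox,
    which is what gets the list host blocked by large providers)
"""
from collections import defaultdict, deque
import time


class SlidingWindowLimiter:
    """Allows at most max_events per key within any window_seconds span."""

    def __init__(self, max_events, window_seconds):
        self.max_events = max_events
        self.window = window_seconds
        self._events = defaultdict(deque)  # key -> timestamps of recent events

    def allow(self, key, now=None):
        """Return True and record the event if key is still under its quota."""
        now = time.monotonic() if now is None else now
        q = self._events[key]
        cutoff = now - self.window
        # Drop timestamps that have aged out of the window.
        while q and q[0] <= cutoff:
            q.popleft()
        if len(q) >= self.max_events:
            return False
        q.append(now)
        return True


class MailTriggerGuard:
    """Gate in front of any handler that queues mail to a subscriber on request."""

    def __init__(self, per_source=(20, 3600), per_recipient=(3, 3600)):
        # Assumed quotas: 20 requests/hour per client, 3 mails/hour per inbox.
        self.by_source = SlidingWindowLimiter(*per_source)
        self.by_recipient = SlidingWindowLimiter(*per_recipient)
        self.denied = []  # (timestamp, source_ip, recipient, reason) for monitoring

    def check(self, source_ip, recipient, now=None):
        """Return (allowed, reason). Only queue mail when allowed is True."""
        now = time.monotonic() if now is None else now
        # Normalise so case variants of one address share a bucket.
        recipient = recipient.strip().lower()
        if not self.by_source.allow(source_ip, now):
            self.denied.append((now, source_ip, recipient, "source-limit"))
            return False, "source-limit"
        if not self.by_recipient.allow(recipient, now):
            self.denied.append((now, source_ip, recipient, "recipient-limit"))
            return False, "recipient-limit"
        return True, "ok"


def demo():
    """Constructed scenario: four clients request reminders for one subscriber."""
    guard = MailTriggerGuard()
    t = 1000.0
    results = []
    for i, ip in enumerate(["198.51.100.1", "198.51.100.2",
                            "198.51.100.3", "198.51.100.4"]):
        results.append(guard.check(ip, "subscriber@example.com", now=t + i))
    return results


if __name__ == "__main__":
    for allowed, reason in demo():
        print(allowed, reason)
```

Denied requests are recorded rather than silently dropped, so a spike in `recipient-limit` entries for one address is itself a detection signal worth alerting on; the web handler should return the same neutral response whether or not the mail was actually queued.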

