20 Sep 2023, 1:30 a.m.
Hi mailman-users,

So you know, it looks like there is a vulnerability with Mailman 2 where a third party can very aggressively spoof password reminder, unsubscription, or other requests using the web interface, queueing tens of thousands of unsolicited messages to any given subscriber. Worse, if this is done to a user of Gmail or Yahoo, the receiving hosts may block the mail server's IP address generally, preventing the delivery of legitimate list content to other subscribers using the same provider. There should probably be a rate limit on the web interface, although I understand Mailman 2 is no longer developed.
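As an added example (not part of the original post or of Mailman itself), the following script shows how a list administrator could spot the flooding described above from the web server's access log: it counts POSTs per client address to the member options CGI within a sliding window and flags sources that exceed a threshold. The `/mailman/options/<list>` path, the log format and the sample log lines are all assumptions constructed for the demonstration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed Mailman 2 CGI path where the password-reminder and
# unsubscribe forms are submitted; adjust to your installation.
OPTIONS_PATH_RE = re.compile(r'"POST /mailman/options/[^ "]+')
# Common/combined access-log prefix: client, ident, user, [timestamp], "request"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] (?P<req>"[^"]*")')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log: one client posts 8 times in 35 seconds,
# another makes a normal listinfo view and a single options post.
SAMPLE_LOG = [
    f'203.0.113.9 - - [20/Sep/2023:01:30:{s:02d} +0000] '
    f'"POST /mailman/options/mylist HTTP/1.1" 200 512'
    for s in range(0, 40, 5)
] + [
    '198.51.100.4 - - [20/Sep/2023:01:31:00 +0000] '
    '"GET /mailman/listinfo/mylist HTTP/1.1" 200 2048',
    '198.51.100.4 - - [20/Sep/2023:01:31:10 +0000] '
    '"POST /mailman/options/mylist HTTP/1.1" 200 512',
]


def flood_sources(log_lines, limit=5, window_s=60):
    """Return {ip: peak_count} for clients that submitted more than `limit`
    POSTs to the options CGI inside any `window_s`-second sliding window."""
    recent = defaultdict(deque)   # ip -> timestamps of recent options POSTs
    flagged = {}
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or not OPTIONS_PATH_RE.match(m["req"]):
            continue                      # not an options-form submission
        ts = datetime.strptime(m["ts"], TS_FMT)
        q = recent[m["ip"]]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()                   # drop entries outside the window
        if len(q) > limit:
            flagged[m["ip"]] = max(flagged.get(m["ip"], 0), len(q))
    return flagged


if __name__ == "__main__":
    for ip, n in flood_sources(SAMPLE_LOG).items():
        print(f"{ip}: {n} options-form POSTs within 60s")
```

The access log only shows the submitting client, not the targeted subscriber address in the form body, so a per-recipient limit has to be enforced in the web interface itself, as the post suggests.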