IMPORTANT NOTICE - Subscription to Mailman lists disabled immediately


IMPORTANT NOTICE - Subscription to Mailman lists disabled immediately

Manas via cfe-dev
All,

We need to immediately disable subscription capabilities to all LLVM Mailman lists.

The current Mailman server is being abused by subscribing valid email addresses to our lists and because the list requires confirmation, the email address gets “spam”. An email address is subscribed upwards of 100 times in a short period of time in many cases. AWS has threatened to turn off our instance unless we take immediate action. Given the time frame of the situation (24 hours to resolve), we have no choice but to disable all new subscription capabilities as we can not distinguish between a real subscription attempt versus the abuse. 

Those currently subscribed should see no changes or impact to their workflow. 

I am sure this raises a lot of questions for the LLVM community and we are working hard and as quickly as possible on a permanent solution to this situation.

Thanks,
Tanya Lattner
LLVM Foundation


_______________________________________________
cfe-dev mailing list
[hidden email]
https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-dev

Re: IMPORTANT NOTICE - Subscription to Mailman lists disabled immediately

Manas via cfe-dev
On 3/5/21 4:54 PM, Tanya Lattner via cfe-dev wrote:

> All,
>
> We need to immediately disable subscription capabilities to all LLVM Mailman
> lists.
>
> The current Mailman server is being abused by subscribing valid email addresses
> to our lists and because the list requires confirmation, the email address gets
> “spam”. An email address is subscribed upwards of 100 times in a short
> period of time in many cases. AWS has threatened to turn off our instance
> unless we take immediate action. Given the time frame of the situation (24
> hours to resolve), we have no choice but to disable all new subscription
> capabilities as we can not distinguish between a real subscription attempt
> versus the abuse.
In the future, could this be prevented by requiring subscriptions to be by
DKIM-authenticated email, and imposing a rate limit on new subscriptions per
email address?  I wonder if this is actually a backscatter vulnerability in
Mailman.

> Those currently subscribed should see no changes or impact to their workflow.
>
> I am sure this raises a lot of questions for the LLVM community and we
> are working hard and as quickly as possible on a permanent solution to
> this situation.
>
> Thanks,
> Tanya Lattner
> LLVM Foundation



_______________________________________________
cfe-dev mailing list
[hidden email]
https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-dev
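
The per-address rate limit suggested in the reply above, sketched as an added example (it is not part of the thread and is not Mailman code). The limit, window, class and function names, and sample addresses are assumptions; the DKIM check is not covered.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 3600   # assumed sliding window
MAX_CONFIRMATIONS = 3   # assumed cap on confirmation mails per address per window


def normalize(address):
    """Fold case and whitespace so trivial variants share one bucket."""
    return address.strip().lower()


class ConfirmationThrottle:
    """Caps confirmation mails per target address, across all lists."""

    def __init__(self, limit=MAX_CONFIRMATIONS, window=WINDOW_SECONDS):
        self.limit = limit
        self.window = window
        self.sent = defaultdict(deque)       # address -> send timestamps
        self.suppressed = defaultdict(int)   # address -> dropped requests

    def allow(self, address, now):
        """Return True if a confirmation mail may be sent at time `now`."""
        key = normalize(address)
        stamps = self.sent[key]
        while stamps and now - stamps[0] >= self.window:
            stamps.popleft()                 # forget sends outside the window
        if len(stamps) >= self.limit:
            self.suppressed[key] += 1        # drop silently, keep a count
            return False
        stamps.append(now)
        return True

    def targeted(self, threshold):
        """Addresses with at least `threshold` suppressed requests."""
        return sorted(a for a, n in self.suppressed.items() if n >= threshold)


def replay(requests, throttle):
    """Feed (timestamp, address) requests in time order; count mails sent."""
    return sum(throttle.allow(addr, ts) for ts, addr in sorted(requests))


# Constructed sample: one address subscribed 100 times in about eight
# minutes, one ordinary subscriber, and a later retry after the window.
REQUESTS = [(i * 5, "Victim@example.org") for i in range(100)]
REQUESTS += [(10, "dev@example.net"), (4000, "victim@example.org")]
```

The suppressed counter doubles as a detection signal: an address with many dropped requests is being targeted rather than subscribing.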
