Dailydave mailing list archives
Re: disregard - one more test, sorry
From: Dave Aitel <dave () immunitysec com>
Date: Wed, 14 Sep 2005 08:21:29 -0400
Nick Drage wrote:
> On Fri, Sep 09, 2005 at 10:02:01AM -0400, Dave Aitel wrote:
>> We're testing the Bounce handler in mailman. Apparently you can DoS[1] a mailman instance by signing a thousand people up to a list (which we did by mistake) then having those thousand people placed into the bounce queue. This makes mailman's bounce handler grow to use approximately one gig of ram and all the CPU. To fix this, you need (it turns out) to set the bounce handling to "on each bounce, just disable/unsubscribe that person". However, while the bounce handler is doing its painful dance, the administrative interface is only accessible by shutting down mailman (via killall -9 python).
>
> If you set this up wouldn't it then be relatively trivial to just unsubscribe/disable every subscriber to the list, as bounce messages are much easier to fake than unsubscribe confirmations?
Any user that's posted, yes. I looked for the option to have all emailed GPG signed, but didn't see one. :>
-dave