[cfe-dev] IMPORTANT NOTICE - Subscription to Mailman lists disabled immediately

Demi M. Obenour via cfe-dev cfe-dev at lists.llvm.org
Sat Mar 6 13:02:51 PST 2021


On 3/5/21 4:54 PM, Tanya Lattner via cfe-dev wrote:
> All,
> 
> We need to immediately disable subscription capabilities to all LLVM Mailman
> lists.
> 
> The current Mailman server is being abused by subscribing valid email addresses
> to our lists and because the list requires confirmation, the email address gets
> “spam”. An email address is subscribed upwards of 100 times in a short
> period of time in many cases. AWS has threatened to turn off our instance
> unless we take immediate action. Given the time frame of the situation (24
> hours to resolve), we have no choice but to disable all new subscription
> capabilities as we cannot distinguish between a real subscription attempt
> versus the abuse.

In the future, could this be prevented by requiring subscriptions to be by
DKIM-authenticated email, and imposing a rate limit on new subscriptions per
email address?  I wonder if this is actually a backscatter vulnerability in
Mailman.

> Those currently subscribed should see no changes or impact to their workflow.
> 
> I am sure this raises a lot of questions for the LLVM community and we
> are working hard and as quickly as possible on a permanent solution to
> this situation.
> 
> Thanks,
> Tanya Lattner
> LLVM Foundation
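
A sketch of the two controls proposed in the reply above, written as an added example (not Mailman code and not from either poster): a subscription request by email is answered only if the receiving MTA recorded a DKIM pass for the From: domain, and each address gets a bounded number of confirmations per window. The authserv-id `mx.example.org`, the limits, and the names `dkim_aligned` and `SubscriptionGate` are assumptions.

```python
import re
import time
from collections import defaultdict, deque
from email import message_from_string
from email.utils import parseaddr

TRUSTED_AUTHSERV = "mx.example.org"  # assumption: authserv-id of our own MTA
MAX_REQUESTS = 3                     # assumption: confirmations per window
WINDOW_SECONDS = 3600
# Constructed sample request, as it would look after our MTA stamped it.
SAMPLE = ("From: alice@example.com\n"
          "Authentication-Results: mx.example.org; dkim=pass header.d=example.com\n"
          "Subject: subscribe\n\nsubscribe\n")

def dkim_aligned(msg):
    """True if our MTA recorded dkim=pass for exactly the From: domain."""
    _, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    if not from_domain:
        return False
    for header in msg.get_all("Authentication-Results", []):
        authserv, _, results = header.partition(";")
        if authserv.strip().lower() != TRUSTED_AUTHSERV:
            continue  # a header we did not add proves nothing
        for result in results.split(";"):
            if re.search(r"\bdkim\s*=\s*pass\b", result, re.I):
                m = re.search(r"\bheader\.d\s*=\s*([\w.-]+)", result, re.I)
                if m and m.group(1).lower() == from_domain:
                    return True
    return False

class SubscriptionGate:
    """Decides whether a subscribe request may trigger a confirmation mail."""
    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._seen = defaultdict(deque)  # address -> request timestamps

    def decide(self, raw_message):
        msg = message_from_string(raw_message)
        if not dkim_aligned(msg):
            return "drop"  # reply to nobody, so no backscatter is generated
        addr = parseaddr(msg["From"])[1].lower()
        now, hits = self._clock(), self._seen[addr]
        while hits and now - hits[0] >= WINDOW_SECONDS:
            hits.popleft()  # forget requests older than the window
        if len(hits) >= MAX_REQUESTS:
            return "rate_limited"
        hits.append(now)
        return "send_confirmation"
```

Dropping unauthenticated requests silently matters as much as the rate limit: any automatic reply to an unverified sender is itself the backscatter channel.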

