Can creating too many Django accounts crash Mailman3 server?
Hi,
It seems anybody can go to the site: https://LISTSERVNAME/mailman3/postorius/lists/ and click on the [Sign up] on the top-right corner and create an account. This can easily be automated, even if the next step, confirming the email address, is ignored. I believe it can be used as a target for a DOS attack by creating so many accounts that it eventually causes an 'out of space' error.
Is this a justified concern? Is there a way to manage this feature in a secure way?
Best regards,
Mohsen Masoudfar
Lead System Analyst, IT Operation
American Association for the Advancement of Science
1200 New York Ave, NW, Washington, DC 20005
202-326-7087
On 9/14/20 10:54 AM, Mohsen Masoudfar wrote:
> It seems anybody can go to the site: https://LISTSERVNAME/mailman3/postorius/lists/ and click on the [Sign up] on the top-right corner and create an account. This can easily be automated, even if the next step, confirming the email address, is ignored. I believe it can be used as a target for a DOS attack by creating so many accounts that it eventually causes an 'out of space' error.
> Is this a justified concern? Is there a way to manage this feature in a secure way?
We no longer use Django to manage our mailman 3 user registration, but the same concerns that you have are still valid for us. What we do is run a cronjob that purges all unverified accounts once per day. So problem solved for us. Perhaps something like that can be done for Django.
--
Please let me know if you need further assistance.
Thank you for your business. We appreciate our clients.
Brian Carpenter
EMWD.com
--
EMWD's Knowledgebase: https://clientarea.emwd.com/index.php/knowledgebase
EMWD's Community Forums: http://discourse.emwd.com/
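The daily purge Brian describes, as an added example that is not part of this thread or of Mailman's or Postorius's code. It models the selection step of such a cron job in plain Python so it runs offline: each record stands in for a Django user joined with its django-allauth email addresses (in a live deployment the verified flag would come from allauth's `EmailAddress.verified`). It goes a little beyond "purge everything unverified" in two ways that are assumptions of this example, not anything Brian's job necessarily does: a grace period so an account created minutes before the run still gets a chance to confirm, and an optional rule that keeps unverified accounts which already hold a list role. The `list_roles` field and the sample accounts are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


# Constructed stand-in for a Django User row joined with its allauth EmailAddress
# rows. In a live deployment these values would come from the ORM; here they are
# plain fields so the purge policy can be exercised offline.
@dataclass(frozen=True)
class Account:
    username: str
    date_joined: datetime
    email_verified: bool   # True if any address for this user is verified
    list_roles: int = 0    # hypothetical count of subscriptions/owner/moderator roles


def select_unverified_for_purge(accounts, now, grace_days=1, keep_with_roles=True):
    """Return the usernames a daily purge should delete.

    An account is a candidate when no address was ever verified and it is older
    than the grace period. Accounts that already hold a list role are kept
    unless keep_with_roles is False.
    """
    cutoff = now - timedelta(days=grace_days)
    doomed = []
    for acct in accounts:
        if acct.email_verified:
            continue                 # verified users are never touched
        if acct.date_joined > cutoff:
            continue                 # still inside the grace period
        if keep_with_roles and acct.list_roles > 0:
            continue                 # someone gave this account a role; keep it
        doomed.append(acct.username)
    return sorted(doomed)


# Constructed sample data for a run at 2020-09-15 00:00 UTC.
NOW = datetime(2020, 9, 15, tzinfo=timezone.utc)
SAMPLE_ACCOUNTS = [
    Account("fresh-unverified", NOW - timedelta(hours=2), False),
    Account("stale-unverified", NOW - timedelta(days=3), False),
    Account("old-verified", NOW - timedelta(days=30), True),
    Account("stale-with-role", NOW - timedelta(days=3), False, list_roles=1),
]


def purge_report(accounts=SAMPLE_ACCOUNTS, now=NOW):
    """Summarise what the purge would do, the way a cron job log line might."""
    doomed = select_unverified_for_purge(accounts, now)
    return {"checked": len(accounts), "purged": doomed, "kept": len(accounts) - len(doomed)}


if __name__ == "__main__":
    print(purge_report())
```

The grace period is the edge case worth getting right: a purge that runs at midnight and deletes everything unverified will also delete the account someone created at 23:55 before their confirmation mail arrived, which is exactly the "deny service to legitimate users" failure mode discussed later in this thread.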
Mohsen Masoudfar writes:
> It seems anybody can go to the site: https://LISTSERVNAME/mailman3/postorius/lists/ and click on the [Sign up] on the top-right corner and create an account.
Yes.
> This can easily be automated, even if the next step, confirming the email address, is ignored. I believe it can be used as a target for a DOS attack by creating so many accounts that it eventually causes an 'out of space' error.
> Is this a justified concern?
"Justified" depends on who you think the attacker is. Theoretically it's a real possibility, but the space used by an unverified account is not large. I suspect there are always much more painful DoS attacks to worry about.
> Is there a way to manage this feature in a secure way?
In some sense, I don't think there is. The point of the feature is to allow anybody to sign up without authentication beyond having a usable email address. Either you allow the DoS attack or anything you do is likely to deny service to legitimate users.
Brian's approach (cron job purging unverified users) is generally good hygiene, but I don't think it would do much against a deliberate attack. And it shouldn't be hard to automate the confirmation process. I guess you could handle that by purging accounts with no subscriptions or other roles on any lists, but that might annoy a few legitimate users.
Probably the best you could do for an open server would be to throttle user creation to say 1 per minute (adjustable to the scale of your site).
I don't know if there is currently a way to require admin approval for account creation (as opposed to list subscription). Perhaps we should add that if we don't have it.
Steve
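The throttle Steve suggests (account creation capped at roughly one per minute, tunable to the site), as an added example that is not part of this thread or of Postorius/django-allauth. It is a sliding-window limiter in plain Python with the clock passed in, so it runs offline; in a Django deployment it would sit in front of the signup view (middleware or a decorator) and answer refused attempts with HTTP 429 plus the `retry_after` value. Keys are an assumption of this example: `"global"` gives the site-wide cap Steve describes, and a client address as key gives a per-source cap. The burst input is constructed.

```python
from collections import deque


class SignupThrottle:
    """Sliding-window limiter: admit at most `limit` account creations per
    `window` seconds, tracked separately per key."""

    def __init__(self, limit=1, window=60.0):
        self.limit = limit
        self.window = window
        self._hits = {}   # key -> deque of admission timestamps (seconds)

    def _prune(self, key, now):
        """Drop admissions that have aged out of the window for this key."""
        q = self._hits.setdefault(key, deque())
        cutoff = now - self.window
        while q and q[0] <= cutoff:
            q.popleft()
        return q

    def allow(self, now, key="global"):
        """Admit (and record) a signup at time `now`, or refuse it."""
        q = self._prune(key, now)
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True

    def retry_after(self, now, key="global"):
        """Seconds until `key` would be admitted again (0.0 if it would pass now)."""
        q = self._prune(key, now)
        if len(q) < self.limit:
            return 0.0
        return q[0] + self.window - now


def simulate_burst(attempts, limit=1, window=60.0):
    """Replay (seconds, client) signup attempts through a fresh global limiter
    and return how many it admits. Constructed input; no Django needed."""
    throttle = SignupThrottle(limit, window)
    return sum(1 for t, _client in attempts if throttle.allow(t))


# Constructed burst: 120 scripted attempts, one every half second, from one
# client in a documentation (TEST-NET-2) address range.
BURST = [(i * 0.5, "198.51.100.7") for i in range(120)]


if __name__ == "__main__":
    print("admitted from a 60 s burst of 120 attempts:", simulate_burst(BURST))
```

The per-key split matters for the trade-off Steve raises: a single global cap of one per minute stops a scripted flood cold but also makes two real people who sign up in the same minute collide, while a per-source cap lets legitimate users through and only slows the one client that is hammering the form. Both can run side by side with the same class.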
On Tue, Sep 15, 2020, at 12:09 AM, Stephen J. Turnbull wrote:
> Mohsen Masoudfar writes:
>> It seems anybody can go to the site: https://LISTSERVNAME/mailman3/postorius/lists/ and click on the [Sign up] on the top-right corner and create an account.
> Yes.
>> This can easily be automated, even if the next step, confirming the email address, is ignored. I believe it can be used as a target for a DOS attack by creating so many accounts that it eventually causes an 'out of space' error.
>> Is this a justified concern?
> "Justified" depends on who you think the attacker is. Theoretically it's a real possibility, but the space used by an unverified account is not large. I suspect there are always much more painful DoS attacks to worry about.
>> Is there a way to manage this feature in a secure way?
> In some sense, I don't think there is. The point of the feature is to allow anybody to sign up without authentication beyond having a usable email address. Either you allow the DoS attack or anything you do is likely to deny service to legitimate users.
> Brian's approach (cron job purging unverified users) is generally good hygiene, but I don't think it would do much against a deliberate attack. And it shouldn't be hard to automate the confirmation process. I guess you could handle that by purging accounts with no subscriptions or other roles on any lists, but that might annoy a few legitimate users.
> Probably the best you could do for an open server would be to throttle user creation to say 1 per minute (adjustable to the scale of your site).
> I don't know if there is currently a way to require admin approval for account creation (as opposed to list subscription). Perhaps we should add that if we don't have it.
I checked django-allauth, it doesn't have a feature like that. We could implement something on-top of that to optionally allow for admin approval but some other details would need to be figured out and would be a sizeable task involving a new view for account approvals.
We potentially also would have to modify the models used in django-allauth to add the flag for "approved", which I am not sure would be an easy task to figure out.
Perhaps, it might be easier to make a feature request and implement it in django-allauth though.
> Steve
> Mailman-users mailing list -- mailman-users@mailman3.org
> To unsubscribe send an email to mailman-users-leave@mailman3.org
> https://lists.mailman3.org/mailman3/lists/mailman-users.mailman3.org/
--
thanks,
Abhilash Raj (maxking)
participants (4)
- Abhilash Raj
- Brian Carpenter
- Mohsen Masoudfar
- Stephen J. Turnbull