The Increasing Problem Of FOSS Mailing List Flooding Attacks

Written by Tom Li in Free Software on 10 May 2015 at 01:45 PM EDT.
This is a guest post by Tom Li, a Phoronix reader wishing to share his views on the increasing problems of free/open-source software public mailing lists being flooded with spam and other garbage. There are some extreme situations where there can be "flooding attacks" of list subscribers receiving thousands of mailing list messages per day from attackers. Tom is hoping the open-source community can come up with better solutions to fend off this problem.

Recently, I have received a large number of subscription confirmation emails. These mails are from public mailing lists, especially lists of Free and Open Source Software projects, including but not limited to OpenBSD, FreeBSD, the GNU Project, Ubuntu, CentOS, and Qt. The "subscribers" come from multiple IP addresses. After I shared my experience on social networks, I found more than 10 victims of the same attack, including a famous Chinese tech-blog writer. One of us received more than 10k emails in 24 hours. Some of our email accounts have already stopped operating and are refusing all new incoming mail.

Mailing lists play a very important role in communication for FOSS projects; daily development depends heavily on them. Most list managers send a confirmation mail after a user submits a subscription request, so that nobody can be subscribed to a list without their consent.

But since thousands of lists exist, flooding a victim with confirmation mails is possible. These mailing lists are usually powered by GNU Mailman, which applies no rate limit by default and whose subscription form is easy to drive from a script: all an attacker needs to do is send POST requests.

The GNOME Foundation faced the same problem last year and solved it by adding reCAPTCHA to the GNU Mailman instance running on FreeDesktop.org. But there are still many lists without any protection, e.g. the Fedora Project. I urge GNU Mailman developers and webmasters to add a rate limit on subscription requests for the same email address.
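As an added example (not code from Tom Li's post or from GNU Mailman), here is a per-address sliding-window limiter of the kind proposed above: confirmation mails to one normalized address are capped within a time window, so a scripted burst of POSTs naming a victim yields a handful of confirmations instead of thousands. The `ConfirmationLimiter` class, its thresholds and the sample burst are all constructed for illustration.

```python
from collections import defaultdict, deque

class ConfirmationLimiter:
    """Sliding-window cap on confirmation mails per recipient address
    (hypothetical helper, not part of GNU Mailman)."""

    def __init__(self, max_confirmations=3, window_seconds=3600):
        self.max = max_confirmations
        self.window = window_seconds
        # normalized address -> timestamps of confirmations already sent
        self._sent = defaultdict(deque)

    @staticmethod
    def normalize(address):
        # Trim and case-fold so "Victim@Example.ORG " and "victim@example.org"
        # share one bucket. (Local parts are case-sensitive per RFC 5321, but
        # for a rate-limit key treating them as equal only errs toward suppressing.)
        local, _, domain = address.strip().rpartition("@")
        return f"{local.lower()}@{domain.lower()}"

    def allow(self, address, now):
        """Return True if a confirmation may be sent to `address` at time `now`."""
        q = self._sent[self.normalize(address)]
        while q and now - q[0] >= self.window:   # expire entries outside the window
            q.popleft()
        if len(q) >= self.max:
            return False                          # budget exhausted: stay silent
        q.append(now)
        return True

def simulate(requests, max_confirmations=3, window_seconds=3600):
    """Count (sent, suppressed) confirmations for a list of (address, timestamp) POSTs."""
    limiter = ConfirmationLimiter(max_confirmations, window_seconds)
    sent = suppressed = 0
    for address, when in requests:
        if limiter.allow(address, when):
            sent += 1
        else:
            suppressed += 1
    return sent, suppressed

# Constructed sample: a scripted burst of 1000 subscription POSTs naming one
# victim within a minute, with a single genuine subscriber in the middle.
BURST = [("victim@example.org", i * 0.06) for i in range(1000)]
BURST.insert(500, ("dev@example.net", 30.0))
```

The victim's own genuine subscription attempt during the window is suppressed as well; that is the intended trade-off, since the alternative is thousands of confirmation mails.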

If this method is used widely, such low-cost attacks will seriously waste the system resources of FOSS projects and prevent many people and organizations from using email. If such mail is classified as spam, all developers' normal communication will be affected.

Have you had much of a problem with this? How many open-source mailing lists are you subscribed to? Let us know by commenting on this article in the forums.