IMPORTANT NOTICE - Subscription to Mailman lists disabled immediately

All,

We need to immediately disable subscription capabilities to all LLVM Mailman lists.

The current Mailman server is being abused by subscribing valid email addresses to our lists and because the list requires confirmation, the email address gets “spam”. An email address is subscribed upwards of 100 times in a short period of time in many cases. AWS has threatened to turn off our instance unless we take immediate action. Given the time frame of the situation (24 hours to resolve), we have no choice but to disable all new subscription capabilities as we can not distinguish between a real subscription attempt versus the abuse.

Those currently subscribed should see no changes or impact to their workflow.

I am sure this raises a lot of questions for the LLVM community and we are working hard and as quickly as possible on a permanent solution to this situation.

Thanks,
Tanya Lattner
LLVM Foundation

> All,
>
> We need to immediately disable subscription capabilities to all LLVM Mailman
> lists.
>
> The current Mailman server is being abused by subscribing valid email addresses
> to our lists and because the list requires confirmation, the email address gets
> “spam”. An email address is subscribed upwards of 100 times in a short
> period of time in many cases. AWS has threatened to turn off our instance
> unless we take immediate action. Given the time frame of the situation (24
> hours to resolve), we have no choice but to disable all new subscription
> capabilities as we can not distinguish between a real subscription attempt
> versus the abuse.

In the future, could this be prevented by requiring subscriptions to be by
DKIM-authenticated email, and imposing a rate limit on new subscriptions per
email address? I wonder if this is actually a backscatter vulnerability in
Mailman.
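
The per-address rate limit proposed in the reply above, sketched as an added example (not part of the thread and not Mailman code): a sliding-window cap on how many confirmation mails one address can receive. The class name, thresholds and sample addresses are assumptions, and the DKIM check is not shown.

```python
from collections import defaultdict, deque


class ConfirmationLimiter:
    """Sliding-window cap on confirmation mails sent to one address."""

    def __init__(self, max_mails=2, window_seconds=3600):
        self.max_mails = max_mails          # assumed threshold
        self.window = window_seconds        # assumed window length
        self._sent = defaultdict(deque)     # address -> timestamps of mails sent

    @staticmethod
    def _key(address):
        # Assumption: addresses are compared case-insensitively.
        return address.strip().lower()

    def allow(self, address, now):
        """Return True if a confirmation mail may be sent at time `now`."""
        sent = self._sent[self._key(address)]
        while sent and now - sent[0] >= self.window:
            sent.popleft()                  # drop mails that left the window
        if len(sent) >= self.max_mails:
            return False                    # request dropped, nothing is mailed
        sent.append(now)
        return True

    def prune(self, now):
        """Forget addresses with no mail inside the window (bounds memory)."""
        stale = [k for k, q in self._sent.items()
                 if not q or now - q[-1] >= self.window]
        for key in stale:
            del self._sent[key]


def replay(requests, limiter):
    """Replay (timestamp, address) requests; return mails sent per address."""
    mails = defaultdict(int)
    for ts, address in sorted(requests):
        if limiter.allow(address, ts):
            mails[limiter._key(address)] += 1
    return dict(mails)


# Constructed sample: 100 requests for one address within 100 seconds,
# plus a single ordinary request for another address.
SAMPLE = [(t, "Victim@example.org") for t in range(100)] + [(50, "dev@example.com")]

if __name__ == "__main__":
    print(replay(SAMPLE, ConfirmationLimiter()))
```

Because rejected requests are not recorded, a sustained flood still yields at most `max_mails` messages per window for the targeted address, while a one-off subscriber is unaffected.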