/wws/renewpasswd can generate nuisance messages
Created by: dpc22
Expected Behaviour
Automated scripts should not be able to send email messages to random recipients using the wwsympa .../renewpasswd link.
Current Behaviour
This is currently possible. While the message content is fixed (see attached example), it has the potential to cause nuisance or confusion.
Possible Solution
Mailman can use a CAPTCHA to protect the equivalent function. Alternatively, some form of rate limit on renewpasswd requests?
I found https://github.com/sympa-community/sympa/pull/492, but that doesn't protect against scripts attacking renewpasswd directly.
Context
I received a couple of hundred bounce messages over the weekend from attempts to send password renewals to the invalid address sample@email.tst. There were also lots of SQL insertion attacks from the same source IP address in a very short interval, so obviously some form of script.
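To illustrate the rate-limit option from the Possible Solution section, here is an added example (not Sympa code, and not from this report's author) of a sliding-window limiter that counts renewpasswd requests per client IP and per recipient address, so a script hammering one endpoint cannot turn it into a mail-bombing vector. The class name, limits and the constructed burst scenario are assumptions for illustration.

```python
import time
from collections import defaultdict, deque

# Sliding-window limiter for password-renewal requests (illustrative, not
# Sympa's own code). Each allowed request is counted against two keys: the
# client IP (one script hammering the form) and the recipient address (the
# mailbox that would receive the unsolicited renewal mail).
class RenewPasswdLimiter:
    def __init__(self, per_ip=5, per_recipient=2, window_s=3600):
        self.per_ip = per_ip                # assumed limit per source IP
        self.per_recipient = per_recipient  # assumed limit per recipient
        self.window_s = window_s            # assumed window: one hour
        self._hits = defaultdict(deque)     # key -> timestamps of allowed hits

    def _count(self, key, now):
        # Drop timestamps that fell out of the window, then count the rest.
        q = self._hits[key]
        while q and q[0] <= now - self.window_s:
            q.popleft()
        return len(q)

    def allow(self, client_ip, recipient, now=None):
        """Return (allowed, reason). Only allowed requests consume quota."""
        now = time.time() if now is None else now
        # Normalise so case variations of one address share a bucket.
        rcpt_key = ("rcpt", recipient.strip().lower())
        ip_key = ("ip", client_ip)
        if self._count(ip_key, now) >= self.per_ip:
            return False, "ip-limit"
        if self._count(rcpt_key, now) >= self.per_recipient:
            return False, "recipient-limit"
        self._hits[ip_key].append(now)
        self._hits[rcpt_key].append(now)
        return True, "ok"
        # Note: the HTTP response shown to the caller should be identical
        # whether or not the mail was actually sent, so a throttled request
        # reveals nothing about which addresses are subscribed.


def simulate_burst(n=200, ip="203.0.113.7", rcpt="sample@email.tst"):
    """Constructed scenario: n renewpasswd requests from one IP within a
    minute, all aimed at the same (invalid) address. Returns how many
    renewal mails would actually be sent with the default limits."""
    lim = RenewPasswdLimiter()
    sent = 0
    for i in range(n):
        ok, _ = lim.allow(ip, rcpt, now=1000 + i * 0.3)
        sent += ok
    return sent  # 2: the per-recipient limit trips first
```

The per-recipient cap also bounds what a legitimate user can trigger against a stranger's mailbox; the trade-off is that a targeted address is briefly unable to request its own renewal until the window expires.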