Platforms

All LISTSERV 14.3 and later


Abstract

The maximum number of lists to which consecutive subscription attempts will be accepted from a given subscriber, to prevent "spoofing" attacks.


Example

z/VM:

MAX_CONSECUTIVE_SUBS = 50

Unix:

MAX_CONSECUTIVE_SUBS=50

export MAX_CONSECUTIVE_SUBS

Windows:

MAX_CONSECUTIVE_SUBS=50


Details

As a preventive measure against spoofers adding third parties to hundreds of lists without their knowledge, this variable sets the number of local lists to which a user may subscribe in a row. The default is 50 lists, after which LISTSERV assumes that the subscription requests are coming from a spoofer and cancels the last 50 subscription requests for the user in question. (To clarify, a user may be subscribed to more than 50 lists on the server, but may not issue more than 50 subscription requests in a row.)

MAX_CONSECUTIVE_SUBS allows site maintainers full control over the limit.  A setting of 0 disables the anti-spoofing filter altogether (which is not recommended).

In LISTSERV 16.0-2017a and following, MAX_CONSECUTIVE_SUBS is also applied to the X-CONFIRM command, to prevent an exploit which targeted the X-CONFIRM command via signup pages in the LISTSERV web interface.  This exploit flooded target email addresses with bogus subscription confirmation requests from multiple lists on the server. This could happen either accidentally (broken external script) or by malicious intent.  The original exploit would result in a further flooding several days later when the bogus subscription requests expired.  Because X-CONFIRM is not a SUBSCRIBE command, it was not originally limited by the MAX_CONSECUTIVE_SUBS setting.

To mitigate this problem, LISTSERV's internal X-CONFIRM function was modified to honor MAX_CONSECUTIVE_SUBS, and will reject consecutive X-CONFIRM commands from the same user once that limit is reached.  The rejection message is displayed in the web interface and is not sent to the targeted address.
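The following is an added model of the throttle described in this section, written for this page to show the behaviour a site maintainer should expect; it is not LISTSERV's own code. The class name, the per-address bookkeeping, the address and list names, and the assumption that any non-subscription command ends the "in a row" streak are all constructed for the illustration. It covers both the SUBSCRIBE path (the last N pending requests are cancelled once the limit is exceeded) and the X-CONFIRM path added in 16.0-2017a (the request is rejected and the message is not emailed to the target), as well as the MAX_CONSECUTIVE_SUBS=0 setting that disables the filter.

```python
# Added illustration of the MAX_CONSECUTIVE_SUBS throttle; a model for this page,
# not LISTSERV's implementation. State layout and streak-reset rule are assumptions.
from collections import defaultdict

# Since LISTSERV 16.0-2017a, X-CONFIRM counts toward the limit as well as SUBSCRIBE.
SUBSCRIPTION_COMMANDS = {"SUBSCRIBE", "X-CONFIRM"}


class ConsecutiveSubsThrottle:
    def __init__(self, max_consecutive_subs=50):
        # A value of 0 disables the anti-spoofing filter entirely (not recommended).
        self.limit = max_consecutive_subs
        self.run = defaultdict(int)       # address -> consecutive subscription-type requests
        self.pending = defaultdict(list)  # address -> list names awaiting confirmation
        self.flagged = set()              # addresses LISTSERV now treats as spoofing targets

    def handle(self, address, command, listname=None):
        """Process one command issued on behalf of `address`; return an outcome string."""
        command = command.upper()
        if command not in SUBSCRIPTION_COMMANDS:
            # Assumption: any other command from the address breaks the streak.
            self.run[address] = 0
            return "ok"
        if self.limit == 0:
            # Filter disabled: every request is accepted, however many arrive in a row.
            self.pending[address].append(listname)
            return "accepted"
        self.run[address] += 1
        if self.run[address] <= self.limit:
            self.pending[address].append(listname)
            return "accepted"
        # Limit exceeded: the requests are assumed to come from a spoofer.
        self.flagged.add(address)
        if command == "SUBSCRIBE":
            # Cancel the last `limit` subscription requests for this address.
            cancelled = self.pending[address][-self.limit:]
            del self.pending[address][-self.limit:]
            return f"cancelled {len(cancelled)} requests"
        # X-CONFIRM: rejected; the notice goes to the web interface, not the target mailbox.
        return "rejected (shown in web interface, not emailed)"


def simulate(limit, n_requests, command="SUBSCRIBE"):
    """Send n_requests consecutive requests for one constructed address; return a summary."""
    throttle = ConsecutiveSubsThrottle(limit)
    target = "target@example.invalid"  # constructed address
    outcomes = [throttle.handle(target, command, f"LIST-{i:03d}")
                for i in range(1, n_requests + 1)]
    return {
        "pending": len(throttle.pending[target]),
        "flagged": target in throttle.flagged,
        "last": outcomes[-1],
    }


if __name__ == "__main__":
    print("50 SUBSCRIBEs, limit 50:", simulate(50, 50))
    print("51 SUBSCRIBEs, limit 50:", simulate(50, 51))
    print("51 X-CONFIRMs, limit 50:", simulate(50, 51, "X-CONFIRM"))
    print("200 SUBSCRIBEs, limit 0: ", simulate(0, 200))
```

Running the script shows the contrast the Details section describes: with the default of 50, the 51st consecutive SUBSCRIBE empties the address's pending queue and flags it, the 51st X-CONFIRM is rejected while the earlier 50 remain pending, and with the variable set to 0 an unbounded run of requests is accepted.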


Default Value

50