Thanks! That works for Apache2.2. For those interested that are using Apache2.4, make this change: -Order deny,allow -Deny from all +Require all denied The rest should be the same. Here is some more info: http://httpd.apache.org/docs/2.4/upgrading.html Best, Rafael On Fri, Aug 14, 2015 at 2:16 PM, Jim Popovitch <jimpop@gmail.com> wrote:
That's a very old (in Internet Years) Mailman problem that was solved with session cookies in v2.1.16 (16-Oct-2013). If you're still paranoid, and don't want to piss your users off with privacy leaking captcha, then just set up some referer checking in your apache or nginx configs:
Apache:
# Prevent subscription request spam SetEnvIf Referer lists\.example\.com localreferer <Location /mailman/subscribe> Order deny,allow Deny from all Allow from env=localreferer </Location> -Jim P.