It seems someone is trying to forge-subscribe certain addresses (mostly AOL / Yahoo / Gmail etc. addresses) on our Mailman install.
For example (slightly sanitized, though the IP address is the real one):

[19/Jul/2013:09:49:17 -0700] 137.117.103.83 TLSv1 RC4-SHA "GET /mailman/subscribe/listname?email=tar...@example.com&fullname=&pw=123456789&pw-conf=123456789&language=en&digest=0&email-button=Subscribe HTTP/1.1" 1587
[19/Jul/2013:09:49:17 -0700] 137.117.103.83 TLSv1 RC4-SHA "GET /mailman/subscribe/listname?email=tar...@example.com&fullname=&pw=123456789&pw-conf=123456789&language=en&digest=0&email-button=Subscribe HTTP/1.1" 1587
[19/Jul/2013:09:49:43 -0700] 137.117.103.83 TLSv1 RC4-SHA "GET /mailman/subscribe/listname?email=tar...@example.com&fullname=&pw=123456789&pw-conf=123456789&language=en&digest=0&email-button=Subscribe HTTP/1.1" 1587
[19/Jul/2013:09:55:50 -0700] 137.117.103.83 TLSv1 RC4-SHA "GET /mailman/subscribe/listname?email=tar...@example.com&fullname=&pw=123456789&pw-conf=123456789&language=en&digest=0&email-button=Subscribe HTTP/1.1" 1587
[19/Jul/2013:09:56:05 -0700] 137.117.103.83 TLSv1 RC4-SHA "GET /mailman/subscribe/listname?email=tar...@example.com&fullname=&pw=123456789&pw-conf=123456789&language=en&digest=0&email-button=Subscribe HTTP/1.1" 1587

The password / confirmation token are the same in each case, so it doesn't seem like they're trying to guess those. So far, this hasn't resulted in any actual subscriptions, nor is there any spam content in the confirmation message that's sent to the end-user.

Any idea what they might be trying to accomplish? They only seem to have been targeting one of the lists on the machine (the list has several thousand). Does this correspond to any known exploits for older versions of Mailman?
w

------------------------------------------------------
Mailman-Users mailing list Mailman-Users@python.org
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: http://mail.python.org/mailman/options/mailman-users/archive%40jab.org
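Added example, not part of the original post and not Mailman code: a small log check that parses the access-log layout quoted above and reports client IPs making repeated subscribe requests in a short window, along with how many distinct addresses and `pw` values they used. The function names, the threshold of 3 requests and the 10-minute window are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs

# Layout quoted in the post: [time] ip tls cipher "GET url HTTP/x" bytes
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] (?P<ip>\S+) \S+ \S+ "GET /mailman/subscribe/'
    r'(?P<list>[^?\s]+)\?(?P<query>\S*) HTTP/[\d.]+" \d+$')

def parse_subscribe(line):
    """Return (time, ip, list, email, pw) for a subscribe GET, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    q = parse_qs(m["query"], keep_blank_values=True)
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return (ts, m["ip"], m["list"],
            q.get("email", [""])[0].lower(), q.get("pw", [""])[0])

def flag_sources(lines, threshold=3, window=timedelta(minutes=10)):
    """Flag IPs with at least `threshold` subscribe GETs inside one window."""
    by_ip = defaultdict(list)
    for rec in filter(None, map(parse_subscribe, lines)):
        by_ip[rec[1]].append(rec)
    flagged = {}
    for ip, recs in by_ip.items():
        times = sorted(r[0] for r in recs)
        # Largest number of requests within `window` of any one request.
        burst = max(sum(t - start <= window for t in times[i:])
                    for i, start in enumerate(times))
        if burst >= threshold:
            flagged[ip] = {"burst": burst,
                           "lists": sorted({r[2] for r in recs}),
                           "emails": len({r[3] for r in recs}),
                           "passwords": len({r[4] for r in recs})}
    return flagged

def _line(ts, ip, email):  # builds one constructed line in the post's layout
    return (f'[{ts} -0700] {ip} TLSv1 RC4-SHA "GET /mailman/subscribe/listname'
            f'?email={email}&fullname=&pw=123456789&pw-conf=123456789'
            f'&language=en&digest=0&email-button=Subscribe HTTP/1.1" 1587')

SAMPLE = [  # constructed data; documentation-range IPs, example.com addresses
    _line("19/Jul/2013:09:49:17", "192.0.2.10", "a@example.com"),
    _line("19/Jul/2013:09:49:43", "192.0.2.10", "b@example.com"),
    _line("19/Jul/2013:09:55:50", "192.0.2.10", "c@example.com"),
    _line("19/Jul/2013:10:30:00", "198.51.100.7", "e@example.com"),
]
```

A source that uses many distinct addresses with a single `pw` value, as in the quoted log, shows up as a high `emails` count with `passwords` equal to 1.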