On Mon, Jul 22, 2013 at 09:31:03PM +0200, Ralf Hildebrandt wrote:
> * Will Yardley <mail...@veggiechinese.net>:
> > It seems someone is trying to forge-subscribe certain addresses (mostly
> > AOL / Yahoo / Gmail etc. addresses) on our Mailman install.
>
> Which version of mailman is that?
2.1.9. And yes, I'm aware that we need to upgrade, it's in progress, but isn't possible immediately for complicated reasons. So, that's one reason I'm writing in, just to make sure this isn't an attempt to exploit a hole that's actually exploitable in this version.

On Mon, Jul 22, 2013 at 01:16:29PM -0700, Mark Sapiro wrote:
> On 07/22/2013 12:16 PM, Will Yardley wrote:
> > For example, (slightly sanitized, though the IP address is the real
> > one):
> > [19/Jul/2013:09:49:17 -0700] 137.117.103.83 TLSv1 RC4-SHA "GET
> > /mailman/subscribe/listname?email=tar...@example.com&fullname=&pw=123456789&pw-conf=123456789&language=en&digest=0&email-button=Subscribe
> > HTTP/1.1" 1587
>
> This very likely results from legitimate search engine web crawlers
> crawling your site.
>
> Every time Google crawls mail.python.org, I get an unsubscribe
> confirmation for Mailman-users. So far, I haven't had the energy to
> try to stop these as they're easy enough to ignore.
>
> In your case, the web crawlers are just blindly submitting the
> subscribe form from the listinfo page, and disallowing your listinfo
> pages in a robots.txt will likely stop it.

Why do the requests have actual email addresses and a bogus password / token in the request string, though? The IP doesn't have any RDNS but is allocated to MSN, and I'd think a legitimate crawler would be more easily identifiable as such, and would only be following actual links. In this case we're getting repeated attempts to subscribe various addresses. Also, they're only hitting this list (which isn't even set to 'public'), out of all 2000 or so of our Mailman lists.
w
------------------------------------------------------
Mailman-Users mailing list Mailman-Users@python.org
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
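An added example, not from the thread or from Mailman itself, of the check a list admin could run over an access log shaped like the line quoted above to tell blind crawler form submissions from repeated subscribe attempts with real addresses: it parses that log shape, keeps only /mailman/subscribe requests whose query string carries an email address, and reports source IPs that repeat. The log format is assumed from the quoted line; the sample lines, IPs and addresses are constructed.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import parse_qs, urlsplit
# Log shape assumed from the line quoted in the thread (looks like an Apache
# SSL request log: [time] client-ip tls-version cipher "request" bytes).
LOG_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] (?P<ip>\S+) \S+ \S+ '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" \d+$'
)

# Constructed sample: one source repeatedly submitting the subscribe form with
# real-looking addresses, and a second source that fetches listinfo and then
# submits the form blank (what a crawler following the form would do).
SAMPLE_LOG = """\
[19/Jul/2013:09:49:17 -0700] 203.0.113.5 TLSv1 RC4-SHA "GET /mailman/subscribe/listname?email=alice%40example.com&fullname=&pw=123456789&pw-conf=123456789&language=en&digest=0&email-button=Subscribe HTTP/1.1" 1587
[19/Jul/2013:09:51:02 -0700] 203.0.113.5 TLSv1 RC4-SHA "GET /mailman/subscribe/listname?email=bob%40example.com&fullname=&pw=123456789&pw-conf=123456789&language=en&digest=0&email-button=Subscribe HTTP/1.1" 1587
[19/Jul/2013:09:52:40 -0700] 203.0.113.5 TLSv1 RC4-SHA "GET /mailman/subscribe/listname?email=alice%40example.com&fullname=&pw=123456789&pw-conf=123456789&language=en&digest=0&email-button=Subscribe HTTP/1.1" 1587
[19/Jul/2013:10:03:11 -0700] 198.51.100.7 TLSv1 RC4-SHA "GET /mailman/listinfo/listname HTTP/1.1" 4021
[19/Jul/2013:10:05:00 -0700] 198.51.100.7 TLSv1 RC4-SHA "GET /mailman/subscribe/listname?email=&fullname=&pw=&pw-conf=&language=en&digest=0&email-button=Subscribe HTTP/1.1" 1587
"""

def parse_subscribe_hit(line):
    """Return (ip, listname, email) for a subscribe request that carries an address; else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    segs = parts.path.split("/")          # ['', 'mailman', 'subscribe', listname]
    if len(segs) < 4 or segs[1:3] != ["mailman", "subscribe"]:
        return None
    email = parse_qs(parts.query, keep_blank_values=True).get("email", [""])[0]
    if "@" not in email:                  # blank form submission: ignore
        return None
    return m.group("ip"), segs[3], email

def subscribe_report(lines, threshold=3):
    """Group subscribe attempts by source IP; return those at or above threshold."""
    attempts = Counter()
    addresses = defaultdict(set)
    for line in lines:
        hit = parse_subscribe_hit(line)
        if hit:
            ip, _listname, email = hit
            attempts[ip] += 1
            addresses[ip].add(email)
    return {ip: {"attempts": n, "addresses": sorted(addresses[ip])}
            for ip, n in attempts.items() if n >= threshold}

if __name__ == "__main__":
    print(subscribe_report(SAMPLE_LOG.splitlines()))
```

Feeding the real log through the same function gives the per-IP address list that a robots.txt change would not affect, since a crawler following the listinfo form submits it empty.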