In the last few days we've seen several thousand bogus subscription requests for various lists we host, sent through the web interface. They seem to mostly originate in China.

We see log entries such as /var/log/mailman/subscribe

    Jan 11 20:50:30 2016 (27666) grsi-users: pending hellocatboots+80339...@gmail.com  221.178.182.31

and in the webserver logs

    221.178.182.31 - - [10/Jan/2016:03:27:18 -0800] "POST /mailman/subscribe/grsi-users HTTP/1.1" 200

I'm not sure what the point is - a DoS attack on a few users, perhaps. I see that Gmail gives you infinite aliases, so that hellocatboots+80339132 is the same as hellocatboots+96529...@gmail.com

Since most of these seem to originate with one netblock where we have, I believe, no legitimate users, I've added a Deny rule in httpd.conf.

I was wondering if other admins had seen this, and if there was a better way to control it than blocking an IP range.

Apart from all the variants of hellocatboots, we've seen a lot of posts for one unique user at kezukaya.com. The subscribe log shows hundreds of pending requests, from which I infer that Mailman has no mechanism to track the fact that it already sent a "please confirm" message (we have mailman-2.1.18 on CentOS 5).

--
Andrew Daviel, TRIUMF, Canada
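
An added example, not part of the original post: a triage script for the subscribe-log layout quoted above that collapses Gmail aliases to one mailbox and counts pending requests per mailbox and per netblock. The function names, the /24 grouping, the threshold and the sample lines are assumptions made for illustration; the sample lines are constructed.

```python
import re
from collections import Counter
from ipaddress import ip_network

# Constructed sample lines in the subscribe-log layout quoted in the post
# (addresses are made up; the IPs are from documentation ranges).
SAMPLE_LOG = """\
Jan 11 20:50:30 2016 (27666) grsi-users: pending catboots+80339132@gmail.com  203.0.113.31
Jan 11 20:50:41 2016 (27666) grsi-users: pending catboots+96529444@gmail.com  203.0.113.77
Jan 11 20:51:02 2016 (27666) other-list: pending Cat.Boots+1@googlemail.com  203.0.113.31
Jan 11 20:52:10 2016 (27666) grsi-users: pending victim@example.org  203.0.113.90
Jan 11 20:52:15 2016 (27666) grsi-users: pending victim@example.org  203.0.113.91
Jan 11 21:03:00 2016 (27670) grsi-users: pending alice@example.net  198.51.100.5
Jan 11 21:04:00 2016 (27670) grsi-users: new alice@example.net, via email confirmation
"""

PENDING = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+ \d{4}) \(\d+\) (?P<list>[^:\s]+): pending "
    r"(?P<addr>\S+)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s*$")

def canonical(addr):
    """Collapse Gmail aliases that deliver to the same mailbox."""
    local, _, domain = addr.lower().rpartition("@")
    if domain in ("gmail.com", "googlemail.com"):
        local = local.split("+", 1)[0]      # drop the +tag alias suffix
        local = local.replace(".", "")      # Gmail ignores dots in the local part
        domain = "gmail.com"
    return f"{local}@{domain}"

def summarize(log_text, prefix=24, threshold=2):
    """Return (mailboxes, netblocks) with at least `threshold` pending requests."""
    by_box, by_net = Counter(), Counter()
    for line in log_text.splitlines():
        m = PENDING.match(line)
        if not m:
            continue  # skip anything that is not a 'pending' entry with a source IP
        by_box[canonical(m["addr"])] += 1
        net = ip_network(f"{m['ip']}/{prefix}", strict=False)
        by_net[str(net)] += 1
    hot = lambda c: {k: v for k, v in c.items() if v >= threshold}
    return hot(by_box), hot(by_net)

if __name__ == "__main__":
    boxes, nets = summarize(SAMPLE_LOG)
    print("mailboxes:", boxes)
    print("netblocks:", nets)
```

Counting per canonical mailbox exposes both patterns described in the post: many aliases of one Gmail account, and one address requested repeatedly from different source IPs.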