On Thu, Dec 22, 2016 at 6:55 PM, Mark Sapiro <m...@msapiro.net> wrote:
> On 12/22/2016 03:38 PM, Jim Popovitch wrote:
>>
>> I'm seeing GET attempts like this:
>>
>> 77.247.181.165 - - [22/Dec/2016:23:30:10 +0000] "GET /subscribe/users?sub_form_token=1527449307%3A44440ca6e66379d0e6e9c45b66d93d5864da4621&email=jconno2215%40gmail.com&fullname=585c61c234d98&pw=&pw-conf=&digest=1&email-button=jconno2215%40gmail.com&language=en&?sub_form_token=1527449307%3A44440ca6e66379d0e6e9c45b66d93d5864da4621&email=jconno2215%40gmail.com&fullname=585c61c234d98&pw=&pw-conf=&digest=1&email-button=jconno2215%40gmail.com&language=en&&sub_form_token=1527449307%3A44440ca6e66379d0e6e9c45b66d93d5864da4621&email=jconno2215%40gmail.com&fullname=585c61c234d98&pw=&pw-conf=&digest=1&email-button=jconno2215%40gmail.com&language=en& HTTP/1.1" 404 162 "http://netcoolusers.org/" "Mozilla/5.0 (Windows NT 5.1; rv:7.0.1) Gecko/20100101 Firefox/7.0.1"
>
>
> OK. I see how limiting the subscribe CGI to POST requests would stop
> these, but I haven't seen any attacks like this. In the ones I've seen,
> the bot GETs the form via listinfo and then delays and POSTs to
> subscribe as described in the part of my post in this thread you didn't
> quote.
Just to be clear, the bots are doing a GET of the listinfo page, extracting the token, and then (mis)forming the GET URL like this:

89.32.127.178 - - [22/Dec/2016:23:53:29 +0000] "GET /mailman/listinfo/users HTTP/1.1" 200 2866 "-" "Mozilla/5.0 (Windows NT 5.1; rv:7.0.1) Gecko/20100101 Firefox/7.0.1"
89.32.127.178 - - [22/Dec/2016:23:53:32 +0000] "GET /subscribe/users?sub_form_token=2351250719%3A8d5271a8d26c4cdd37040d7a7f37efb977e93d07&email=candice.cheng%40gmail.com&fullname=585c673c4eaac&pw=&pw-conf=&digest=1&email-button=candice.cheng%40gmail.com&language=en&?sub_form_token=2351250719%3A8d5271a8d26c4cdd37040d7a7f37efb977e93d07&email=candice.cheng%40gmail.com&fullname=585c673c4eaac&pw=&pw-conf=&digest=1&email-button=candice.cheng%40gmail.com&language=en&&sub_form_token=2351250719%3A8d5271a8d26c4cdd37040d7a7f37efb977e93d07&email=candice.cheng%40gmail.com&fullname=585c673c4eaac&pw=&pw-conf=&digest=1&email-button=candice.cheng%40gmail.com&language=en& HTTP/1.1" 404 162 "http://netcoolusers.org/" "Mozilla/5.0 (Windows NT 5.1; rv:7.0.1) Gecko/20100101 Firefox/7.0.1"

I suspect the bot is requesting ../subscribe and that nginx is just stripping the leading dots off the request (totally not sure about this though).

-Jim P.

------------------------------------------------------
Mailman-Users mailing list Mailman-Users@python.org
https://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: https://mail.python.org/mailman/options/mailman-users/archive%40jab.org
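The two request shapes discussed in this thread (a listinfo GET followed a few seconds later by a subscribe request, and a subscribe request that carries the whole form, including a repeated sub_form_token and a stray "?", in a GET query string) are easy to pick out of an access log. The script below is an added example, not code from the thread or from Mailman itself: it parses Combined Log Format lines, reports the query-string anomalies per request, and pairs each subscribe request with the preceding listinfo GET from the same client so the delay between the two is visible. The log lines, the 192.0.2.x/198.51.100.x addresses, the token value and the e-mail addresses are constructed placeholders modelled on the quoted entries; the URL paths follow the ones quoted in the thread.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qsl

# Constructed sample log (Combined Log Format). IPs are RFC 5737 documentation
# addresses, the token and addresses are placeholders. Entries 1-2 mimic the
# bot traffic quoted in the thread; entries 3-4 mimic a normal listinfo -> POST flow.
SAMPLE_LOG = """\
192.0.2.10 - - [22/Dec/2016:23:53:29 +0000] "GET /mailman/listinfo/users HTTP/1.1" 200 2866 "-" "Mozilla/5.0 (Windows NT 5.1; rv:7.0.1) Gecko/20100101 Firefox/7.0.1"
192.0.2.10 - - [22/Dec/2016:23:53:32 +0000] "GET /subscribe/users?sub_form_token=1000000000%3Adeadbeef&email=user%40example.com&fullname=585c673c4eaac&pw=&pw-conf=&digest=1&email-button=user%40example.com&language=en&?sub_form_token=1000000000%3Adeadbeef&email=user%40example.com&fullname=585c673c4eaac&pw=&pw-conf=&digest=1&email-button=user%40example.com&language=en&&sub_form_token=1000000000%3Adeadbeef&email=user%40example.com&fullname=585c673c4eaac&pw=&pw-conf=&digest=1&email-button=user%40example.com&language=en& HTTP/1.1" 404 162 "http://lists.example.org/" "Mozilla/5.0 (Windows NT 5.1; rv:7.0.1) Gecko/20100101 Firefox/7.0.1"
198.51.100.7 - - [22/Dec/2016:23:55:01 +0000] "GET /mailman/listinfo/users HTTP/1.1" 200 2866 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/50.0"
198.51.100.7 - - [22/Dec/2016:23:56:40 +0000] "POST /mailman/subscribe/users HTTP/1.1" 200 3100 "http://lists.example.org/mailman/listinfo/users" "Mozilla/5.0 (X11; Linux x86_64) Firefox/50.0"
"""

# Combined Log Format: ip ident user [ts] "method target proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z")
        d["status"] = int(d["status"])
        parts = urlsplit(d["target"])  # splits at the first '?'
        d["path"], d["query"] = parts.path, parts.query
        entries.append(d)
    return entries


def query_anomalies(entry):
    """Flag the query-string oddities seen in the bot requests: the subscribe
    form submitted by GET, sub_form_token repeated, and a '?' inside the query."""
    params = parse_qsl(entry["query"], keep_blank_values=True)
    # parse_qsl keeps the stray '?' as part of the key ('?sub_form_token'),
    # so strip it before counting repeats.
    names = [k.lstrip("?") for k, _ in params]
    return {
        "form_by_get": entry["method"] == "GET" and "sub_form_token" in names,
        "repeated_token": names.count("sub_form_token") > 1,
        "embedded_qmark": "?" in entry["query"],
    }


def listinfo_to_subscribe(entries, window=timedelta(minutes=10)):
    """Pair each subscribe request with the latest listinfo GET from the same
    client inside `window`; returns (ip, delay_seconds, method, status)."""
    last_listinfo = {}
    hits = []
    for e in sorted(entries, key=lambda e: e["ts"]):
        if e["method"] == "GET" and "/listinfo/" in e["path"]:
            last_listinfo[e["ip"]] = e["ts"]
        elif "/subscribe/" in e["path"]:
            seen = last_listinfo.get(e["ip"])
            if seen is not None and e["ts"] - seen <= window:
                delay = (e["ts"] - seen).total_seconds()
                hits.append((e["ip"], delay, e["method"], e["status"]))
    return hits


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    for ip, delay, method, status in listinfo_to_subscribe(log):
        print(f"{ip}: listinfo -> {method} subscribe after {delay:.0f}s (status {status})")
    for e in log:
        flags = [k for k, v in query_anomalies(e).items() if v]
        if flags:
            print(f"{e['ip']} {e['method']} {e['path']}: {', '.join(flags)}")
```

The delay value is the piece to tune on real logs: the thread describes bots that fetch listinfo and follow up within seconds, so a short listinfo-to-subscribe gap combined with any of the three query flags is a reasonable signal, while a POST with a normal referer and a human-scale delay is what a real subscriber looks like.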