On 12/22/2016 04:05 PM, Jim Popovitch wrote:
> 
> Just to be clear, the bots are doing a GET of the listinfo page,
> extracting the token, and then (mis)forming the GET URL like this:
> 
> 89.32.127.178 - - [22/Dec/2016:23:53:29 +0000] "GET
> /mailman/listinfo/users HTTP/1.1" 200 2866 "-" "Mozilla/5.0 (Windows
> NT 5.1; rv:7.0.1) Gecko/20100101 Firefox/7.0.1"
> 89.32.127.178 - - [22/Dec/2016:23:53:32 +0000] "GET
> /subscribe/users?sub_form_token=2351250719%3A8d5271a8d26c4cdd37040d7a7f37efb977e93d07&email=candice.cheng%40gmail.com&fullname=585c673c4eaac&pw=&pw-conf=&digest=1&email-button=candice.cheng%40gmail.com&language=en&?sub_form_token=2351250719%3A8d5271a8d26c4cdd37040d7a7f37efb977e93d07&email=candice.cheng%40gmail.com&fullname=585c673c4eaac&pw=&pw-conf=&digest=1&email-button=candice.cheng%40gmail.com&language=en&&sub_form_token=2351250719%3A8d5271a8d26c4cdd37040d7a7f37efb977e93d07&email=candice.cheng%40gmail.com&fullname=585c673c4eaac&pw=&pw-conf=&digest=1&email-button=candice.cheng%40gmail.com&language=en&
> HTTP/1.1" 404 162 "http://netcoolusers.org/"; "Mozilla/5.0 (Windows NT
> 5.1; rv:7.0.1) Gecko/20100101 Firefox/7.0.1"
> 
> I suspect, the bot is requesting ../subscribe and that nginx is just
> stripping the leading dots off the request (totally not sure about this
> though).


I suspect that's correct. The bottom line however is that there are
already botnets out there that are smart enough to do the right things
to get past the checks of GETting the form first with the hidden token
and delaying sufficiently before POSTing to the right URL.

I can see that if your attackers get smarter, the real name check could
be useful, but I'm not ready to add that as a feature. That could change
if they successfully attack me, but that hasn't happened yet.

-- 
Mark Sapiro <m...@msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
------------------------------------------------------
Mailman-Users mailing list Mailman-Users@python.org
https://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
https://mail.python.org/mailman/options/mailman-users/archive%40jab.org
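The two access-log lines Jim quoted show the pattern a list admin would want to pick out of a log: a GET of the listinfo page, then seconds later a request to the subscribe URL that carries the form fields (including sub_form_token) in the query string instead of a POST body, with the query repeated and the /mailman/ prefix missing. The following scanner is an added illustration for this thread, not code from the thread, from Mailman or from nginx. It assumes the standard combined log format, that the subscribe form is served under /mailman/ (as in the quoted log), and a 10-second listinfo-to-subscribe window; the sample log lines are constructed with documentation addresses and a placeholder token.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qsl

# Assumption: nginx/apache "combined" log format, one request per line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample: first pair mimics the bot from the thread, second pair
# is what a browser submitting the listinfo form looks like.
SAMPLE_LOG = """\
203.0.113.5 - - [22/Dec/2016:23:53:29 +0000] "GET /mailman/listinfo/users HTTP/1.1" 200 2866 "-" "Mozilla/5.0 (constructed)"
203.0.113.5 - - [22/Dec/2016:23:53:32 +0000] "GET /subscribe/users?sub_form_token=1%3Aabc&email=user%40example.com&fullname=x&pw=&pw-conf=&digest=1&email-button=user%40example.com&language=en&sub_form_token=1%3Aabc&email=user%40example.com HTTP/1.1" 404 162 "http://lists.example.org/" "Mozilla/5.0 (constructed)"
198.51.100.7 - - [22/Dec/2016:23:55:00 +0000] "GET /mailman/listinfo/users HTTP/1.1" 200 2866 "-" "Mozilla/5.0 (constructed)"
198.51.100.7 - - [22/Dec/2016:23:57:10 +0000] "POST /mailman/subscribe/users HTTP/1.1" 200 1200 "http://lists.example.org/mailman/listinfo/users" "Mozilla/5.0 (constructed)"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def suspicious_subscribe(rec):
    """Reasons why a single subscribe request looks scripted (empty list if it does not)."""
    reasons = []
    url = urlsplit(rec["path"])
    if not re.search(r"/subscribe/[^/]+$", url.path):
        return reasons
    keys = [k for k, _ in parse_qsl(url.query, keep_blank_values=True)]
    # The listinfo form is meant to be POSTed; form fields in a GET query are a tell.
    if rec["method"] == "GET" and "sub_form_token" in keys:
        reasons.append("form fields sent via GET instead of POST")
    # The quoted bot request carried the whole query three times over.
    if keys.count("sub_form_token") > 1:
        reasons.append("sub_form_token repeated %d times" % keys.count("sub_form_token"))
    # Assumption: the form lives under /mailman/; a bare /subscribe/ path points
    # at the "../subscribe" relative-URL mistake discussed in the thread.
    if not url.path.startswith("/mailman/"):
        reasons.append("subscribe path missing /mailman/ prefix")
    return reasons


def scan(lines, max_gap=timedelta(seconds=10)):
    """Correlate listinfo GETs with later subscribe requests from the same IP.

    Returns a list of (ip, timestamp, status, reasons) for requests worth a look.
    """
    last_listinfo = {}  # (ip, listname) -> time of most recent listinfo GET
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = urlsplit(rec["path"]).path
        m = re.search(r"/listinfo/([^/?]+)$", path)
        if m and rec["method"] == "GET":
            last_listinfo[(rec["ip"], m.group(1))] = rec["ts"]
            continue
        m = re.search(r"/subscribe/([^/?]+)$", path)
        if not m:
            continue
        reasons = suspicious_subscribe(rec)
        seen = last_listinfo.get((rec["ip"], m.group(1)))
        if seen is not None and rec["ts"] - seen <= max_gap:
            reasons.append("listinfo fetched %ds earlier" % (rec["ts"] - seen).seconds)
        if reasons:
            alerts.append((rec["ip"], rec["ts"], rec["status"], reasons))
    return alerts


if __name__ == "__main__":
    for ip, ts, status, reasons in scan(SAMPLE_LOG.splitlines()):
        print(ip, ts.isoformat(), status, "; ".join(reasons))
```

Only the first pair of constructed lines is reported: the GET carries the token in the query, repeats it, misses the /mailman/ prefix and follows the listinfo fetch by three seconds, while the POST from the second address trips none of the checks. As Mark notes, a bot that POSTs to the right URL after a realistic delay passes all of these tests, so the listinfo-gap check in particular is a tuning knob rather than a verdict; the point of logging the reasons separately is to see which tells a given botnet still leaves.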
