On 8/8/2017 12:22 PM, David Gibbs wrote:
> Anyone else noticing a distributed mass subscribe attack going on
> their lists?
>
> I've noticed a massive number of attempts a small subset of email
> addresses, with modifiers (address+modif...@example.com), going on.
>
> It appears the address is valid ... so it appears to be some kind of
> hit job to flood someone's inbox.

FWIW: I did a bit of hacking (super simple) and think I've found a way to thwart the attempt (at least on my server).

It appears that the bot that's doing the attack first gets the subscribe form, so it can retrieve the sub_form_token value, before it does a POST to do the subscribe.

I changed the subscribe & listinfo scripts to use a different name for the sub_form_token field. Something unique to my system.

I've seen a lot of GETs & POSTs from the hosts that were doing the attack and no subscribes logged.

david

David,

I forgot to mention I’m also working on a modsecurity rule to look at all POSTs and reject if they contain an email address with a + sign.

— Andy
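
Added example, not part of the thread and not Mailman code: one way to spot the pattern described above, where a few base addresses are hit with many different +modifiers from many hosts. The record format ("list address remote-host"), the thresholds and the function names are assumptions made for illustration; the sample records are constructed.

```python
from collections import defaultdict

# Constructed sample records, NOT real Mailman log lines.
# Assumed format: "<list> <address> <remote host>" per subscribe attempt.
SAMPLE = """\
announce victim+a1x@example.com 192.0.2.10
announce victim+b7q@example.com 198.51.100.4
discuss victim+zz9@example.com 203.0.113.77
discuss Victim+k3m@Example.com 192.0.2.55
announce alice+lists@example.org 192.0.2.10
announce bob@example.net 198.51.100.4
discuss victim+a1x@example.com 203.0.113.9
"""


def split_plus(address):
    """Return (base address, tag); tag is '' when there is no +modifier."""
    # Lower-casing is for grouping only; it is not an RFC statement.
    local, sep, domain = address.strip().lower().rpartition("@")
    if not sep or not local or not domain:
        return None, None  # not something we can treat as an address
    user, _, tag = local.partition("+")
    if not user:
        return None, None
    return f"{user}@{domain}", tag


def find_targets(lines, min_tags=3, min_hosts=3):
    """Map base address -> (distinct tags, distinct hosts) for likely targets.

    A single plus-address (a normal subscriber habit) is never flagged;
    only a base address seen with many tags from many hosts is.
    """
    tags = defaultdict(set)
    hosts = defaultdict(set)
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed records
        _listname, address, host = parts
        base, tag = split_plus(address)
        if base is None or not tag:
            continue  # only plus-addressed attempts are of interest here
        tags[base].add(tag)
        hosts[base].add(host)
    return {
        base: (len(tags[base]), len(hosts[base]))
        for base in tags
        if len(tags[base]) >= min_tags and len(hosts[base]) >= min_hosts
    }


if __name__ == "__main__":
    for base, (n_tags, n_hosts) in find_targets(SAMPLE.splitlines()).items():
        print(f"{base}: {n_tags} distinct modifiers from {n_hosts} hosts")
```

Base addresses flagged this way can be fed to a ban list or to a filter rule, which leaves ordinary subscribers who use a single plus-address unaffected.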