On 2020-08-21 at 09:23 +0200, Norbert Bollow via mailop wrote:
> On Fri, 21 Aug 2020 10:03:48 +0300 Lena wrote:
> 
> > > I have searched a few emails, but fail to see why they would be a
> > > target. Maybe only a few of them are the real targets, with other
> > > addresses being added in order to conceal those?  
> > 
> > I suspect that the bot is spamming random web-forms
> > like various bots try to spam my guestbook with ads with links.
> > If a bot sees an "email" field then it fills it with a random email
> > address.

Nope. This is not a dumb bot filling guestbooks that found mailman
subscribe forms. It is actually filling it correctly (password,
confirmation...) and, as shown below, without even fetching the page
containing the form first.


> I'm seeing the same phenomenon.
> 
> The email addresses don't seem to be entirely random though, they look
> to me as if they come from a somewhat dated list of real email addresses
> of real people (some of those email addresses by now being invalid).

It seems to be a real list of email addresses.


> For this reason I suspect that this may be done by someone whose
> “business” is email spamming.
> 
> Maybe the idea behind that bot is that filling in the "email" field
> with a real-looking email address might lead to being granted read
> access to mailing list archives which could then be scraped for email
> addresses to increase the target list for the spammer's main spam runs?

That's a good theory, but doesn't seem to hold.

In such a case, I would expect the attacker to use a single (or a few)
email address that is actually verified, so it subscribes and can then
access the subscriber list.
Or at least for them to try logging in with the pending requests.

What I see is that there were a few axios requests to
mailman/listinfo on the morning of Aug 18 from 193.110.203.153 (DMIT
Cloud Services) and 3.23.96.118 (Amazon). And after that the requests
started. Just direct POSTs to the subscribe forms, no attempt to log in
or anything else.


On 2020-08-21 at 08:30 -0400, Chris wrote:
> I'm more wondering whether someone (allegedly) whitehat is trying to 
> populate spamtraps.

That would make no sense, imho.
First, a whitehat wouldn't be using a thousand different IP addresses to
subscribe. If they wanted to populate spamtraps, they wouldn't repeat the
email addresses. And it wouldn't be wise to subscribe a spamtrap to a
mailing list...

Regards


_______________________________________________
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
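The pattern described in the message above (subscribe POSTs from many addresses that never fetched the listinfo form, preceded by a couple of axios fetches of the form) can be picked out of a web-server access log. The script below is an added example, not part of the thread or of Mailman; the log lines, IPs (documentation ranges) and user agents are constructed, and it assumes the Mailman 2 `/mailman/listinfo/<list>` and `/mailman/subscribe/<list>` paths and chronological log order.

```python
import re
from collections import defaultdict

# Constructed Apache-style access log lines (sample data, not real list-server
# logs). Two clients fetch the listinfo page, then subscribe POSTs arrive, most
# of them from addresses that never requested the form at all.
SAMPLE_LOG = """\
198.51.100.7 - - [18/Aug/2020:09:12:01 +0200] "GET /mailman/listinfo/mailop HTTP/1.1" 200 5120 "-" "axios/0.19.2"
203.0.113.4 - - [18/Aug/2020:09:13:44 +0200] "GET /mailman/listinfo/mailop HTTP/1.1" 200 5120 "-" "axios/0.19.2"
192.0.2.10 - - [18/Aug/2020:10:01:02 +0200] "POST /mailman/subscribe/mailop HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
192.0.2.11 - - [18/Aug/2020:10:01:05 +0200] "POST /mailman/subscribe/mailop HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
192.0.2.12 - - [18/Aug/2020:10:01:09 +0200] "POST /mailman/subscribe/mailop HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
198.51.100.7 - - [18/Aug/2020:10:05:00 +0200] "POST /mailman/subscribe/mailop HTTP/1.1" 200 2210 "-" "axios/0.19.2"
203.0.113.99 - - [18/Aug/2020:10:07:30 +0200] "GET /mailman/listinfo/mailop HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.99 - - [18/Aug/2020:10:08:12 +0200] "POST /mailman/subscribe/mailop HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
LISTINFO_RE = re.compile(r"^/mailman/listinfo/(?P<lst>[^/?]+)")
SUBSCRIBE_RE = re.compile(r"^/mailman/subscribe/(?P<lst>[^/?]+)")


def parse_log(text):
    """Parse combined-format lines into dicts; non-matching lines are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]


def find_blind_subscribes(entries):
    """Return subscribe POSTs whose source IP never fetched that list's form.

    A browser-driven subscription is preceded by a GET of the listinfo page
    from the same client (entries assumed chronological, as in a log file).
    """
    seen_form = defaultdict(set)  # ip -> lists whose form that ip fetched
    blind = []
    for e in entries:
        if e["method"] == "GET" and (m := LISTINFO_RE.match(e["path"])):
            seen_form[e["ip"]].add(m["lst"])
        elif e["method"] == "POST" and (m := SUBSCRIBE_RE.match(e["path"])):
            if m["lst"] not in seen_form[e["ip"]]:
                blind.append(e)
    return blind


def distinct_subscribe_ips(entries):
    """Count distinct sources of subscribe POSTs (a wide spread of addresses
    is the other signal mentioned in the thread)."""
    return len({e["ip"] for e in entries
                if e["method"] == "POST" and SUBSCRIBE_RE.match(e["path"])})


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    for e in find_blind_subscribes(log):
        print(f'{e["ts"]} {e["ip"]} POST {e["path"]} without a prior form fetch')
    print("distinct subscribe sources:", distinct_subscribe_ips(log))
```

Counting blind POSTs per list over a day, and the number of distinct sources behind them, gives a simple threshold to alert on before the confirmation mails pile up.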
