Re: [mailop] Mailman confirmation email denial of service
On 2020-08-21 at 09:23 +0200, Norbert Bollow via mailop wrote: > On Fri, 21 Aug 2020 10:03:48 +0300 Lena wrote: > > > > I have searched a few emails, but fail to see why they would be a > > > target. Maybe only a few of them are the real targets, with other > > > addresses being added in order to conceal those? > > > > I suspect that the bot is spamming random web-forms > > like various bots try to spam my guestbook with ads with links. > > If a bot sees an "email" field then it fills it with a random email > > address. Nope. This is not a dumb bot filling guestbooks that found mailman subscribe forms. It is actually filling it correctly (password, confirmation...) and, as shown below, without even fetching the page containing the form first. > I'm seeing the same phenomenon. > > The email addresses don't seem to be entirely random though, they look > to me as if they come from a somewhat dated list of real email addresses > of real people (some of those email address by now being invalid). It seems a real list of email addresses. > For this reason I suspect that this may be done by someone whose > “business” is email spamming. > > Maybe the idea behind that bot is that filling in the "email" field > with a real-looking email address might lead to being granted read > access to mailing list archives which could then be scraped for email > addresses to increase the target list for the spammer's main spam runs? That's a good theory, but doesn't seem to hold. In such case, I would expect the attacker to use a single (or a few) email address, that is actually verified so it subscribes and can then access the subscriber list. Or at least for them to try logging in with the pending requests. What I see is that there were a few of axios requests of the mailman/listinfo on the morning of Aug 18 from 193.110.203.153 (DMIT Cloud Services) and 3.23.96.118 (Amazon). And after that the requests started. Just direct POSTs to the subscribe forms, no attempt to log in or anything else. On 2020-08-21 at 08:30 -0400, Chris wrote: > I'm more wondering whether someone (allegedly) whitehat is trying to > populate spamtraps. That would make no sense, imho. First, a whitehat wouldn't be using a thousand different ip addresses to subscribe. If they wanted to populate spamtraps, it wouldn't repeat the email addresses. And it wouldn't be wise to subscribe a spamtrap to a mailing list... Regards ___ mailop mailing list mailop@mailop.org https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
Re: [mailop] Mailman confirmation email denial of service
On 2020-08-21 03:23, Norbert Bollow via mailop wrote: Maybe the idea behind that bot is that filling in the "email" field with a real-looking email address might lead to being granted read access to mailing list archives which could then be scraped for email addresses to increase the target list for the spammer's main spam runs? I'm more wondering whether someone (allegedly) whitehat is trying to populate spamtraps. ___ mailop mailing list mailop@mailop.org https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
Re: [mailop] Mailman confirmation email denial of service
On Fri, 21 Aug 2020 10:03:48 +0300 Lena--- via mailop wrote: > > I have searched a few emails, but fail to see why they would be a > > target. Maybe only a few of them are the real targets, with other > > addresses being added in order to conceal those? > > I suspect that the bot is spamming random web-forms > like various bots try to spam my guestbook with ads with links. > If a bot sees an "email" field then it fills it with a random email > address. I'm seeing the same phenomenon. The email addresses don't seem to be entirely random though, they look to me as if they come from a somewhat dated list of real email addresses of real people (some of those email address by now being invalid). For this reason I suspect that this may be done by someone whose “business” is email spamming. Maybe the idea behind that bot is that filling in the "email" field with a real-looking email address might lead to being granted read access to mailing list archives which could then be scraped for email addresses to increase the target list for the spammer's main spam runs? Greetings, Norbert ___ mailop mailing list mailop@mailop.org https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
Re: [mailop] Mailman confirmation email denial of service
> I have searched a few emails, but fail to see why they would be a > target. Maybe only a few of them are the real targets, with other > addresses being added in order to conceal those? I suspect that the bot is spamming random web-forms like various bots try to spam my guestbook with ads with links. If a bot sees an "email" field then it fills it with a random email address. ___ mailop mailing list mailop@mailop.org https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
Re: [mailop] Mailman confirmation email denial of service
On 2020-08-19 at 19:49 +0800, Philip Paeps via mailop wrote: > On 2020-08-19 17:51:51 (+0800), Andy Smith via mailop wrote: > > Since yesterday I've been seeing a large number of attempted > > subscriptions to all the public lists on one of my Mailman servers. > > There's so far been 160 attempted subscriptions for 69 unique email > > addresses. > > I see some of this on FreeBSD.org as well. Roughly the same magnitude > you're seeing. > > > Therefore I think it is an attack on these addresses. > > This has happened before... We have a hack in our webserver from June > 2018 when one specific address was being subscribed over and over and > over again to every single Mailman list on the internet. > > > All of the subscription requests are coming in with a UserAgent of > > "axios/0.19.2". I have for now blocked this in my web server: > > Since we're only seeing a couple of hundred of these so far, I'll hold > off adding yet another hack to our configuration. > > Thanks for the heads-up though. It's worth keeping an eye on these > things. We run an awful lot of mailing lists and it's not very > difficult for a script-kiddie to cause a flood of subscription > confirmations. > > Philip I was going to enable the 2018 mitigations... and it turns out it they were already active. Quite similar as reported, around here. It started subscribing lywlo...@gmail.com and lywlo...@gmail.com, then mmc49...@eoopy.com on multiple lists... a total of 221 emails so far, from 595 ip addresses... out of 601 attempts. Unlike in 2018, here each IP is doing a single subscription, the 6 cases with two subscriptions may have been errors... or the botnet is just so big that it is hard to be hit twice by the same IP. All of them with User-Agent axios/0.19.2, and password 123456789. $ while read email; do printf "%s" "$email" | md5sum; done < bademails.txt | cut -d\ -f 1 | sort 002e30ac2ab27d71e1537732bf5ec06a 01869f4f35ce0169312f3773497a29a4 02d759ac00b28334a5a27c7d4966fa0c 02edcda251d2bef9ff972d37e1b1a470 05ece2f3adfc85a71b784026e3ba5ef6 05f6395601d880499c8d074cb905e488 06ed53c37ed98e38c0e876e86eade551 0936c0d3b570f0845537de1eb9789a37 0fdfc7478c5ac8e6635b6eac845c86ec 10e07e9a1678d5d6a0cea12734bc2823 10ed518cc851aef9196a566d916961b6 1183d56764138d6dc62cc74eec9a571c 1339e82134c0da41a0d4e47e09ccfa11 150a67ba3a5e7a6a12ef70c45a24d189 166fcf0be322450a6431697b8824051e 1c9b9e0119c5ef975b69e9d13a63f6c9 1cfd2b74651e1c46b3d13cb38f11de30 1e37bafb524d678656f593b59240d9a4 2011f3d0d441fa7534126c5e6edd8e14 21345e3154d27a2b642410c6b85289ad 2286806547c7582aac75e037d564227e 23dccee843269d1dac84efe85d62e214 258ac25d939fc72cf35634b2773ff411 25ced9c6e47f90a2bd2d9ae4181f533f 2612d28cc89294aae069f3bdf4ae0bc7 2715a83b40bcf10d387c1add8bdb619f 27365a99b33910fed10d4304699b71aa 273b30472e9e7b0b59efb2573d9fb727 2751f0387dc5a6d75eacf544a075bfcb 285b450cc4d8eb088076eebb187ef915 28c418777878725215d280932f41ed47 2d57169596ea4ea49cbffb8dc8c91223 2dbafdfd2ea79d3ac3697daebda904b8 2e7d2f439f0d1ec2f1d9cc3ced65cf93 2f2017437f26632e41e0925a9b706b26 3030407a3a897cb79e2ed350866cc4f0 32568053ec7363187f4ec2dce9b2eecb 33e8f72c55972a3abd99ed6bbb275908 345cdc708b26d9c8f249e74384da 34b96e820067c0cfa56844279da3346b 34f2db2fbae6c6382102dd73444b4be6 3620b93fdf92223edaf36ee0d3dd7f79 373e1389bade3ef9bde30af1a2e4cd9e 3883f3370a534d9f51a4ad31c1b2fdf6 3adf1219508b9a69ef105624fb4a5d55 3afc3fa87ed45ced11359875d973ec30 3b8ff7c3f576f70adeedc38bb6570647 3c0cdcd022b28fae5a28f2c4ad799809 3c66cbd60de11f908732c7f095ee1b2a 3cb5d22552452b0148e87a3cb7c431f3 3daf65621edfa550913ba9f303bea6fc 3f329e034df78e15f13584e15255bb7a 3fbd6905b994a8b1908b2962afcd6a30 3ff6cc239738381c27a6f9cea546e779 40fdb2046825752098c490b0eecdf555 41470b171265f99895c6685b11047293 42cdb74a12513003d21e4f3411353f32 4412e075e9c3fd688456d4434418cadf 446364bc5884447e8b8aea233f7ae0bc 46939f2aaa3180a3c4d542d79f1ff828 47989c863bd591b7a8194eded00b0640 483030240284df5f3738a5375476182c 4a83ba5393ed329c6f3488cf8d872e61 4b1706c92ff7efb75fddbbccc1f20072 4c9778d8aa5bb9aaddcd6460d659a33a 4d0824627a77acfcf40cecbf90c66b2f 4d7fae798d142bef3b4d2ebb8df9e9b5 4f52792917af2ba8067344b275187ae3 4f88b267e125087b131a974de25eb39e 4fd4978b6fe1532e15c6065639f250f9 50629cf1e4bc58633f4f3448628819eb 510c89c867efa31d55354e7b4027c27f 5154726cd05db33ada39c0abbeec0103 51a4191cb35015b438325f64bd4b1d24 52c6674d6210a7fcb358a3369adb95f1 5402c9a8bcc42efa2667d3a43bd67078 54d12876511dcf424a55ba881b69cfa2 565afdcca629c972dbdb8a9e2198f4d6 56874f5e5aeb1b2c30987e0673cc4b28 56e4686325fd036bee6b088269d2ab8a 589e059fb25db3ecda9bfe76e08b3957 5aab3f1589ed4de4378c0d1782896f89 5ab5cec75772fb57216430e7af21f7f7 5d5689280c01513535af513a91414e57 5d8bb463bb35d5128c745f2a0c6be1ea 607cd521764bba22f60490c70a3e7d86 60ea5da2b15b5a6aa841daa02748c707 61ad1a9fa444ef82f3b69176a3ab 621ddceaf6597852c759972182c4f2b0 624d5a603eb66d76983c5a142141d13e 63315dede090d0a8b5d81f00fd706a2b 636e733b271e235f93ce7d6ccb884c5d 63fa3f8f27ea3071ece02172ba18ccf3 645ae31ebe6ee116
Re: [mailop] Mailman confirmation email denial of service
Hey, my initial check was Aug 18 09:50:53 2020 (7596) berlin: pending lywlo...@gmail.com 202.211.87.136 The IP comes from Japan with the same user agent. These were the next requests on my host: Aug 18 10:36:56 2020 (14780) kamikaze: pending fislisrb...@outlook.com 182.30.40.234 Aug 18 12:33:57 2020 (32629) kamikaze: pending mmc49...@eoopy.com 45.73.162.51 Aug 18 12:33:58 2020 (32634) kamikaze: pending mmc49...@eoopy.com 216.155.42.95 Aug 18 12:33:59 2020 (32635) kamikaze: pending mmc49...@eoopy.com 45.73.166.236 Aug 18 12:42:51 2020 (1734) kamikaze: pending mmc49...@eoopy.com 155.254.54.66 Aug 18 12:43:00 2020 (1748) berlin: pending mmc49...@eoopy.com 67.207.184.189 Aug 18 12:43:20 2020 (1749) berlin: pending mmc49...@eoopy.com 67.219.20.59 Aug 18 12:48:09 2020 (2497) kamikaze: pending mmc49...@eoopy.com 204.52.99.88 Aug 18 12:48:13 2020 (2505) kamikaze: pending mmc49...@eoopy.com 66.78.4.230 Aug 18 12:48:23 2020 (2513) kamikaze: pending mmc49...@eoopy.com 67.227.40.39 Aug 18 12:48:34 2020 (2517) science: pending mmc49...@eoopy.com 173.46.93.106 I looked up the user agent and it seems there is a javascript library Axios that can do HTTP requests und may be used with nodejs or from a browser. I am quite impressed by the many different IP addresses that are used and I wonder if something like this could be catched with XBL. Probably next time I will consider monitoring the number of pending subscription requests by the mailman log file and take down the mailman web interface until I could figure out what else to do. Cheers nosy ___ mailop mailing list mailop@mailop.org https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
Re: [mailop] Mailman confirmation email denial of service
After having thwarted additional attacks (thanks for the hint about SUBSCRIBE_FORM_SECRET!) I looked at our mailman logs to see if everything is quiet now, and to find patterns. Apparently the initial check was from a serbian IP address: Aug 18 10:01:55 2020 (8184) : pending mmc49...@eoopy.com 37.221.182.184 The mail address has md5sum 8161d22688eab8dd557aec1fd32192b7, so it's the same that you (Andy) saw 14 times, so it's likely that this address was the one used by the spammer to confirm that his scheme works. After that check, the other stupidly publicly advertised lists at our small site were tested with the same address, one was tested with another address at the same domain, and then a few minutes later the bot started to "register" victims. eoopy.com seems to be a domain used by 10minutemail.net to provide time-limited e-mail addresses. I don't think they would be willing or able to share information on who registered this mail address (it's all automated and like most anonymizing services they won't keep logs so LE can't force them to hand them over). Thinking up a specialized defense against this attack (just as keeping a list of such domains) is probably overkill, so this analysis is just here to possibly help understand what spammers do to circumvent anti-spam measures. We can't foresee what they come up with next, but we can react and harden our systems quickly. Cheers, Hans-Martin ___ mailop mailing list mailop@mailop.org https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
Re: [mailop] Mailman confirmation email denial of service
Hi, On Wed, Aug 19, 2020 at 07:53:43PM +0800, Philip Paeps via mailop wrote: > On 2020-08-19 18:24:30 (+0800), Andreas Schamanek via mailop wrote: > >BTW, Mailman mm_cfg.py option `SUBSCRIBE_FORM_SECRET` apparently mitigates > >the DoS, too. > > We've also had some success in the past with raising > SUBSCRIBE_FORM_MIN_TIME. Thanks both for these settings that I had overlooked. Cheers, Andy ___ mailop mailing list mailop@mailop.org https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
Re: [mailop] Mailman confirmation email denial of service
On 2020-08-19 18:24:30 (+0800), Andreas Schamanek via mailop wrote: On Wed, 19 Aug 2020, at 09:51, Andy Smith via mailop wrote: Since yesterday I've been seeing a large number of attempted subscriptions to all the public lists on one of my Mailman servers. (...) I can confirm this for my servers from top to end including some of the hashes. BTW, Mailman mm_cfg.py option `SUBSCRIBE_FORM_SECRET` apparently mitigates the DoS, too. We've also had some success in the past with raising SUBSCRIBE_FORM_MIN_TIME. It may catch out some legitimate subscribers with short email addresses (and/or who type quickly) but we've never heard anyone complain. Philip -- Philip Paeps Senior Reality Engineer Alternative Enterprises ___ mailop mailing list mailop@mailop.org https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
Re: [mailop] Mailman confirmation email denial of service
On 2020-08-19 17:51:51 (+0800), Andy Smith via mailop wrote: Since yesterday I've been seeing a large number of attempted subscriptions to all the public lists on one of my Mailman servers. There's so far been 160 attempted subscriptions for 69 unique email addresses. I see some of this on FreeBSD.org as well. Roughly the same magnitude you're seeing. Therefore I think it is an attack on these addresses. This has happened before... We have a hack in our webserver from June 2018 when one specific address was being subscribed over and over and over again to every single Mailman list on the internet. All of the subscription requests are coming in with a UserAgent of "axios/0.19.2". I have for now blocked this in my web server: Since we're only seeing a couple of hundred of these so far, I'll hold off adding yet another hack to our configuration. Thanks for the heads-up though. It's worth keeping an eye on these things. We run an awful lot of mailing lists and it's not very difficult for a script-kiddie to cause a flood of subscription confirmations. Philip -- Philip Paeps Senior Reality Engineer Alternative Enterprises ___ mailop mailing list mailop@mailop.org https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
Re: [mailop] Mailman confirmation email denial of service
Hello, seeing this here, too. But I did only receive a small number of requests (about 100 in the last day). Every IP I find in the logs connects only once to try to subscribe. The IP addresses are registered for 5 different providers in the US. Thanks for the UserAgent workaround. Cheers nosy -- * Marlen Caemmerer *Richard-Sorge-Str. 82 monoro * 10249 Berlin * * Tel: 0179/733 90 72 USt-ID: DE 252684276 ___ mailop mailing list mailop@mailop.org https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
Re: [mailop] Mailman confirmation email denial of service
On Wed, 2020-08-19 at 12:24 +0200, Andreas Schamanek via mailop wrote: > On Wed, 19 Aug 2020, at 09:51, Andy Smith via mailop wrote: > > > Since yesterday I've been seeing a large number of attempted > > subscriptions to all the public lists on one of my Mailman servers. > > (...) > > I can confirm this for my servers from top to end including some of > the hashes. > > BTW, Mailman mm_cfg.py option `SUBSCRIBE_FORM_SECRET` apparently > mitigates the DoS, too. +1 to this. Also, fail2ban on subscription 404s in your web server logs. -Jim P. ___ mailop mailing list mailop@mailop.org https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
Re: [mailop] Mailman confirmation email denial of service
On Wed, 19 Aug 2020, at 09:51, Andy Smith via mailop wrote: Since yesterday I've been seeing a large number of attempted subscriptions to all the public lists on one of my Mailman servers. (...) I can confirm this for my servers from top to end including some of the hashes. BTW, Mailman mm_cfg.py option `SUBSCRIBE_FORM_SECRET` apparently mitigates the DoS, too. -- -- Andreas :-) ___ mailop mailing list mailop@mailop.org https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
Re: [mailop] Mailman confirmation email denial of service
Am 19.08.20 um 11:51 schrieb Andy Smith via mailop: > Hi, > > Not sure if this is the best place to mention this, but… > > Since yesterday I've been seeing a large number of attempted > subscriptions to all the public lists on one of my Mailman servers. > There's so far been 160 attempted subscriptions for 69 unique email addresses. > > These addresses never complete the process to sign up, and indeed > email delivery to many of these addresses is currently temporarily > rejected as they are receiving emails at too high a rate. I've seen them too, apparently most are hosted with Colocation America (AS21769), some with RELIABLESITE if that's the right name (AS23470). Had to disable Mailman web access. The goal is apparently to spam the "subscribing" addresses through the Mailman responses which apparently include a "name" given by the bot which is most likely just a spam link. This kind of spam has been going on for a while using normal contact web forms, some of the Sendgrid spam was caused by this, too. Spamming through abuse of regular services instead of renting hosts or utilizing botnets directly seems to be a trend, maybe blocking dynamic IPs and spammer-friendly hosters does have an effect. However, since I reject dynamic IP and spammer-friendly hosting myself pretty reliably, it's possible that the residue of spam stuill getting through is of this different kind. Cheers, Hans-Martin ___ mailop mailing list mailop@mailop.org https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop