On 8/18/21 1:15 PM, David Gibbs via Mailman-Users wrote:
Folks:
Is anyone else seeing requests to their mailman install that look
something like this:
Aug 18 15:10:16 2021 (31166) Hostile listname:
Jon Baron wrote:
>> Aug 18 15:10:16 2021 (31166) Hostile listname:
>> listname=midrange-l__;!!NVq9dfhzMyHqTw!wLl-dt8zxsuQuoyojs-UYmT_d65WZroClHaYGfHduJ561eT0B7baTQV1ogZzQKRRsw$:
>>
>> remote=52.34.76.65
>>
>> Basically, the list name is correct, but the added "__;!NV..." makes it
>> invalid.
I don't understand the terms you use. So I will not comment further on
this thread. "Web UI"? "Email"?
However, I did suggest using Google to find out more about
Proofpoint. All the information is there. They do have a goal. Whether
they achieve it, I do not know.
Jon
--
Jonathan Baron,
On 8/18/21 3:36 PM, Jon Baron wrote:
I'm pretty sure that this comes from Proofpoint's "URL Defense"
system.
Ah. OK.
But I don't understand what you mean by "hostile
listname" being "correct".
The listname before the garbage is correct.
I suggest running all messages through
On 8/18/21 11:34 PM, Stephen J. Turnbull wrote:
Is anyone else seeing requests to their mailman install that look
something like this:
Aug 18 15:10:16 2021 (31166) Hostile listname:
listname=midrange-l__;!!NVq9dfhzMyHqTw!wLl-dt8zxsuQuoyojs-UYmT_d65WZroClHaYGfHduJ561eT0B7baTQV1ogZzQKRRsw$:
On 08/18/21 15:15, David Gibbs via Mailman-Users wrote:
> Is anyone else seeing requests to their mailman install that look
> something like this:
>
> Aug 18 15:10:16 2021 (31166) Hostile listname:
>
I'm pretty sure that this comes from Proofpoint's "URL Defense"
system. (Google it.) But I don't understand what you mean by "hostile
listname" being "correct". What comes before the __ is usually a URL,
and there is also a __ BEFORE the URL begins. If you use a graphical
mail client (like Gmail),
On 8/18/2021 1:15 PM, David Gibbs via Mailman-Users wrote:
The pattern is rather consistent ... "__;!NV" followed by a bunch of garbage.
I don't recognize the encoding, but that looks like someone is trying an SQL
injection attack. I could also be wrong.
z!
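
Added example (not from any poster in this thread or from the Mailman project): Python that triages "Hostile listname" entries from a Mailman error log, separating names that are a known list followed by the `__;...!!...$` suffix quoted above from everything else. The suffix regex is an assumption inferred from the single sample in the thread, each entry is assumed to sit on one log line, and the log lines, list names and `known_lists` values are constructed.

```python
import re
from collections import Counter

# Entry layout as quoted in the thread: "Hostile listname: listname=<name>: remote=<ip>"
ENTRY = re.compile(r"Hostile listname: listname=(?P<name>.*): remote=(?P<remote>\S+)\s*$")

# Assumed suffix shape, inferred from the thread's sample:
# <list> "__;" <optional chars> "!!" <opaque token> "$"
REWRITE_SUFFIX = re.compile(
    r"^(?P<list>[A-Za-z0-9._+-]+)__;(?P<repl>[^!]*)!!(?P<token>[A-Za-z0-9_!-]+)\$$"
)

# Constructed sample log lines (documentation IP ranges, made-up tokens).
SAMPLE_LOG = [
    "Aug 18 15:10:16 2021 (31166) Hostile listname: listname=example-l__;!!EXAMPLEtoken01!CONSTRUCTED-token_value$: remote=203.0.113.10",
    "Aug 18 15:12:40 2021 (31166) Hostile listname: listname=example-l__;!!EXAMPLEtoken01!CONSTRUCTED-token_value$: remote=203.0.113.10",
    "Aug 18 15:20:02 2021 (31170) Hostile listname: listname=other-l__;!!EXAMPLEtoken02!another_TOKEN$: remote=203.0.113.11",
    "Aug 18 15:31:55 2021 (31171) Hostile listname: listname=example-l??x: remote=198.51.100.7",
    "Aug 18 15:40:00 2021 (31172) some unrelated error line",
]


def triage(lines, known_lists):
    """Return (mangled, review).

    mangled: Counter keyed by (list, remote) for names that are a known list
             plus the rewritten-link suffix, i.e. a real link that got mangled.
    review:  (raw listname, remote) pairs that do not fit that pattern and
             should be looked at by a person.
    """
    mangled, review = Counter(), []
    for line in lines:
        entry = ENTRY.search(line)
        if not entry:
            continue  # not a "Hostile listname" entry
        hit = REWRITE_SUFFIX.match(entry["name"])
        if hit and hit["list"] in known_lists:
            mangled[(hit["list"], entry["remote"])] += 1
        else:
            review.append((entry["name"], entry["remote"]))
    return mangled, review


if __name__ == "__main__":
    mangled, review = triage(SAMPLE_LOG, known_lists={"example-l"})
    for (name, remote), count in mangled.items():
        print(f"mangled link to {name} from {remote}: {count} hit(s)")
    for raw, remote in review:
        print(f"needs review: {raw!r} from {remote}")
```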