Petersen, Kirsten J - NET wrote:
Today I realized that all of the lists involved in this attack have their subscribe_policy set to just "require approval" rather than "confirm" or "confirm and approve". So I think the theory that spammers were just trying to get on the lists to harvest member addresses is probably correct.
Most likely, they are hitting all your lists but not answering confirmation requests because the bots don't know how or the confirmation requests are going to invalid or spoofed addresses.
My folks are beating down my door for a solution, too, and I can't think of a good one. We host lists for the international community, so any measure I take that makes it harder for external people to subscribe will negatively impact intended use. I am going to advise my list admins to enable confirmation, which should discourage these attempts.
It seems this is a solution.
It also occurred to me that I could write a script to monitor the vette log and purge requests that look suspicious - mainly based on the same email address attempting to subscribe to multiple unrelated lists at the same time.
If anyone else has any bright ideas about this problem, I would love to hear them.
For some time, there has been a withlist script, discard_address.py, at http://www.msapiro.net/scripts/ (mirrored at http://fog.ccsf.cc.ca.us/~msapiro/scripts/) which would discard all subscription requests and held posts from a specific address. While this is probably not too useful here, I have just created a new discard_subs.py script available at the same place which will discard all held subscription requests older than N days (can be 0) for a list or all lists.
--
Mark Sapiro mark@msapiro.net
San Francisco Bay Area, California
The highway is for gamblers, better use your sense - B. Dylan
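
The log-monitoring idea raised in the quoted message, sketched as an added example (not code from either poster or from the Mailman project). It assumes the Mailman 2.1 vette log line shape shown in the comment; the function name, thresholds and sample lines are constructed for illustration, and it only reports addresses, leaving the discard itself to the admin interface or a script such as discard_subs.py.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed Mailman 2.1 vette log shape (check it against your own log):
#   Jun 03 10:15:02 2015 (1234) listname: held subscription request from addr
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2} \d{4}) \(\d+\) "
    r"(?P<list>[^:\s]+): held subscription request from (?P<addr>\S+)$"
)

def suspicious_subscribers(lines, min_lists=3, window=timedelta(minutes=10)):
    """Return {address: sorted list names} for addresses with held
    subscription requests on >= min_lists distinct lists inside `window`."""
    events = defaultdict(list)  # address -> [(timestamp, listname)]
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # other vette entries (held posts etc.) are ignored
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S %Y")
        events[m["addr"].lower()].append((ts, m["list"].lower()))

    flagged = {}
    for addr, hits in events.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # Slide the left edge until the span fits inside `window`.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            lists = {name for _, name in hits[start:end + 1]}
            if len(lists) >= min_lists:
                flagged[addr] = sorted(set(flagged.get(addr, [])) | lists)
    return flagged

# Constructed sample lines, not taken from a real server.
SAMPLE = """\
Jun 03 10:15:02 2015 (1234) Chess-club: held subscription request from bot@example.net
Jun 03 10:15:04 2015 (1234) Physics-announce: held subscription request from bot@example.net
Jun 03 10:15:09 2015 (1234) Alumni-news: held subscription request from Bot@example.net
Jun 03 10:16:00 2015 (1234) Chess-club post from x@example.org held, message-id=<1@example.org>: Post by non-member to a members-only list
Jun 03 09:00:00 2015 (1230) Chess-club: held subscription request from alice@example.org
Jun 03 16:30:00 2015 (1301) Physics-announce: held subscription request from alice@example.org
"""

if __name__ == "__main__":
    for addr, lists in suspicious_subscribers(SAMPLE.splitlines()).items():
        print(addr, "->", ", ".join(lists))
```

Tune `min_lists` and `window` to the site: a legitimate user joining two related lists in one sitting should stay below the threshold.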