Bogus/forged subscription attempts: request for comments and possibly data

If you (Mailman site operators) have a spare moment, please try running this:
------------cut here--------------
#!/bin/sh
# Pull "pending" web subscriptions out of Mailman's subscribe log whose
# real name, local part and domain are all lowercase alpha and whose
# domain is a bare <word>.com, then drop the common freemail providers
# and strip the pid/list-name prefix so only timestamp, name, address
# and source IP remain.
cd /var/local/mailman/logs || exit 1
egrep "pending [a-z]+ <[a-z]+@[a-z]+\.com>" subscribe |
  egrep -v "@gmail.com" |
  egrep -v "@hotmail.com" |
  egrep -v "@msn.com" |
  egrep -v "@aol.com" |
  egrep -v "@yahoo.com" |
  sed -e "s/(.*pending//"
------------cut here--------------
This is a first-cut, mildly sloppy script that will try to match some patterns of interest that I've noticed in my "subscribe" log and that might be in yours. The egrep clauses are in there to throw away data not of interest; the sed snips off the mailing list name and some other irrelevancies.
Here is what the last 10 lines of its output look like on my system:
Jun 06 00:14:32 2014 ehkfioxlkrr <yujwjs@zwdxgc.com> 62.210.226.131
Jun 06 13:23:16 2014 norchmecn <stydst@zdddmk.com> 86.51.26.20
Jun 07 02:06:20 2014 eljult <qbprgi@wabtdh.com> 86.51.26.11
Jun 07 13:21:20 2014 dvlevbpj <drksji@nlcvek.com> 210.14.138.102
Jun 07 15:41:10 2014 sdbdelkv <mtpdky@ghazhc.com> 86.51.26.18
Jun 07 16:17:10 2014 yqrebrgipo <ubnpwl@cgtnki.com> 86.51.26.20
Jun 08 06:37:12 2014 cihjwn <soudms@bprryw.com> 202.143.148.58
Jun 08 06:55:47 2014 ehxvwgrboo <iouwxm@mnaisa.com> 86.51.26.21
Jun 08 23:47:58 2014 qqpluym <jpbcnw@qkvfdi.com> 190.14.219.166
Jun 09 16:44:15 2014 mloepuj <figjdt@jjxlcu.com> 172.245.142.194
This is forged gibberish, of course. The user real name is always a lowercase alpha string. The email address is also, both LHS and RHS, and the TLD is always .com. (Hence the regexp in the first egrep.)
I'm curious. First, is anybody else seeing these? Second, does anyone have a theory as to their purpose? And third, is there any value in combining data to see if patterns emerge? (I have some privacy concerns about that last one, since real email addresses might leak through, so I suspect if we decided to do that, it would be best to remove everything but the timestamp and IP address. I doubt the gibberish has any real explanatory value anyway.)
---rsk
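The same pattern match as the shell script above, written as an added Python example (not part of the original post) so the hits can be aggregated by source IP and reduced to the timestamp-plus-IP form the post suggests for sharing. The log lines are constructed for the example; the assumed layout (timestamp, pid in parentheses, list name, "pending", real name, angle-bracketed address, remote IP) is the one the script's sed strips down to.

```python
import re
from collections import Counter

# Constructed sample of Mailman 2 "subscribe" log lines (assumed layout).
SAMPLE_LOG = """\
Jun 06 00:14:32 2014 (4242) mylist: pending ehkfioxlkrr <yujwjs@zwdxgc.com> 62.210.226.131
Jun 06 09:02:11 2014 (4242) mylist: pending Jane Doe <jane.doe@gmail.com> 198.51.100.7
Jun 06 13:23:16 2014 (4242) mylist: pending norchmecn <stydst@zdddmk.com> 86.51.26.20
Jun 07 02:06:20 2014 (4242) otherlist: pending eljult <qbprgi@wabtdh.com> 86.51.26.11
Jun 07 10:00:00 2014 (4242) mylist: pending bob <bob@example.org> 203.0.113.9
Jun 07 15:41:10 2014 (4242) mylist: pending sdbdelkv <mtpdky@ghazhc.com> 86.51.26.20
Jun 08 06:37:12 2014 (4242) mylist: new cihjwn <soudms@bprryw.com> 202.143.148.58
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d\d \d\d:\d\d:\d\d \d{4}) \(\d+\) "
    r"(?P<list>[^:]+): pending (?P<name>.*?) <(?P<addr>[^>]+)> (?P<ip>\S+)$"
)
LOWER_ALPHA = re.compile(r"^[a-z]+$")
BARE_COM = re.compile(r"^[a-z]+\.com$")
FREEMAIL = {"gmail.com", "hotmail.com", "msn.com", "aol.com", "yahoo.com"}


def parse_pending(line):
    """Parse one 'pending' log line into a dict, or return None."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    local, _, domain = rec["addr"].rpartition("@")
    rec["local"], rec["domain"] = local, domain.lower()
    return rec


def looks_forged(rec):
    """The pattern from the post: lowercase-alpha real name and local part,
    a bare <word>.com domain, and not one of the big freemail providers."""
    return (
        LOWER_ALPHA.match(rec["name"]) is not None
        and LOWER_ALPHA.match(rec["local"]) is not None
        and BARE_COM.match(rec["domain"]) is not None
        and rec["domain"] not in FREEMAIL
    )


def scan(log_text):
    """All pending entries in the log that match the forged pattern."""
    return [rec for rec in map(parse_pending, log_text.splitlines())
            if rec is not None and looks_forged(rec)]


def by_ip(hits):
    return Counter(h["ip"] for h in hits)


def by_prefix24(hits):
    """Group by the first three octets to surface a single source network."""
    return Counter(h["ip"].rsplit(".", 1)[0] for h in hits)


def privacy_safe(hits):
    """Only timestamp and IP: the fields that can be pooled across sites
    without leaking real subscriber addresses."""
    return [(h["ts"], h["ip"]) for h in hits]


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for ts, ip in privacy_safe(hits):
        print(ts, ip)
    print(by_prefix24(hits).most_common())
```

Feed it the real log with `scan(open("/var/local/mailman/logs/subscribe").read())`. The lowercase-only regexes encode the pattern seen in this post; a site seeing a different shape (for instance all-capitals local parts) would swap `LOWER_ALPHA` for a matching expression.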

On 06/09/2014 04:11 PM, Rich Kulawiec wrote:
This is a first-cut, mildly sloppy script that will try to match some patterns of interest that I've noticed in my "subscribe" log and that might be in yours.
...
Here is what the last 10 lines of its output look like on my system:
Jun 06 00:14:32 2014 ehkfioxlkrr <yujwjs@zwdxgc.com> 62.210.226.131
Jun 06 13:23:16 2014 norchmecn <stydst@zdddmk.com> 86.51.26.20
Jun 07 02:06:20 2014 eljult <qbprgi@wabtdh.com> 86.51.26.11
Jun 07 13:21:20 2014 dvlevbpj <drksji@nlcvek.com> 210.14.138.102
Jun 07 15:41:10 2014 sdbdelkv <mtpdky@ghazhc.com> 86.51.26.18
Jun 07 16:17:10 2014 yqrebrgipo <ubnpwl@cgtnki.com> 86.51.26.20
Jun 08 06:37:12 2014 cihjwn <soudms@bprryw.com> 202.143.148.58
Jun 08 06:55:47 2014 ehxvwgrboo <iouwxm@mnaisa.com> 86.51.26.21
Jun 08 23:47:58 2014 qqpluym <jpbcnw@qkvfdi.com> 190.14.219.166
Jun 09 16:44:15 2014 mloepuj <figjdt@jjxlcu.com> 172.245.142.194
This is forged gibberish, of course.
...
I'm curious. First, is anybody else seeing these?
Some people are.
Second, does anyone have a theory as to their purpose?
They are spammers attempting to subscribe to your list(s) via POSTs to the web subscribe CGI. Presumably if they successfully subscribe, they will then spam the list.
If you have Mailman 2.1.16 or later, you can mitigate this by setting
SUBSCRIBE_FORM_SECRET = "Some site specific string"
in mm_cfg.py. See <https://bugs.launchpad.net/mailman/+bug/1082746>.
This is from the NEWS file:
There is a new mm_cfg.py setting SUBSCRIBE_FORM_SECRET which will put a dynamically generated, hidden hash in the listinfo subscribe form and check it upon submission. Setting this will prevent automated processes (bots) from successfully POSTing web subscribes without first retrieving and parsing the form from the listinfo page. The form must also be submitted no later than FORM_LIFETIME nor no earlier than SUBSCRIBE_FORM_MIN_TIME after retrieval. Note that enabling this will break any static subscribe forms on your site. See the description in Defaults.py for more info. (LP: #1082746)
-- 
Mark Sapiro <mark@msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
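The mechanism the NEWS entry describes, as an added Python example modeled on that description (this is not Mailman's own code, and its construction of the hidden value differs from whatever Mailman uses): the listinfo page embeds a time-stamped keyed hash, the subscribe CGI recomputes it and rejects submissions that carry no valid hash, arrive faster than SUBSCRIBE_FORM_MIN_TIME, or are older than FORM_LIFETIME. HMAC-SHA256, binding the hash to the list name and the client address, and the two time-bound values are assumptions of the example; the real defaults for those settings are in Defaults.py.

```python
import hashlib
import hmac
import time

# Assumed values: set SUBSCRIBE_FORM_SECRET in mm_cfg.py; the real defaults
# for the two time bounds live in Mailman's Defaults.py.
SUBSCRIBE_FORM_SECRET = "replace-with-a-long-site-specific-string"
FORM_LIFETIME = 60 * 60        # seconds a retrieved form stays usable (assumed)
SUBSCRIBE_FORM_MIN_TIME = 5    # seconds before a submission is plausible (assumed)


def _mac(issued, listname, remote_addr, secret):
    # Keyed hash over the issue time and the context the form was served in
    # (list name and client address are example choices, not Mailman's).
    msg = "%d:%s:%s" % (issued, listname, remote_addr)
    return hmac.new(secret.encode(), msg.encode(), hashlib.sha256).hexdigest()


def make_token(listname, remote_addr, now=None, secret=SUBSCRIBE_FORM_SECRET):
    """Value for the hidden form field, generated when listinfo is rendered."""
    issued = int(time.time()) if now is None else int(now)
    return "%d:%s" % (issued, _mac(issued, listname, remote_addr, secret))


def check_token(token, listname, remote_addr, now=None,
                secret=SUBSCRIBE_FORM_SECRET):
    """Validate the submitted hidden field; returns (ok, reason)."""
    now = int(time.time()) if now is None else int(now)
    try:
        issued_s, mac = token.split(":", 1)
        issued = int(issued_s)
    except (ValueError, AttributeError):
        return False, "malformed"      # bot POSTed without fetching the form
    expected = _mac(issued, listname, remote_addr, secret)
    if not hmac.compare_digest(mac, expected):
        return False, "bad-mac"        # wrong list/IP/secret or edited timestamp
    age = now - issued
    if age < SUBSCRIBE_FORM_MIN_TIME:
        return False, "too-fast"       # fetched and submitted faster than a human
    if age > FORM_LIFETIME:
        return False, "expired"        # held or replayed too long after issue
    return True, "ok"


if __name__ == "__main__":
    t = make_token("mylist", "203.0.113.9")
    print(t)
    print(check_token(t, "mylist", "203.0.113.9"))
    print(check_token("", "mylist", "203.0.113.9"))
```

Because the value is generated per page render, a static subscribe form copied onto another page carries no valid hash and is rejected, which is the breakage the NEWS entry warns about. Binding to the client address is a design choice with a cost: a client whose address changes between fetching and submitting (some proxies and NATs) will fail with "bad-mac".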

On Mon, 09 Jun 2014 17:01:19 -0700 Mark Sapiro <mark@msapiro.net> wrote:
They are spammers attempting to subscribe to your list(s) via POSTs to the web subscribe CGI. Presumably if they successfully subscribe, they will then spam the list.
If you have Mailman 2.1.16 or later, you can mitigate this by setting
SUBSCRIBE_FORM_SECRET = "Some site specific string"
Another option might be using fail2ban. Almost all of my attackers come from the same few addresses in Vietnam. A few black hole routes and they were history. I haven't bothered with fail2ban yet, but it probably is a reasonable option.
(Mine all have ALLCAPS@ addresses.)
Perry
Perry E. Metzger perry@piermont.com

On Mon, 09 Jun 2014 17:01:19 -0700 Mark Sapiro <mark@msapiro.net> wrote:
They are spammers attempting to subscribe to your list(s) via POSTs to the web subscribe CGI. Presumably if they successfully subscribe, they will then spam the list.
BTW, I don't quite understand this. Why would splatting random addresses at you help them? Why not just pick real addresses they control? Successfully subscribing is easy, and generating seemingly random addresses won't get them subscribed since the addresses will never get a confirmation round trip.
Perry
Perry E. Metzger perry@piermont.com

Who said spamming has to be logical? I once read that spammers often use outdated, stolen, spamming software that spams in ways that were obsolete years ago.
Peter Shute
-----Original Message-----
From: Mailman-Users [mailto:mailman-users-bounces+pshute=nuw.org.au@python.org] On Behalf Of Perry E. Metzger
Sent: Tuesday, 10 June 2014 11:49 AM
To: Mark Sapiro
Cc: mailman-users@python.org
Subject: Re: [Mailman-Users] Bogus/forged subscription attempts: request for comments and possibly data
On Mon, 09 Jun 2014 17:01:19 -0700 Mark Sapiro <mark@msapiro.net> wrote:
They are spammers attempting to subscribe to your list(s) via POSTs to the web subscribe CGI. Presumably if they successfully subscribe, they will then spam the list.
BTW, I don't quite understand this. Why would splatting random addresses at you help them? Why not just pick real addresses they control? Successfully subscribing is easy, and generating seemingly random addresses won't get them subscribed since the addresses will never get a confirmation round trip.
Perry
Perry E. Metzger perry@piermont.com

Perry E. Metzger writes:
BTW, I don't quite understand this. Why would splatting random addresses at you help them? Why not just pick real addresses they control? Successfully subscribing is easy, and generating seemingly random addresses won't get them subscribed since the addresses will never get a confirmation round trip.
Spammers are generally greedy but not bright?
BTW, to answer Rich's question, yes, I'm seeing them too, in the all-lowercase form, on some but not all lists. I'm not sure why they pick the lists they do.

On Tue, 10 Jun 2014 11:48:49 +0900 "Stephen J. Turnbull" <stephen@xemacs.org> wrote:
Perry E. Metzger writes:
BTW, I don't quite understand this. Why would splatting random addresses at you help them? Why not just pick real addresses they control? Successfully subscribing is easy, and generating seemingly random addresses won't get them subscribed since the addresses will never get a confirmation round trip.
Spammers are generally greedy but not bright?
Spammers do this work full time to feed themselves. Just as you get up in the morning and go to your office, they get up every morning and figure out their next step to keep the money coming in -- their families depend on it.
They rarely do anything that doesn't work -- if they do, they end up without any money coming in with which to support themselves. There have been significant academic studies of the market, and they indicate that your portrayal isn't accurate.
I would presume that if you don't understand what they're doing, it isn't because it is completely irrational, but rather because you don't get exactly what they're attempting.
Perry
Perry E. Metzger perry@piermont.com

Perry E. Metzger writes:
have been significant academic studies of the market, and they indicate that your portrayal isn't accurate.
I was incautious; "smart" spammers go back at least to Canter and Siegel. What I should have written was "spammers are greedy, but many aren't too smart."
I don't do such studies myself, but my colleagues do a lot of those studies for various markets. What those studies invariably show is that (1) the most profitable businesses generally are reasonably smart -- getting to the top may have been a matter of luck but staying there takes work and some smarts, and (2) there is usually a large fringe of "noise traders", agents who are doing pretty random things. Some of the latter can get big enough to be noticed before their bubbles burst.
I would presume that if you don't understand what they're doing, it isn't because it is completely irrational, but rather because you don't get exactly what they're attempting.
That's possible. Nevertheless I suspect that there are quite a few out there who are doing things that make sense only to themselves and will disappear in unprofitability (although some may be deliberately random, as in "fuzzer"-style software testing).
Either way, though, some spammer behavior is inexplicable and it's probably not worth trying too hard to figure it out.
Steve

At Mon, 9 Jun 2014 21:48:38 -0400 "Perry E. Metzger" <perry@piermont.com> wrote:
On Mon, 09 Jun 2014 17:01:19 -0700 Mark Sapiro <mark@msapiro.net> wrote:
They are spammers attempting to subscribe to your list(s) via POSTs to the web subscribe CGI. Presumably if they successfully subscribe, they will then spam the list.
BTW, I don't quite understand this. Why would splatting random addresses at you help them? Why not just pick real addresses they control? Successfully subscribing is easy, and generating seemingly random addresses won't get them subscribed since the addresses will never get a confirmation round trip.
It depends. Some 'spammers' use scripts that seek out <form ... method="post" ..> tags and then issue POST requests to the action= attribute. In some cases this results in 'posting' content of some sort to web sites (eg comment / forum spam). Or it generates E-Mails to someone who might respond to the content. In other cases it is a form of denial of service attack, overwhelming the server. In some cases, it is totally 'mindless', eg generated data using field names as a guide as to what to generate: such as random E-Mail addresses for a field with a name like 'email', and so on.
Perry
-- 
Robert Heller             -- 978-544-6933 / heller@deepsoft.com
Deepwoods Software        -- http://www.deepsoft.com/
()  ascii ribbon campaign -- against html e-mail
/\  www.asciiribbon.org   -- against proprietary attachments
participants (6)
- Mark Sapiro
- Perry E. Metzger
- Peter Shute
- Rich Kulawiec
- Robert Heller
- Stephen J. Turnbull