Over the past couple of months, I've observed a series of attacks against Mailman that are likely related because they use the same tactic every time.
That tactic is to use Mailman's web interface to generate multiple subscription requests for multiple people. My guess is that the goal may be either (a) to harass those people or (b) to get the outbound subscription confirmation requests from Mailman marked as spam (in mail systems which support that function) or (c) both.
To spot this: check your subscription logs for bursts of activity -- in particular, subscription requests for the same address to multiple lists (including multiple unrelated mailing lists), and in further particular, requests that are never ACK'd, AND, in further particular, requests that originate from network space unlikely to be populated by real users.
Of course I have no way of knowing if the instance I'm looking at is the only one being targeted or whether others are seeing this as well. On that point, it might be useful for those of you reading this to extract the networks below and use "grepcidr" or a similar tool to check them against your logs. That's part of my reason for writing this.
The other part is to share the lists of network allocations that I've firewalled out from ports 80 and 443; all of these participated in one or more attacks (and subsequently tried to participate in others, but were blocked). You may want to preemptively drop these into your firewall(s) IF it turns out that other Mailman instances are also being targeted.
Here they are, in three groups:
---rsk
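As an added example (not part of the thread), this Python applies the heuristics from the post to Mailman's "subscribe" log: one address pending on several lists, requests never ACK'd, a burst in a short window, and source addresses inside suspect networks (the job grepcidr does, done here with the standard ipaddress module). The log-line format is an approximation of Mailman 2's, and the sample lines and networks are constructed (RFC 5737 documentation ranges), not the allocations posted above.

```python
"""Flag subscription-request abuse in a Mailman 'subscribe' log: one address
pending on several lists, never confirmed, from a burst or a suspect network.
Log format approximates Mailman 2; networks and lines here are constructed."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Placeholder networks (RFC 5737 documentation ranges), not the post's list.
SUSPECT_NETS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/25")]
# Constructed sample lines: "Mon DD HH:MM:SS YYYY (pid) list: action addr [ip]"
SAMPLE_LOG = """\
Mar 03 10:00:01 2021 (4242) list-a: pending victim@example.org 192.0.2.17
Mar 03 10:00:03 2021 (4242) list-b: pending victim@example.org 192.0.2.17
Mar 03 10:00:04 2021 (4242) list-c: pending victim@example.org 192.0.2.18
Mar 03 10:05:00 2021 (4242) list-a: pending alice@example.com 203.0.113.9
Mar 03 10:07:30 2021 (4242) list-a: new alice@example.com
"""
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2} \d{4}) \(\d+\) (?P<list>\S+): "
    r"(?P<action>pending|new) (?P<addr>\S+)(?: (?P<ip>\S+))?")

def parse(log):
    # Yield one dict per log line that matches LINE_RE; ip is None when absent.
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = datetime.strptime(d["ts"], "%b %d %H:%M:%S %Y")
            yield d

def in_suspect_net(ip):
    return ip is not None and any(ipaddress.ip_address(ip) in n for n in SUSPECT_NETS)

def find_abuse(log, min_lists=2, window=timedelta(minutes=10)):
    """Return {addr: findings} for addresses matching the heuristics above."""
    pending, confirmed = defaultdict(list), set()
    for e in parse(log):
        if e["action"] == "pending":
            pending[e["addr"]].append(e)
        else:  # "new" = confirmed subscription, i.e. the request was ACK'd
            confirmed.add((e["list"], e["addr"]))
    report = {}
    for addr, events in pending.items():
        lists = {e["list"] for e in events}
        unacked = [e for e in events if (e["list"], addr) not in confirmed]
        ts = sorted(e["ts"] for e in events)
        burst = len(ts) >= min_lists and ts[-1] - ts[0] <= window
        suspect = any(in_suspect_net(e["ip"]) for e in events)
        if len(lists) >= min_lists and unacked and (burst or suspect):
            report[addr] = dict(lists=sorted(lists), unacked=len(unacked), burst=burst, suspect_net=suspect)
    return report
```

On the constructed sample, only victim@example.org is reported (three lists, none confirmed, within seconds, from a suspect range); alice@example.com confirmed her single request and is ignored.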
Hi Rich,
Attacks against Mailman usually come without a referer, so I have found the following approach to work:
I create a landing page for the mailing list that introduces the list, explains the signup process, and contains a button with a link to the list interface. Via the ".htaccess" file I ensure that the list interface itself can only be accessed if there is a referer that contains the domain of the landing page - any other access will cause a blank page to be served. Result: no spam.
The same approach also works with blogs and keeps search engines at bay. Humans can (and, if motivated, will) go beyond the landing page but machines will be blocked.
HTH
Ian
--