Web requests with garbage at the end of the list name
Folks:
Is anyone else seeing requests to their mailman install that look something like this:
Aug 18 15:10:16 2021 (31166) Hostile listname: listname=midrange-l__;!!NVq9dfhzMyHqTw!wLl-dt8zxsuQuoyojs-UYmT_d65WZroClHaYGfHduJ561eT0B7baTQV1ogZzQKRRsw$: remote=52.34.76.65
Basically, the list name is correct, but the added "__;!NV..." makes it invalid.
The pattern is rather consistent ... "__;!NV" followed by a bunch of garbage.
Thanks!
David
-- I'm riding in the American Diabetes Association's Tour de Cure to raise money for diabetes research, education, advocacy, and awareness. You can make a tax-deductible donation to my ride by visiting https://mideml.diabetessucks.net.
You can see where my donations come from by visiting my interactive donation map ... https://mideml.diabetessucks.net/map (it's a geeky thing).
I'm pretty sure that this comes from Proofpoint's "URL Defense" system. (Google it.) But I don't understand what you mean by "hostile listname" being "correct". What comes before the __ is usually a URL, and there is also a __ BEFORE the url begins. If you use a graphical mail client (like gmail), you don't see this extra junk, but if you click the url that you see, Proofpoint will check it to see if it is on a list of nasty sites. If you want to see the URL alone with a text client (like mutt), I suggest running all messages through .procmailrc with this recipe:
:0 f
| /usr/bin/sed -e "s/__/ /g"
This will replace __ with spaces, leaving the url itself standing alone.
Jon
On 08/18/21 15:15, David Gibbs via Mailman-Users wrote:
Folks:
Is anyone else seeing requests to their mailman install that look something like this:
Aug 18 15:10:16 2021 (31166) Hostile listname: listname=midrange-l__;!!NVq9dfhzMyHqTw!wLl-dt8zxsuQuoyojs-UYmT_d65WZroClHaYGfHduJ561eT0B7baTQV1ogZzQKRRsw$: remote=52.34.76.65
Basically, the list name is correct, but the added "__;!NV..." makes it invalid.
The pattern is rather consistent ... "__;!NV" followed by a bunch of garbage.
Thanks!
David
Mailman-Users mailing list -- mailman-users@python.org To unsubscribe send an email to mailman-users-leave@python.org https://mail.python.org/mailman3/lists/mailman-users.python.org/ Mailman FAQ: http://wiki.list.org/x/AgA3 Security Policy: http://wiki.list.org/x/QIA9 Searchable Archives: https://www.mail-archive.com/mailman-users@python.org/ https://mail.python.org/archives/list/mailman-users@python.org/
-- Jonathan Baron, Professor of Psychology, University of Pennsylvania Home page: https://www.sas.upenn.edu/~baron Founding Editor: Judgment and Decision Making (http://journal.sjdm.org)
On 08/18/21 15:15, David Gibbs via Mailman-Users wrote:
Is anyone else seeing requests to their mailman install that look something like this:
Aug 18 15:10:16 2021 (31166) Hostile listname: listname=midrange-l__;!!NVq9dfhzMyHqTw!wLl-dt8zxsuQuoyojs-UYmT_d65WZroClHaYGfHduJ561eT0B7baTQV1ogZzQKRRsw$: remote=52.34.76.65
What log is that from? I don't recognize the format.
Jon Baron writes:
I'm pretty sure that this comes from Proofpoint's "URL Defense" system. (Google it.)
Argh.
But I don't understand what you mean by "hostile listname" being "correct".
He means that "midrange-l" is the name of an active list at his site, I'm pretty sure.
What comes before the __ is usually a URL, and there is also a __ BEFORE the url begins. If you use a graphical mail client (like gmail), [and] click the url that you see, Proofpoint will check it to see if it is on a list of nasty sites.
host(1) says the source of the request is AWS. :-/
None of this explains why the URL is targeting David's Mailman, unless it's the Mailman host that is running the Proofpoint. (It's not your job ;-), but any further hints would be appreciated.
Steve
On 8/18/21 11:34 PM, Stephen J. Turnbull wrote:
Is anyone else seeing requests to their mailman install that look something like this:
Aug 18 15:10:16 2021 (31166) Hostile listname: listname=midrange-l__;!!NVq9dfhzMyHqTw!wLl-dt8zxsuQuoyojs-UYmT_d65WZroClHaYGfHduJ561eT0B7baTQV1ogZzQKRRsw$: remote=52.34.76.65
What log is that from? I don't recognize the format.
mischief
But I don't understand what you mean by "hostile listname" being "correct".
He means that "midrange-l" is the name of an active list at his site, I'm pretty sure.
Exactly correct.
host(1) says the source of the request is AWS. :-/
None of this explains why the URL is targeting David's Mailman, unless it's the Mailman host that is running the Proofpoint. (It's not your job ;-), but any further hints would be appreciated.
These requests are coming from an external source. I'm not running proofpoint.
Not much I can do about it, I guess. Good to know the source of the requests though.
Not sure what proofpoint is trying to do. They are just getting errors.
Oh well.
Thanks for the info guys.
david
Jon Baron wrote:
Aug 18 15:10:16 2021 (31166) Hostile listname: listname=midrange-l__;!!NVq9dfhzMyHqTw!wLl-dt8zxsuQuoyojs-UYmT_d65WZroClHaYGfHduJ561eT0B7baTQV1ogZzQKRRsw$: remote=52.34.76.65
Basically, the list name is correct, but the added "__;!NV..." makes it invalid.
But I don't understand what you mean by "hostile listname" being "correct".
"midrange-l" is a correct name of an existing list.
"midrange-l__;!!NVq9dfhzMyHqTw!wLl-dt8zxsuQuoyojs-UYmT_d65WZroClHaYGfHduJ561eT0B7baTQV1ogZzQKRRsw$" is not.
-thh
On 8/18/21 3:36 PM, Jon Baron wrote:
I'm pretty sure that this comes from Proofpoint's "URL Defense" system.
Ah. OK.
But I don't understand what you mean by "hostile listname" being "correct".
The listname before the garbage is correct.
I suggest running all messages through .procmailrc with this recipe:
The mangled list names are in the web UI, not email.
david
I don't understand the terms you use. So I will not comment further on this thread. "Web UI"? "Email"?
However, I did suggest using Google to find out more about Proofpoint. All the information is there. They do have a goal. Whether they achieve it, I do not know.
Jon
On 8/18/21 1:15 PM, David Gibbs via Mailman-Users wrote:
Folks:
Is anyone else seeing requests to their mailman install that look something like this:
Aug 18 15:10:16 2021 (31166) Hostile listname: listname=midrange-l__;!!NVq9dfhzMyHqTw!wLl-dt8zxsuQuoyojs-UYmT_d65WZroClHaYGfHduJ561eT0B7baTQV1ogZzQKRRsw$: remote=52.34.76.65
Basically, the list name is correct, but the added "__;!NV..." makes it invalid.
A web request for a list with name 'midrange-l__;!!NVq9dfhzMyHqTw!wLl-dt8zxsuQuoyojs-UYmT_d65WZroClHaYGfHduJ561eT0B7baTQV1ogZzQKRRsw$' was received from IP 52.34.76.65. I.e., something like http://example.com/mailman/listinfo/midrange-l__;!!NVq9dfhzMyHqTw!wLl-dt8zxs...
The listname is considered hostile because it contains characters not in the set mm_cfg.ACCEPTABLE_LISTNAME_CHARACTERS (default [-+_.=a-z0-9]).
This is not usually anything of concern. Brain dead web crawlers do things like this all the time. Check your web server logs for more info.
-- Mark Sapiro mark@msapiro.net, San Francisco Bay Area, California. "The highway is for gamblers, better use your sense" - B. Dylan
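Mark's explanation above (the hostile-listname check against mm_cfg.ACCEPTABLE_LISTNAME_CHARACTERS) and the URL Defense wrapping Jon describes earlier in the thread ("__" before the URL, "__;...$" after it), as an added example that is not from the thread or from Mailman itself. It checks a list name against Mailman's default character set, unwraps a "__URL__;token$" wrapper, and triages "Hostile listname" mischief-log lines against the site's real list names; the exact log-line layout, the helper names and the second sample line are assumptions.

```python
import re

# Mailman 2.1's default mm_cfg.ACCEPTABLE_LISTNAME_CHARACTERS, as quoted in the thread.
ACCEPTABLE_LISTNAME_CHARACTERS = r"[-+_.=a-z0-9]"
_LISTNAME_OK = re.compile(r"^(?:%s)+$" % ACCEPTABLE_LISTNAME_CHARACTERS)
# Layout of the "Hostile listname" mischief-log line, inferred from the one line quoted
# in the thread (assumption: timestamp, pid, listname, remote address).
_MISCHIEF_LINE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d \d{4}) \(\d+\) Hostile listname: "
    r"listname=(?P<listname>.*?): remote=(?P<remote>\S+)$")
# URL Defense wrapping as described in the thread: "__" before the URL, "__;<token>$" after.
_URLDEFENSE = re.compile(r"__(?P<url>.*?)__;[^$]*\$")

def listname_is_acceptable(name):
    """True when every character is in ACCEPTABLE_LISTNAME_CHARACTERS (Mailman's own test)."""
    return bool(_LISTNAME_OK.match(name))

def unwrap_urldefense(text):
    """Reduce '__URL__;TOKEN$' to 'URL'; text without a wrapper comes back unchanged."""
    return _URLDEFENSE.sub(lambda m: m.group("url"), text)

def split_urldefense_suffix(listname):
    """Split a list name into the part before a trailing '__;...$' token and the token."""
    base, sep, rest = listname.partition("__;")
    return (base, sep + rest) if sep else (listname, "")

def triage_mischief(lines, known_lists):
    """Classify 'Hostile listname' lines: one dict (remote, base, verdict) per parsed line."""
    results = []
    for line in lines:
        m = _MISCHIEF_LINE.match(line.rstrip("\n"))
        if not m:
            continue
        base, suffix = split_urldefense_suffix(m.group("listname"))
        if suffix and base in known_lists:
            verdict = "urldefense-mangled-known-list"  # harmless rewrite noise, as in the thread
        else:
            verdict = "unknown"  # not explained by URL Defense; check the web server logs
        results.append({"remote": m.group("remote"), "base": base, "verdict": verdict})
    return results

# Constructed sample input: the line quoted in the thread plus one invented crawler probe
# from a documentation-range address.
SAMPLE_LOG = [
    "Aug 18 15:10:16 2021 (31166) Hostile listname: listname=midrange-l__;!!NVq9dfhzMyHqTw"
    "!wLl-dt8zxsuQuoyojs-UYmT_d65WZroClHaYGfHduJ561eT0B7baTQV1ogZzQKRRsw$: remote=52.34.76.65",
    "Aug 18 15:12:01 2021 (31166) Hostile listname: listname=My List: remote=198.51.100.7",
]
```

Run triage_mischief(SAMPLE_LOG, {"midrange-l"}) with your own set of list names to separate URL Defense noise from requests that deserve a look in the web server logs.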