Web requests with garbage at the end of the list name

Folks:
Is anyone else seeing requests to their mailman install that look something like this:
Aug 18 15:10:16 2021 (31166) Hostile listname: listname=midrange-l__;!!NVq9dfhzMyHqTw!wLl-dt8zxsuQuoyojs-UYmT_d65WZroClHaYGfHduJ561eT0B7baTQV1ogZzQKRRsw$: remote=52.34.76.65
Basically, the list name is correct, but the added "__;!NV..." makes it invalid.
The pattern is rather consistent ... "__;!NV" followed by a bunch of garbage.
Thanks!
David

I'm pretty sure that this comes from Proofpoint's "URL Defense" system. (Google it.) But I don't understand what you mean by "hostile listname" being "correct". What comes before the __ is usually a URL, and there is also a __ BEFORE the url begins. If you use a graphical mail client (like gmail), you don't see this extra junk, but if you click the url that you see, Proofpoint will check it to see if it is on a list of nasty sites. If you want to see the URL alone with a text client (like mutt), I suggest running all messages through .procmailrc with this recipe:
:0 f
| /usr/bin/sed -e "s/__/ /g"
This will replace __ with spaces, leaving the url itself standing alone.
Jon
On 08/18/21 15:15, David Gibbs via Mailman-Users wrote:
> Folks:
> Is anyone else seeing requests to their mailman install that look something like this:
> Aug 18 15:10:16 2021 (31166) Hostile listname: listname=midrange-l__;!!NVq9dfhzMyHqTw!wLl-dt8zxsuQuoyojs-UYmT_d65WZroClHaYGfHduJ561eT0B7baTQV1ogZzQKRRsw$: remote=52.34.76.65
> Basically, the list name is correct, but the added "__;!NV..." makes it invalid.
> The pattern is rather consistent ... "__;!NV" followed by a bunch of garbage.
> Thanks!
> David

On 08/18/21 15:15, David Gibbs via Mailman-Users wrote:
> Is anyone else seeing requests to their mailman install that look something like this:
> Aug 18 15:10:16 2021 (31166) Hostile listname: listname=midrange-l__;!!NVq9dfhzMyHqTw!wLl-dt8zxsuQuoyojs-UYmT_d65WZroClHaYGfHduJ561eT0B7baTQV1ogZzQKRRsw$: remote=52.34.76.65
What log is that from? I don't recognize the format.
Jon Baron writes:
> I'm pretty sure that this comes from Proofpoint's "URL Defense" system. (Google it.)
Argh.
> But I don't understand what you mean by "hostile listname" being "correct".
He means that "midrange-l" is the name of an active list at his site, I'm pretty sure.
> What comes before the __ is usually a URL, and there is also a __ BEFORE the url begins. If you use a graphical mail client (like gmail), [and] click the url that you see, Proofpoint will check it to see if it is on a list of nasty sites.
host(1) says the source of the request is AWS. :-/
None of this explains why the URL is targeting David's Mailman, unless it's the Mailman host that is running the Proofpoint. (It's not your job ;-), but any further hints would be appreciated.
Steve

Jon Baron wrote:
> Aug 18 15:10:16 2021 (31166) Hostile listname: listname=midrange-l__;!!NVq9dfhzMyHqTw!wLl-dt8zxsuQuoyojs-UYmT_d65WZroClHaYGfHduJ561eT0B7baTQV1ogZzQKRRsw$: remote=52.34.76.65
> Basically, the list name is correct, but the added "__;!NV..." makes it invalid.
> But I don't understand what you mean by "hostile listname" being "correct".
"midrange-l" is a correct name of an existing list.
"midrange-l__;!!NVq9dfhzMyHqTw!wLl-dt8zxsuQuoyojs-UYmT_d65WZroClHaYGfHduJ561eT0B7baTQV1ogZzQKRRsw$" is not.
-thh

On 8/18/21 11:34 PM, Stephen J. Turnbull wrote:
> Is anyone else seeing requests to their mailman install that look something like this:
> Aug 18 15:10:16 2021 (31166) Hostile listname: listname=midrange-l__;!!NVq9dfhzMyHqTw!wLl-dt8zxsuQuoyojs-UYmT_d65WZroClHaYGfHduJ561eT0B7baTQV1ogZzQKRRsw$: remote=52.34.76.65
> What log is that from? I don't recognize the format.
mischief
> But I don't understand what you mean by "hostile listname" being "correct".
> He means that "midrange-l" is the name of an active list at his site, I'm pretty sure.
Exactly correct.
> host(1) says the source of the request is AWS. :-/
> None of this explains why the URL is targeting David's Mailman, unless it's the Mailman host that is running the Proofpoint. (It's not your job ;-), but any further hints would be appreciated.
These requests are coming from an external source. I'm not running proofpoint.
Not much I can do about it, I guess. Good to know the source of the requests though.
Not sure what proofpoint is trying to do. They are just getting errors.
Oh well.
Thanks for the info guys.
david

On 8/18/21 3:36 PM, Jon Baron wrote:
> I'm pretty sure that this comes from Proofpoint's "URL Defense" system.
Ah. OK.
> But I don't understand what you mean by "hostile listname" being "correct".
The listname before the garbage is correct.
> I suggest running all messages through .procmailrc with this recipe:
The mangled list names are in the web UI, not email.
david

I don't understand the terms you use. So I will not comment further on this thread. "Web UI"? "Email"?
However, I did suggest using Google to find out more about Proofpoint. All the information is there. They do have a goal. Whether they achieve it, I do not know.
Jon
Jonathan Baron, Professor of Psychology, University of Pennsylvania Home page: https://www.sas.upenn.edu/~baron Founding Editor: Judgment and Decision Making (http://journal.sjdm.org)

On 8/18/21 1:15 PM, David Gibbs via Mailman-Users wrote:
> Folks:
> Is anyone else seeing requests to their mailman install that look something like this:
> Aug 18 15:10:16 2021 (31166) Hostile listname: listname=midrange-l__;!!NVq9dfhzMyHqTw!wLl-dt8zxsuQuoyojs-UYmT_d65WZroClHaYGfHduJ561eT0B7baTQV1ogZzQKRRsw$: remote=52.34.76.65
> Basically, the list name is correct, but the added "__;!NV..." makes it invalid.
A web request for a list with name 'midrange-l__;!!NVq9dfhzMyHqTw!wLl-dt8zxsuQuoyojs-UYmT_d65WZroClHaYGfHduJ561eT0B7baTQV1ogZzQKRRsw$' was received from IP 52.34.76.65. I.e., something like http://example.com/mailman/listinfo/midrange-l__;!!NVq9dfhzMyHqTw!wLl-dt8zxs...
The listname is considered hostile because it contains characters not in the set mm_cfg.ACCEPTABLE_LISTNAME_CHARACTERS (default [-+_.=a-z0-9]).
This is not usually anything of concern. Brain dead web crawlers do things like this all the time. Check your web server logs for more info.
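
Added example, not part of Mark Sapiro's message and not Mailman's own code: a small triage script for the "Hostile listname" entries discussed in this thread. It applies the character class quoted above as written, separates names that are a known list plus the `__;...$` trailer seen in the thread from other rejections, and counts entries per remote address. The regular expressions, function names and category labels are assumptions made for this illustration; the sample lines other than the one quoted in the thread are constructed.

```python
import re
from collections import Counter

# Character class quoted in the thread as the default for
# mm_cfg.ACCEPTABLE_LISTNAME_CHARACTERS, applied here as written.
ACCEPTABLE = re.compile(r"[-+_.=a-z0-9]")

# Shape of the "Hostile listname" log line quoted in the thread (assumed format).
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+ \d{4}) \(\d+\) Hostile listname: "
    r"listname=(?P<name>.*): remote=(?P<remote>\S+)$")

# Trailer observed in the thread: "__;" plus opaque text ending in "$".
TRAILER = re.compile(r"^(?P<base>.+?)__;\S*!!\S+\$$")

def classify(line, known_lists):
    """Return (category, base_name, remote, rejected_chars) or None."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    name, remote = m["name"], m["remote"]
    # Characters that fall outside the acceptable set, de-duplicated.
    rejected = "".join(sorted(set(ACCEPTABLE.sub("", name))))
    t = TRAILER.match(name)
    if t and t["base"] in known_lists:
        return ("rewritten-link", t["base"], remote, rejected)
    return ("other", name, remote, rejected)

def summarize(lines, known_lists):
    """Count entries per (category, remote), skipping unparsable lines."""
    hits = (classify(line, known_lists) for line in lines)
    return Counter((h[0], h[2]) for h in hits if h)

SAMPLE = [
    # Line quoted in the thread.
    "Aug 18 15:10:16 2021 (31166) Hostile listname: listname=midrange-l__;!!NVq9dfhzMyHqTw!wLl-dt8zxsuQuoyojs-UYmT_d65WZroClHaYGfHduJ561eT0B7baTQV1ogZzQKRRsw$: remote=52.34.76.65",
    # Constructed lines (documentation addresses).
    "Aug 18 15:12:01 2021 (31170) Hostile listname: listname=midrange-l).: remote=198.51.100.7",
    "Aug 18 15:13:40 2021 (31171) Hostile listname: listname=no-such-list__;!!AAAA!BBBB$: remote=192.0.2.10",
    "Aug 18 15:14:02 2021 (31172) some unrelated log entry",
]

if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE, {"midrange-l"}).items()):
        print(n, *key)
```

Entries in the "other" category are the ones worth correlating with the web server logs, as suggested above.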
participants (6)
- Carl Zwanzig
- David Gibbs
- Jon Baron
- Mark Sapiro
- Stephen J. Turnbull
- Thomas Hochstein