Hello,
I just noticed a lot of backscatter spam: my Mailman installation was starting to send subscription verifications to a lot of ALLCAPS@hotmail.com addresses, on a test list that no one is supposed to be using.
I traced it to this site:
http://4478.a.hostable.me/vinabot/bommail/Boom.html
If you view source you will see that it opens a lot of iframes on 284 Mailman installations, and tries to auto-subscribe its victims' email addresses to different lists (392 in total).
I have put the page HTML source as well as the list of targeted servers and lists in the attached zip file.
Do you know how to stop this efficiently?
-- Fil
The attachment was deleted, you can find it here:
targets: https://www.dropbox.com/s/d6ddmgx3iljubot/boom-backscatter-targets.txt
zip containing the attacker's page source: https://www.dropbox.com/s/tlofz5wg8l8w47a/boom-backscatter.zip
-- Fil
On Thu, Nov 14, 2013 at 7:32 PM, Fil <fil@rezo.net> wrote:
On 14/11/13 18:32, Fil wrote:
One of our lists was being spammed with subscription requests and I eventually found the cause: the URL /mailman/subscribe was being requested a large number of times from a variety of IP addresses. These were logged by Apache to its access log (/var/log/httpd/access_log* on our CentOS 6 server running Mailman 2.1.14 built from source and the standard Apache httpd package). I searched the httpd logs for the last month to find the successful requests for /mailman/subscribe (with a 200 return code), picking out the referral URL and omitting valid requests containing part of our domain (nottingham), using the following pipeline:
```sh
grep 'mailman.subscribe.* 200 ' access_log* | sed 's/ 200 /#/' | cut -d'#' -f2 | cut -d' ' -f2 | grep -v nottingham | sort | uniq -c | sort -rn
```
The results were sorted in descending order of number of matches, so the worst offenders were at the top, including 5487 requests from http://vipserver88.com/member//check/boom/ and 1659 requests from http://4478.a.hostable.me/vinabot/bommail/Boom.html, which Fil mentioned above.
After realising that I don't want the Mailman subscribe URL to be called from a referring page which is not ours, I used the technique for preventing hotlinking of images from a website (http://httpd.apache.org/docs/2.2/rewrite/access.html#blocked-inline-images) and added this to the file /etc/httpd/conf.d/mailman.conf:
```apache
# Prevent subscription request spam
SetEnvIf Referer lists\.example\.com localreferer
<Location /mailman/subscribe>
    Order deny,allow
    Deny from all
    Allow from env=localreferer
</Location>
```
Replace 'lists\.example\.com' with the FQDN of your Mailman server. Now all the off-site /mailman/subscribe requests get a 403 forbidden return code.
Maybe this protection of /mailman/subscribe should be a standard part of the Apache configuration?
Are there any other Mailman URLs potentially open to misuse which ought to be similarly protected?
David
--
David Osborne
Senior Systems Development Officer
Systems and Security Team, Information Services
University of Nottingham
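The log triage David describes, written as an added example (not code from the thread): it parses Apache "combined" format by quoted fields instead of splitting on the literal " 200 " string, counts successful /mailman/subscribe requests per off-site Referer, and prints the worst offenders first. The log lines, hostnames and the `offsite_subscribe_referers` function name are constructed for this example.

```shell
#!/bin/sh
# Constructed Apache combined-format sample (hosts and paths are made up for this example).
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.5 - - [14/Nov/2013:18:02:11 +0000] "POST /mailman/subscribe/testlist HTTP/1.1" 200 2140 "http://attacker.example/boom/Boom.html" "Mozilla/5.0"
203.0.113.6 - - [14/Nov/2013:18:02:12 +0000] "POST /mailman/subscribe/testlist HTTP/1.1" 200 2140 "http://attacker.example/boom/Boom.html" "Mozilla/5.0"
198.51.100.7 - - [14/Nov/2013:18:03:40 +0000] "POST /mailman/subscribe/testlist HTTP/1.1" 200 2140 "http://lists.example.com/mailman/listinfo/testlist" "Mozilla/5.0"
192.0.2.9 - - [14/Nov/2013:18:04:02 +0000] "POST /mailman/subscribe/testlist HTTP/1.1" 403 199 "http://other.example/page.html" "Mozilla/5.0"
192.0.2.10 - - [14/Nov/2013:18:05:30 +0000] "POST /mailman/subscribe/testlist HTTP/1.1" 200 2140 "http://other.example/page.html" "Mozilla/5.0"
198.51.100.8 - - [14/Nov/2013:18:06:00 +0000] "GET /mailman/listinfo/testlist HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
EOF

# Print "<count> <referer>" for /mailman/subscribe requests that returned 200 and whose
# Referer does not contain our own hostname ($2), highest count first.
# Requests with no Referer ("-") are skipped; once the Location block from the thread is
# in place they show up as 403s and drop out of this view anyway.
offsite_subscribe_referers() {
  # $1 = access log path, $2 = substring identifying our own Mailman host
  awk -v local="$2" -F'"' '
    # Splitting on double quotes: $2 = request line, $3 = " status size ", $4 = Referer
    $2 ~ /\/mailman\/subscribe/ {
      split($3, f, " ")
      if (f[1] == "200" && $4 != "-" && index($4, local) == 0)
        count[$4]++
    }
    END { for (r in count) print count[r], r }
  ' "$1" | sort -rn
}

offsite_subscribe_referers "$SAMPLE_LOG" "lists.example.com"
```

On the sample above the output is two lines: the attacker page with 2 hits and other.example with 1; the 403 and the on-site referral are excluded.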