[Mailman-Users] Mailman under attack
cczdao at unix.ccc.nottingham.ac.uk
Thu Dec 5 14:31:24 CET 2013
On 14/11/13 18:32, Fil wrote:
> I just noticed a lot of backscatter spam, my Mailman installation was
> starting to send subscription verifications to a lot of
> ALLCAPS at hotmail.com addresses, on a test list that no one is supposed
> to be using.
> I traced it to this site:
> if you view source you will see that it opens a lot of iframes on 284
> Mailman installations, and tries to auto-subscribe its victims' email
> addresses to different lists (392 in total).
> I have put the page HTML source as well as the list of targeted servers and
> lists in the attached zip file.
> Do you know how to stop this efficiently?
> -- Fil
One of our lists was being spammed with subscription requests and I
eventually found the cause: the URL /mailman/subscribe was being
requested a large number of times from a variety of IP addresses. These
were logged by Apache to its access log (/var/log/httpd/access_log* on
our CentOS 6 server running Mailman 2.1.14 built from source and the
standard Apache httpd package). I searched the httpd logs for the last
month to find the successful requests for /mailman/subscribe (with a 200
return code), picking out the referral URL and omitting valid requests
containing part of our domain (nottingham), using the following pipeline:
    grep 'mailman.subscribe.* 200 ' access_log* | sed 's/ 200 /#/' | cut -d'#' -f2 | cut -d' ' -f2 | grep -v nottingham | sort | uniq -c | sort -rn
The results were sorted in descending order of number of matches, so the
worst offenders were at the top, including 5487 requests from
http://vipserver88.com/member//check/boom/ and 1659 requests from
http://4478.a.hostable.me/vinabot/bommail/Boom.html, which Fil mentioned.
After realising that I don't want the Mailman subscribe URL to be called
from a referring page which is not ours, I used the technique for
preventing hotlinking of images from a website
and added this to the file /etc/httpd/conf.d/mailman.conf:

    # Prevent subscription request spam
    # Mark requests whose Referer header names our own host
    SetEnvIf Referer lists\.example\.com localreferer
    # Deny,Allow is the Apache 2.2 default, stated here explicitly:
    # the Deny applies first, then the Allow for marked requests overrides it
    Order Deny,Allow
    Deny from all
    Allow from env=localreferer
Replace 'lists\.example\.com' with the FQDN of your Mailman server.
Now all the off-site /mailman/subscribe requests get a 403 Forbidden.
Maybe this protection of /mailman/subscribe should be a standard part of
the Apache configuration?
Are there any other Mailman URLs potentially open to misuse which ought
to be similarly protected?
Senior Systems Development Officer
Systems and Security Team, Information Services
University of Nottingham
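The log-mining step above, as an added example that is not part of the original post or of Mailman itself. It reads Apache "combined" log lines, keeps successful requests for /mailman/subscribe, extracts the quoted Referer field with awk (rather than relying on the " 200 " token position as the one-liner in the post does), drops referers naming the local domain, and ranks the rest. The log lines and the hosts attacker.example / other.example are constructed for the example, and LOCAL_DOMAIN is an assumed value to be replaced with your own list server's name.

```shell
#!/bin/sh
# Added example: rank off-site Referers that successfully hit
# /mailman/subscribe, from Apache "combined" format log lines:
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
# Splitting on the double-quote character gives:
#   $2 = request line, $3 = " status bytes ", $4 = Referer, $6 = User-Agent

# Assumed value: the FQDN of the local Mailman server.
LOCAL_DOMAIN="lists.example.com"

# Constructed sample log (not real traffic); the referring hosts are
# placeholders. Line 3 is a legitimate local request, line 4 was already
# refused with 403, and line 6 is not a subscribe request.
sample_log() {
  cat <<'EOF'
203.0.113.5 - - [01/Dec/2013:10:00:01 +0100] "POST /mailman/subscribe/testlist HTTP/1.1" 200 3021 "http://attacker.example/bommail/Boom.html" "Mozilla/5.0"
203.0.113.6 - - [01/Dec/2013:10:00:02 +0100] "POST /mailman/subscribe/testlist HTTP/1.1" 200 3021 "http://attacker.example/bommail/Boom.html" "Mozilla/5.0"
198.51.100.7 - - [01/Dec/2013:10:00:03 +0100] "POST /mailman/subscribe/testlist HTTP/1.1" 200 3021 "http://lists.example.com/mailman/listinfo/testlist" "Mozilla/5.0"
198.51.100.8 - - [01/Dec/2013:10:00:04 +0100] "POST /mailman/subscribe/testlist HTTP/1.1" 403 200 "http://other.example/iframes.html" "Mozilla/5.0"
203.0.113.9 - - [01/Dec/2013:10:00:05 +0100] "POST /mailman/subscribe/testlist HTTP/1.1" 200 3021 "http://other.example/iframes.html" "Mozilla/5.0"
203.0.113.9 - - [01/Dec/2013:10:00:06 +0100] "GET /mailman/listinfo/testlist HTTP/1.1" 200 5120 "http://attacker.example/bommail/Boom.html" "Mozilla/5.0"
EOF
}

# Read log lines on stdin; print "count referer" lines, worst offender first.
offsite_subscribe_referers() {
  awk -F'"' '
    $2 ~ /^[A-Z]+ \/mailman\/subscribe/ {
      # $3 looks like " 200 3021 "; split on whitespace to get the status
      split($3, status, " ")
      if (status[1] == "200") print $4
    }' \
  | grep -vF "$LOCAL_DOMAIN" \
  | sort | uniq -c | sort -rn
}

# Convenience: the single referring URL with the highest count.
top_offender() {
  sample_log | offsite_subscribe_referers | head -n 1 | awk '{print $2}'
}

# Stand-alone run over the constructed sample:
#   2 http://attacker.example/bommail/Boom.html
#   1 http://other.example/iframes.html
sample_log | offsite_subscribe_referers
```

For real use, feed `cat /var/log/httpd/access_log*` into offsite_subscribe_referers instead of sample_log. One caveat on the Apache rule the post arrives at: the Referer header is supplied by the client, so the rule stops browsers that were steered to /mailman/subscribe by a third-party iframe page (they send that page's URL as Referer), but a script can send any Referer it likes, and a browser configured to send no Referer at all is also refused, since an absent header never sets localreferer.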