[Mailman-Users] Mailman under attack

David Osborne cczdao at unix.ccc.nottingham.ac.uk
Thu Dec 5 14:31:24 CET 2013

On 14/11/13 18:32, Fil wrote:
> Hello,
> I just noticed a lot of backscatter spam, my Mailman installation was
> starting to send subscription verifications to a lot of
> ALLCAPS at hotmail.com addresses, on a test list that no one is supposed
> to be using.
> I traced it to this site :
> http://4478.a.hostable.me/vinabot/bommail/Boom.html
> if you view source you will see that it opens a lot of iframes on 284
> Mailman installations, and tries to auto-subscribe its victims email
> addresses to different lists (392 in total).
> I have put the page HTML source as well as the list of targeted servers and
> lists in the attached zip file.
> Do you know how to stop this efficiently?
> -- Fil

One of our lists was being spammed with subscription requests and I 
eventually found the cause: the URL /mailman/subscribe was being 
requested a large number of times from a variety of IP addresses. These 
were logged by Apache to its access log (/var/log/httpd/access_log* on 
our CentOS 6 server running Mailman 2.1.14 built from source and the 
standard Apache httpd package). I searched the httpd logs for the last 
month to find the successful requests for /mailman/subscribe (with a 200 
return code), picking out the referral URL and omitting valid requests 
containing part of our domain (nottingham), using the following pipeline:

grep 'mailman.subscribe.* 200 ' access_log* | sed 's/ 200 /#/' \
  | cut -d'#' -f2 | cut -d' ' -f2 | grep -v nottingham | sort | uniq -c | sort -rn

The results were sorted in descending order of number of matches, so the 
worst offenders were at the top, including 5487 requests from 
http://vipserver88.com/member//check/boom/ and 1659 requests from 
http://4478.a.hostable.me/vinabot/bommail/Boom.html, which Fil mentioned.

After realising that I don't want the Mailman subscribe URL to be called 
from a referring page which is not ours, I used the technique for 
preventing hotlinking of images from a website 
and added this to the file /etc/httpd/conf.d/mailman.conf:

# Prevent subscription request spam: only allow /mailman/subscribe when the
# Referer header names our own Mailman host (Apache 2.2 access-control syntax)
SetEnvIf Referer lists\.example\.com localreferer
<Location /mailman/subscribe>
     Order deny,allow
     Deny from all
     Allow from env=localreferer
</Location>

Replace 'lists\.example\.com' with the FQDN of your Mailman server.
Now all the off-site /mailman/subscribe requests get a 403 forbidden 
return code.

Maybe this protection of /mailman/subscribe should be a standard part of 
the Apache configuration?

Are there any other Mailman URLs potentially open to misuse which ought 
to be similarly protected?


David Osborne
Senior Systems Development Officer
Systems and Security Team, Information Services
University of Nottingham
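An added example, not code from the original post or from the Mailman project: it reruns the log-analysis pipeline from the post over a small constructed Apache combined-format access log, then emulates the `SetEnvIf Referer` match to show what the unanchored pattern `lists\.example\.com` allows and denies compared with a version anchored to the site's own origin. The hostnames (`lists.example.com` as the Mailman host, `attacker.invalid`), IP addresses, list name and log lines are constructed for the demo; the two spam referers are the ones named in the post.

```shell
#!/bin/sh
# Added example (not from the original post). Reproduces the access_log
# pipeline from the post and emulates the SetEnvIf Referer check.
# Assumptions: lists.example.com is our Mailman host; the IPs, list name,
# attacker.invalid and the log lines below are constructed for this demo;
# grep -E stands in for Apache's regex engine for these simple patterns.

# Write a constructed access log in combined format. The referer is the
# first quoted field after the response size.
make_sample_log() {
    cat > "$1" <<'EOF'
10.0.0.1 - - [05/Dec/2013:10:00:01 +0000] "POST /mailman/subscribe/testlist HTTP/1.1" 200 1532 "http://4478.a.hostable.me/vinabot/bommail/Boom.html" "Mozilla/5.0"
10.0.0.2 - - [05/Dec/2013:10:00:02 +0000] "POST /mailman/subscribe/testlist HTTP/1.1" 200 1532 "http://vipserver88.com/member//check/boom/" "Mozilla/5.0"
10.0.0.3 - - [05/Dec/2013:10:00:03 +0000] "POST /mailman/subscribe/testlist HTTP/1.1" 200 1532 "http://vipserver88.com/member//check/boom/" "Mozilla/5.0"
10.0.0.4 - - [05/Dec/2013:10:00:04 +0000] "POST /mailman/subscribe/testlist HTTP/1.1" 200 1532 "http://lists.example.com/mailman/listinfo/testlist" "Mozilla/5.0"
10.0.0.5 - - [05/Dec/2013:10:00:05 +0000] "POST /mailman/subscribe/testlist HTTP/1.1" 403 287 "http://vipserver88.com/member//check/boom/" "Mozilla/5.0"
10.0.0.6 - - [05/Dec/2013:10:00:06 +0000] "GET /mailman/listinfo/testlist HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
EOF
}

# The pipeline from the post, parameterised by log file and local domain:
# successful (200) requests to /mailman/subscribe grouped by Referer,
# excluding referers that contain our own domain, worst offenders first.
top_offsite_referers() {
    log="$1"; localdomain="$2"
    grep 'mailman.subscribe.* 200 ' "$log" \
        | sed 's/ 200 /#/' | cut -d'#' -f2 | cut -d' ' -f2 \
        | grep -v "$localdomain" | sort | uniq -c | sort -rn
}

# Hit count of the worst offender only (useful as an alerting threshold).
top_offender_count() {
    top_offsite_referers "$1" "$2" | head -n 1 | awk '{print $1}'
}

# Emulate 'SetEnvIf Referer <regex> localreferer'. SetEnvIf regexes are
# unanchored, so the pattern may match anywhere in the header value.
# Exit 0 = the request would be allowed, 1 = it would get the 403.
referer_allowed() {
    pattern="$1"; referer="$2"
    printf '%s\n' "$referer" | grep -Eq "$pattern"
}

LOOSE='lists\.example\.com'              # the pattern used in the post
TIGHT='^https?://lists\.example\.com/'   # anchored to our own origin

LEGIT='http://lists.example.com/mailman/listinfo/testlist'
SPOOF_PATH='http://attacker.invalid/lists.example.com/'        # constructed
SPOOF_HOST='http://lists.example.com.attacker.invalid/Boom.html' # constructed
NONE=''                                   # browser sent no Referer at all

demo() {
    tmp=$(mktemp) || exit 1
    make_sample_log "$tmp"
    echo "Off-site referers of successful subscribe requests:"
    top_offsite_referers "$tmp" example.com
    rm -f "$tmp"

    echo
    echo "SetEnvIf emulation (allow = subscribe request gets through):"
    for r in "$LEGIT" "$SPOOF_PATH" "$SPOOF_HOST" "$NONE"; do
        for p in "$LOOSE" "$TIGHT"; do
            if referer_allowed "$p" "$r"; then v=allow; else v=deny; fi
            printf '%-34s referer=%-62s %s\n' "$p" "'$r'" "$v"
        done
    done
}

demo
```

The emulation shows two things a practitioner would want to know before copying the rule. First, the unanchored `lists\.example\.com` also matches a referer such as `http://attacker.invalid/lists.example.com/` or a host like `lists.example.com.attacker.invalid`, so anchoring the pattern to the real origin (`^https?://lists\.example\.com/`) is tighter. Second, a request that carries no Referer at all is denied by both patterns, so subscribers whose browser or proxy strips Referer will see the 403 as well. The check only blocks the iframe trick, where the victim's browser sets the Referer to the attacker's page; a bot posting directly to /mailman/subscribe can send any Referer it likes. On Apache 2.4, where `Order`/`Deny`/`Allow` are deprecated, the equivalent inside the same `<Location>` is `Require env localreferer`.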

