[Mailman-Users] odd address confirmation spam
mailman at veggiechinese.net
Mon Jul 22 22:54:02 CEST 2013
On Mon, Jul 22, 2013 at 09:31:03PM +0200, Ralf Hildebrandt wrote:
> * Will Yardley <mailman at veggiechinese.net>:
> > It seems someone is trying to forge-subscribe certain addresses (mostly
> > AOL / Yahoo / Gmail etc. addresses) on our Mailman install.
> Which version of mailman is that?
2.1.9. And yes, I'm aware that we need to upgrade, it's in progress, but
isn't possible immediately for complicated reasons. So, that's one
reason I'm writing in, just to make sure this isn't an attempt to
exploit a hole that's actually exploitable in this version.
On Mon, Jul 22, 2013 at 01:16:29PM -0700, Mark Sapiro wrote:
> On 07/22/2013 12:16 PM, Will Yardley wrote:
> > For example, (slightly sanitized, though the IP address is the real
> > one):
> > [19/Jul/2013:09:49:17 -0700] 18.104.22.168 TLSv1 RC4-SHA "GET /mailman/subscribe/listname?email=TARGET at EXAMPLE.COM&fullname=&pw=123456789&pw-conf=123456789&language=en&digest=0&email-button=Subscribe HTTP/1.1" 1587
> This very likely results from legitimate search engine web crawlers
> crawling your site.
> Every time Google crawls mail.python.org, I get an unsubscribe
> confirmation for Mailman-users. So far, I haven't had the energy to
> try to stop these as they're easy enough to ignore.
> In your case, the web crawlers are just blindly submitting the
> subscribe form from the listinfo page, and disallowing your listinfo
> pages in a robots.txt will likely stop it.
Why do the requests have actual email addresses and a bogus password /
token in the request string, though? The IP doesn't have any RDNS but
is allocated to MSN; I'd think a legitimate crawler would be more
easily identifiable as such, and would only be following actual links.
In this case we're getting repeated attempts to subscribe various
addresses. Also, they're only hitting this list (which isn't even set to
'public'), out of all 2000 or so of our Mailman lists.
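As an added example (not part of this thread), the script below parses access-log lines in the format quoted above and groups subscribe-form submissions made via GET by client IP, so one source hitting the form for many different target addresses stands out from ordinary listinfo crawling. The log lines, IP addresses and mailbox names in it are constructed; the threshold and the "GET with an email parameter" heuristic are assumptions, not Mailman's own logic.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in the same layout as the access-log line quoted
# in the thread (hypothetical IPs and addresses).
SAMPLE_LOG = """\
[19/Jul/2013:09:49:17 -0700] 192.0.2.10 TLSv1 RC4-SHA "GET /mailman/subscribe/listname?email=alice@example.com&fullname=&pw=123456789&pw-conf=123456789&language=en&digest=0&email-button=Subscribe HTTP/1.1" 1587
[19/Jul/2013:09:50:02 -0700] 192.0.2.10 TLSv1 RC4-SHA "GET /mailman/subscribe/listname?email=bob@example.com&fullname=&pw=123456789&pw-conf=123456789&language=en&digest=0&email-button=Subscribe HTTP/1.1" 1587
[19/Jul/2013:09:51:40 -0700] 192.0.2.10 TLSv1 RC4-SHA "GET /mailman/subscribe/listname?email=carol@example.com&fullname=&pw=123456789&pw-conf=123456789&language=en&digest=0&email-button=Subscribe HTTP/1.1" 1587
[19/Jul/2013:10:02:11 -0700] 198.51.100.7 TLSv1 RC4-SHA "GET /mailman/listinfo/listname HTTP/1.1" 4021
[19/Jul/2013:10:05:33 -0700] 198.51.100.7 TLSv1 RC4-SHA "POST /mailman/subscribe/listname HTTP/1.1" 1587
"""

# [timestamp] client-ip tls-version cipher "METHOD target HTTP/x.y" size
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] (?P<ip>\S+) \S+ \S+ '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<size>\d+)$'
)

def parse_line(line):
    """Return a dict for one access-log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # parse_qs returns a list per parameter; keep the first value of each.
    rec["query"] = {k: v[0] for k, v in
                    parse_qs(parts.query, keep_blank_values=True).items()}
    return rec

def subscribe_submissions(lines):
    """Yield parsed records for subscribe-form submissions sent as GET."""
    for line in lines:
        rec = parse_line(line)
        if (rec and rec["method"] == "GET"
                and rec["path"].startswith("/mailman/subscribe/")
                and "email" in rec["query"]):
            yield rec

def suspicious_sources(lines, min_addresses=2):
    """Map client IP -> sorted distinct target addresses, keeping only IPs
    that submitted the form for at least min_addresses different addresses."""
    by_ip = defaultdict(set)
    for rec in subscribe_submissions(lines):
        by_ip[rec["ip"]].add(rec["query"]["email"])
    return {ip: sorted(a) for ip, a in by_ip.items() if len(a) >= min_addresses}

if __name__ == "__main__":
    for ip, addrs in suspicious_sources(SAMPLE_LOG.splitlines()).items():
        print(ip, len(addrs), "addresses:", ", ".join(addrs))
```

Feed it a real access log with `suspicious_sources(open(path).read().splitlines())`; the single crawler-style listinfo fetch and the POST in the sample are ignored, while the GET submissions for three different addresses from one IP are reported.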