[Mailman-Users] odd address confirmation spam

Mark Sapiro mark at msapiro.net
Mon Jul 22 23:15:03 CEST 2013

On 07/22/2013 01:54 PM, Will Yardley wrote:
> On Mon, Jul 22, 2013 at 09:31:03PM +0200, Ralf Hildebrandt wrote:
>> Which version of mailman is that?
> 2.1.9. And yes, I'm aware that we need to upgrade, it's in progress, but
> isn't possible immediately for complicated reasons. So, that's one
> reason I'm writing in, just to make sure this isn't an attempt to
> exploit a hole that's actually exploitable in this version.

There is a new feature in 2.1.16 (The second release candidate is
available final due in September)

- There is a new mm_cfg.py setting SUBSCRIBE_FORM_SECRET which will put
  a dynamically generated, hidden hash in the listinfo subscribe form and
  check it upon submission.  Setting this will prevent automated processes
  (bots) from successfully POSTing web subscribes without first retrieving
  and parsing the form from the listinfo page.  The form must also be
  submitted no later than FORM_LIFETIME nor no earlier than
  SUBSCRIBE_FORM_MIN_TIME after retrieval.  Note that enabling this will
  break any static subscribe forms on your site.  See the description in
  Defaults.py for more info.  (LP: #1082746)

If my 'legitimate web crawler' theory is correct, this feature won't help.

> On Mon, Jul 22, 2013 at 01:16:29PM -0700, Mark Sapiro wrote:
>> In your case, the web crawlers are just blindly submitting the
>> subscribe form from the listinfo page, and disallowing your listinfo
>> pages in a robots.txt will likely stop it.
> Why do the requests have actual email addresses and a bogus password /
> token in the request string, though? The IP doesn't have any RDNS, but
> is allocated to MSN, but I'd think a legitimate crawler would be more
> easily identifiable as such, and would only be following actual links.
> In this case we're getting repeated attempts to subscribe various
> addresses. Also, they're only hitting this list (which isn't even set to
> 'public'), out of all 2000 or so of our Mailman lists.

Is the email address always the same?

I can't explain how web crawlers work or why they do what they do, but
I'm not discounting them. What's in your web server logs for the
identity of the agent that submitted these requests? If you do a bing
search for this listinfo page, do you get any hits?

Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

More information about the Mailman-Users mailing list