[Mailman-Users] Bogus/forged subscription attempts: request for comments and possibly data
mark at msapiro.net
Tue Jun 10 02:01:19 CEST 2014
On 06/09/2014 04:11 PM, Rich Kulawiec wrote:
> This is a first-cut, mildly sloppy script that will try to match some
> patterns of interest that I've noticed in my "subscribe" log and that
> might be in yours.
> Here is what the last 10 lines of its output look like on my system:
> Jun 06 00:14:32 2014 ehkfioxlkrr <yujwjs at zwdxgc.com> 184.108.40.206
> Jun 06 13:23:16 2014 norchmecn <stydst at zdddmk.com> 220.127.116.11
> Jun 07 02:06:20 2014 eljult <qbprgi at wabtdh.com> 18.104.22.168
> Jun 07 13:21:20 2014 dvlevbpj <drksji at nlcvek.com> 22.214.171.124
> Jun 07 15:41:10 2014 sdbdelkv <mtpdky at ghazhc.com> 126.96.36.199
> Jun 07 16:17:10 2014 yqrebrgipo <ubnpwl at cgtnki.com> 188.8.131.52
> Jun 08 06:37:12 2014 cihjwn <soudms at bprryw.com> 184.108.40.206
> Jun 08 06:55:47 2014 ehxvwgrboo <iouwxm at mnaisa.com> 220.127.116.11
> Jun 08 23:47:58 2014 qqpluym <jpbcnw at qkvfdi.com> 18.104.22.168
> Jun 09 16:44:15 2014 mloepuj <figjdt at jjxlcu.com> 22.214.171.124
> This is forged gibberish, of course.
> I'm curious. First, is anybody else seeing these?
Some people are.
> Second, does anyone have a theory as to their purpose?
They are spammers attempting to subscribe to your list(s) via POSTs to
the web subscribe CGI. Presumably if they successfully subscribe, they
will then spam the list.
If you have Mailman 2.1.16 or later, you can mitigate this by setting
    SUBSCRIBE_FORM_SECRET = "Some site specific string"
in mm_cfg.py. See <https://bugs.launchpad.net/mailman/+bug/1082746>.
This is from the NEWS file:
    There is a new mm_cfg.py setting SUBSCRIBE_FORM_SECRET which will put
    a dynamically generated, hidden hash in the listinfo subscribe form and
    check it upon submission. Setting this will prevent automated processes
    (bots) from successfully POSTing web subscribes without first retrieving
    and parsing the form from the listinfo page. The form must also be
    submitted no later than FORM_LIFETIME nor no earlier than
    SUBSCRIBE_FORM_MIN_TIME after retrieval. Note that enabling this will
    break any static subscribe forms on your site. See the description in
    Defaults.py for more info. (LP: #1082746)
Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan