[Mailman-Users] Bogus/forged subscription attempts: request for comments and possibly data

Mark Sapiro mark at msapiro.net
Tue Jun 10 02:01:19 CEST 2014

On 06/09/2014 04:11 PM, Rich Kulawiec wrote:
> This is a first-cut, mildly sloppy script that will try to match some
> patterns of interest that I've noticed in my "subscribe" log and that
> might be in yours.
> Here is what the last 10 lines of its output look like on my system:
> Jun 06 00:14:32 2014  ehkfioxlkrr <yujwjs at zwdxgc.com>
> Jun 06 13:23:16 2014  norchmecn <stydst at zdddmk.com>
> Jun 07 02:06:20 2014  eljult <qbprgi at wabtdh.com>
> Jun 07 13:21:20 2014  dvlevbpj <drksji at nlcvek.com>
> Jun 07 15:41:10 2014  sdbdelkv <mtpdky at ghazhc.com>
> Jun 07 16:17:10 2014  yqrebrgipo <ubnpwl at cgtnki.com>
> Jun 08 06:37:12 2014  cihjwn <soudms at bprryw.com>
> Jun 08 06:55:47 2014  ehxvwgrboo <iouwxm at mnaisa.com>
> Jun 08 23:47:58 2014  qqpluym <jpbcnw at qkvfdi.com>
> Jun 09 16:44:15 2014  mloepuj <figjdt at jjxlcu.com>
> This is forged gibberish, of course.
> I'm curious.  First, is anybody else seeing these?

Some people are.

> Second, does anyone have a theory as to their purpose?

They are spammers attempting to subscribe to your list(s) via POSTs to
the web subscribe CGI. Presumably if they successfully subscribe, they
will then spam the list.

If you have Mailman 2.1.16 or later, you can mitigate this by setting

SUBSCRIBE_FORM_SECRET = "Some site specific string"

in mm_cfg.py. See <https://bugs.launchpad.net/mailman/+bug/1082746>.

This is from the NEWS file:

There is a new mm_cfg.py setting SUBSCRIBE_FORM_SECRET which will put
a dynamically generated, hidden hash in the listinfo subscribe form and
check it upon submission.  Setting this will prevent automated processes
(bots) from successfully POSTing web subscribes without first retrieving
and parsing the form from the listinfo page.  The form must also be
submitted no later than FORM_LIFETIME nor no earlier than
SUBSCRIBE_FORM_MIN_TIME after retrieval.  Note that enabling this will
break any static subscribe forms on your site.  See the description in
Defaults.py for more info.  (LP: #1082746)

Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
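
Added example, not part of the original message and not Mailman's own code: a sketch of the kind of check the NEWS entry describes, where a hidden form value carries an issue time and a keyed hash and is accepted only inside the SUBSCRIBE_FORM_MIN_TIME to FORM_LIFETIME window. The token layout, the use of HMAC-SHA256, the binding to list name and client address, and the numeric values are assumptions made for illustration.

```python
import hashlib
import hmac
import time

# Assumed values for illustration; the real settings live in Defaults.py / mm_cfg.py.
SUBSCRIBE_FORM_SECRET = b"Some site specific string"
FORM_LIFETIME = 3600           # seconds a fetched form stays valid (assumed)
SUBSCRIBE_FORM_MIN_TIME = 5    # seconds that must pass before submission (assumed)


def _mac(issued, listname, remote):
    # Keyed hash over issue time, list name and client address (assumed layout).
    msg = ("%d:%s:%s" % (issued, listname, remote)).encode("utf-8")
    return hmac.new(SUBSCRIBE_FORM_SECRET, msg, hashlib.sha256).hexdigest()


def make_token(listname, remote, now=None):
    """Value for the hidden form field: '<issue time>:<MAC>'."""
    issued = int(time.time() if now is None else now)
    return "%d:%s" % (issued, _mac(issued, listname, remote))


def check_token(token, listname, remote, now=None):
    """Return (ok, reason) for a submitted hidden-field value."""
    now = int(time.time() if now is None else now)
    try:
        issued_s, mac = token.split(":", 1)
        issued = int(issued_s)
    except (AttributeError, ValueError):
        # A blind POST that never fetched the form ends up here.
        return False, "missing or malformed token"
    expected = _mac(issued, listname, remote)
    # Constant-time comparison of the submitted and recomputed hashes.
    if not hmac.compare_digest(mac.encode("utf-8", "replace"),
                               expected.encode("utf-8")):
        return False, "bad hash"
    age = now - issued
    if age < SUBSCRIBE_FORM_MIN_TIME:
        return False, "submitted too soon"
    if age > FORM_LIFETIME:
        return False, "form expired"
    return True, "ok"
```

A static subscribe form hosted elsewhere on the site has no way to produce a current token, which is why the NEWS entry warns that enabling the setting breaks such forms.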
