[Mailman-Users] Subscription Form Spam -- It continues . . .

Mark Sapiro mark at msapiro.net
Thu Oct 8 02:49:28 CEST 2015


On 10/07/2015 08:15 AM, Rich Kulawiec wrote:
> 
> There are multiple approaches to this:
> 
> 1.  Look at the logs.  Find out where the subscriptions are coming from,
> and firewall out the appropriate network(s) or countries.  (See ipdeny.com
> for country IP ranges.)
> 
> or
> 
> 2. If you only expect to receive subscriptions from one or a few countries,
> then firewall out the entire world and only allow connections from that
> small set.
> 
> and/or
> 
> 3. Use the Spamhaus DROP and EDROP lists in your firewall and drop
> *all* inbound traffic from and *all* outbound traffic to those ranges.
> This achieves lossless compression.  (This should be done whether you
> do 1 or 2 or neither.  It's basic network self-defense.)
> 
> and/or


Except these come from botnets and the IPs are all over the world.


> 
> 4. Collect all the forged subscriptions and have a chat with the email
> people at Gmail.  It's possible that they can do something about this
> on their side.  I can put you in touch with someone if need be.


And Gmail has nothing to do with this. This is a DOS attack. There may
be some intent to harass various Gmail users with backscatter, but none
of this originates from Gmail and the addresses being subscribed may not
even be valid Gmail addresses, but if they are, I doubt their owners are
more than victims.

By globally banning the addresses at mail.python.org, we have no
backscatter and we block subscription and only say so in the web
response to the subscribe form submission. Thus whoever is behind this
gains nothing and only causes us the web processing to process their GET
and POST. It's hard to see why they continue to hammer us, but we see
ever increasing numbers of these, 17341 on Oct 5, 17882 on Oct 6 and
19927 on Oct 7, CEST. These are the number of subscribe attempts that
got far enough to be banned. Significant numbers are blocked via IP
block lists and some fail because the POST comes too soon after the GET.

-- 
Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
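
The two defences mentioned in the message above, rejecting a POST that arrives too soon after the GET and banning addresses with the result shown only in the web response, sketched as an added example. This is not part of the original post and not Mailman's own code; the secret, timing window, ban pattern and function names are assumptions.

```python
import hashlib, hmac, re, time

FORM_SECRET = b"constructed-demo-secret"      # assumption: per-site secret
MIN_FILL_SECONDS, MAX_AGE_SECONDS = 5, 3600   # assumption: timing window
BAN_PATTERNS = [re.compile(r"^victim\+.*@example\.com$", re.I)]  # constructed

def _mac(issued, listname, remote_ip):
    # Bind the timestamp to the list and client so a token cannot be reused elsewhere.
    msg = f"{issued}:{listname}:{remote_ip}".encode()
    return hmac.new(FORM_SECRET, msg, hashlib.sha256).hexdigest()

def issue_token(listname, remote_ip, now=None):
    """Embed in a hidden field when the subscribe form is served (GET)."""
    issued = int(time.time() if now is None else now)
    return f"{issued}:{_mac(issued, listname, remote_ip)}"

def check_token(token, listname, remote_ip, now=None):
    """Validate the hidden field on POST; returns a reason string."""
    now = int(time.time() if now is None else now)
    try:
        issued_s, mac = token.split(":", 1)
        issued = int(issued_s)
        mac_bytes = mac.encode()
    except (AttributeError, ValueError):
        return "malformed"
    expected = _mac(issued, listname, remote_ip).encode()
    if not hmac.compare_digest(mac_bytes, expected):
        return "bad-mac"          # forged, or timestamp tampered with
    age = now - issued
    if age < MIN_FILL_SECONDS:
        return "too-soon"         # scripted POST right after the GET
    if age > MAX_AGE_SECONDS:
        return "expired"          # stale token replayed later
    return "ok"

def handle_subscribe(token, listname, remote_ip, address, now=None):
    """Decide a POST. Only 'accepted' may trigger a confirmation e-mail;
    every rejection is reported in the web response alone (no backscatter)."""
    reason = check_token(token, listname, remote_ip, now)
    if reason != "ok":
        return reason
    if any(p.match(address) for p in BAN_PATTERNS):
        return "banned"
    return "accepted"
```

Counting the returned reasons per day gives the kind of tally quoted in the message, split by which layer stopped each attempt.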

