[Mailman-Users] Spam to "-request" address generating backscatter spam

Jim Popovitch jimpop at gmail.com
Thu Dec 22 18:01:37 EST 2016

On Thu, Dec 22, 2016 at 4:53 PM, Jim Popovitch <jimpop at gmail.com> wrote:
> On Tue, Dec 13, 2016 at 12:35 PM, Mark Sapiro <mark at msapiro.net> wrote:
>> Steve has answered most of this. I just want to add a couple of things.
>> With respect to web subscribes, several sites including python.org have
>> seen mail bomb attacks via the web subscribe interface.
>> These are subscribes via the web UI by distributed bots that are "smart"
>> enough to GET the form  and delay tens of seconds before POSTing it. The
>> most recent attacks have been multiple subscribes to multiple lists of
>> some gmail.com address with various permutations of dots (ignored by
>> gmail) interspersed in the local part. The most recent attack on
>> mail.python.org subscribed addresses that matched
>>   '^.*s\.*u\.*n\.*i\.*b\.*e\.*e\.*s\.*t\.*a\.*r\.*s.*@gmail\.com
> I know the GLOBAL_BAN_LIST is for email addrs, but what would it take
> to implement the same (or some field validation logic) for the
> "fullname" field of the subscription page.   I'm still seeing a ton of
> subscribe spam attempts, and the fullname field is consistently not a
> text name.

I think i have a better solution, (but I'm not so sure how to do this
in Apache).  In Nginx you can use "limit_except PUT { deny  all; }"
to deny the spambot GET attempts.

-Jim P.

More information about the Mailman-Users mailing list