[Mailman-Users] Distributed mass subscribe attack?

Mark Sapiro mark at msapiro.net
Tue Aug 8 14:30:06 EDT 2017

On 08/08/2017 10:22 AM, David Gibbs wrote:
> Anyone else noticing a distributed mass subscribe attack going on their
> lists?
> I've noticed a massive number of attempts a small subset of email
> addresses, with modifiers (address+modifier at example.com), going on.
> It appears the address is valid ... so it appears to be some kind of hit
> job to flood someone's inbox.
> Luckily the address's are trivial to block using 'ban_list'.

I've seen this on mail.python.org in the past but not recently. Both the
form you mention and a local-part at gmail.com form with dots interspersed
in the local part (which gmail ignores). I agree that it appears to be
some kind of hit job to flood someone's inbox.

It is this kind of attack that motivated the GLOBAL_BAN_LIST feature in
MM 2.1.21.

What I've seen recently is massive non-member posts in chinese to
maulman-users at mailman3.org from addresses of the form
string_of_digits at qq.com and some at 163.com. After waking up to 2000+
held message notifications a while back, I now block these with a
Postfix header_checks rule

/^From:.*<.*[0-9]{4}.*@(qq|163)\.com>/ REJECT Go away you F*ing mail bomber

I am still seeing a few from various @163.com addresses, but I am now
(temporarily?) discarding non-member posts, so I only see them in logs
if I look.

Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

More information about the Mailman-Users mailing list