[Mailman-Users] Distributed mass subscribe attack?
Mark Sapiro
mark at msapiro.net
Tue Aug 8 14:30:06 EDT 2017
On 08/08/2017 10:22 AM, David Gibbs wrote:
>
> Anyone else noticing a distributed mass subscribe attack going on their
> lists?
>
> I've noticed a massive number of attempts using a small subset of email
> addresses, with modifiers (address+modifier at example.com), going on.
>
> It appears the address is valid ... so it appears to be some kind of hit
> job to flood someone's inbox.
>
> Luckily the addresses are trivial to block using 'ban_list'.

I've seen this on mail.python.org in the past but not recently. Both the
form you mention and a local-part at gmail.com form with dots interspersed
in the local part (which gmail ignores). I agree that it appears to be
some kind of hit job to flood someone's inbox.

It is this kind of attack that motivated the GLOBAL_BAN_LIST feature in
MM 2.1.21.

What I've seen recently is massive non-member posts in Chinese to
mailman-users at mailman3.org from addresses of the form
string_of_digits at qq.com and some at 163.com. After waking up to 2000+
held message notifications a while back, I now block these with a
Postfix header_checks rule

/^From:.*<.*[0-9]{4}.*@(qq|163)\.com>/ REJECT Go away you F*ing mail bomber

I am still seeing a few from various @163.com addresses, but I am now
(temporarily?) discarding non-member posts, so I only see them in logs
if I look.

--
Mark Sapiro <mark at msapiro.net> The highway is for gamblers,
San Francisco Bay Area, California better use your sense - B. Dylan
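
An added example, not part of the original post and not Mailman code: one way to spot the two address forms described above (address+modifier, and dotted Gmail local parts) in a list of attempted subscription addresses and to emit one ban_list regexp per targeted mailbox. The sample addresses, the function names and the threshold are constructed for illustration; it assumes ban_list entries beginning with ^ are treated as regular expressions, as in Mailman 2.1.

```python
import re
from collections import defaultdict

# Assumption for this example: only gmail.com ignores dots in the local part.
DOT_INSENSITIVE = {"gmail.com"}

# Constructed sample of attempted subscription addresses (not real data).
SAMPLE = [
    "victim+a1@example.com", "victim+zz9@example.com", "Victim+news@example.com",
    "j.doe@gmail.com", "jd.oe@gmail.com", "j.d.o.e@gmail.com", "jdoe+x@gmail.com",
    "alice@example.org", "bob+lists@example.org",
]

def canonicalize(addr):
    """Collapse +modifier and dotted-Gmail variants onto one mailbox."""
    local, _, domain = addr.strip().lower().rpartition("@")
    local = local.split("+", 1)[0]
    if domain in DOT_INSENSITIVE:
        local = local.replace(".", "")
    return local + "@" + domain

def flooded_mailboxes(attempts, threshold=3):
    """Map each mailbox seen under >= threshold distinct spellings to them."""
    variants = defaultdict(set)
    for addr in attempts:
        variants[canonicalize(addr)].add(addr.strip().lower())
    return {c: v for c, v in variants.items() if len(v) >= threshold}

def ban_pattern(canonical):
    """Build one ban_list regexp (leading ^) covering every variant."""
    local, _, domain = canonical.rpartition("@")
    if domain in DOT_INSENSITIVE:
        # Allow any number of dots between the characters of the local part.
        body = r"\.*".join(re.escape(ch) for ch in local)
    else:
        body = re.escape(local)
    return "^" + body + r"(\+[^@]*)?@" + re.escape(domain) + "$"

if __name__ == "__main__":
    for mailbox, seen in sorted(flooded_mailboxes(SAMPLE).items()):
        print(len(seen), "variants ->", ban_pattern(mailbox))
```

Each generated pattern is anchored at both ends, so it bans the targeted mailbox and its variants without catching unrelated addresses that merely share a prefix.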