[Mailman-Users] Mailman under attack

David Osborne cczdao at unix.ccc.nottingham.ac.uk
Thu Dec 5 14:31:24 CET 2013


On 14/11/13 18:32, Fil wrote:
> Hello,
>
> I just noticed a lot of backscatter spam, my Mailman installation was
> starting to send subscription verifications to a lot of
> ALLCAPS at hotmail.com addresses, on a test list that no one is supposed
> to be using.
>
> I traced it to this site:
>
> http://4478.a.hostable.me/vinabot/bommail/Boom.html
>
> if you view source you will see that it opens a lot of iframes on 284
> Mailman installations, and tries to auto-subscribe its victims' email
> addresses to different lists (392 in total).
>
> I have put the page HTML source as well as the list of targeted servers and
> lists in the attached zip file.
>
> Do you know how to stop this efficiently?
>
> -- Fil

One of our lists was being spammed with subscription requests and I 
eventually found the cause: the URL /mailman/subscribe was being 
requested a large number of times from a variety of IP addresses. These 
were logged by Apache to its access log (/var/log/httpd/access_log* on 
our CentOS 6 server running Mailman 2.1.14 built from source and the 
standard Apache httpd package). I searched the httpd logs for the last 
month to find the successful requests for /mailman/subscribe (with a 200 
return code), picking out the referral URL and omitting valid requests 
containing part of our domain (nottingham), using the following pipeline:

grep 'mailman.subscribe.* 200 ' access_log* | sed 's/ 200 /#/' | cut -d'#' -f2 | cut -d' ' -f2 | grep -v nottingham | sort | uniq -c | sort -rn

The results were sorted in descending order of number of matches, so the 
worst offenders were at the top, including 5487 requests from 
http://vipserver88.com/member//check/boom/ and 1659 requests from 
http://4478.a.hostable.me/vinabot/bommail/Boom.html, which Fil mentioned 
above.

After realising that I don't want the Mailman subscribe URL to be called 
from a referring page which is not ours, I used the technique for 
preventing hotlinking of images from a website 
(http://httpd.apache.org/docs/2.2/rewrite/access.html#blocked-inline-images) 
and added this to the file /etc/httpd/conf.d/mailman.conf:

# Prevent subscription request spam
SetEnvIf Referer lists\.example\.com localreferer
<Location /mailman/subscribe>
     Order deny,allow
     Deny from all
     Allow from env=localreferer
</Location>

Replace 'lists\.example\.com' with the FQDN of your Mailman server.
Now all the off-site /mailman/subscribe requests get a 403 forbidden 
return code.

Maybe this protection of /mailman/subscribe should be a standard part of 
the Apache configuration?

Are there any other Mailman URLs potentially open to misuse which ought 
to be similarly protected?

David

-- 
David Osborne
Senior Systems Development Officer
Systems and Security Team, Information Services
University of Nottingham
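As an added example (not part of David's post or of the Mailman project), the same referer-counting pipeline run over a constructed Apache combined-log sample, so the log analysis can be checked offline before pointing it at real access_log files. The IP addresses are RFC 5737 documentation addresses, the local hostname lists.nottingham.example is made up, and the two referer URLs are the ones named in the thread.

```shell
#!/bin/sh
# Added example: reproduce the referer count from the post on a constructed
# Apache "combined" log, so the pipeline's filtering can be verified offline.

LOG="${TMPDIR:-/tmp}/mailman_access_sample.$$"
OWN_DOMAIN="nottingham"   # substring of your own hostname, as in the post
trap 'rm -f "$LOG"' EXIT

# Constructed sample lines (combined log format). Line 4 is a legitimate
# on-site referer, line 5 was already refused with 403, line 6 is not a
# subscribe request; only lines 1-3 should be counted.
cat > "$LOG" <<'EOF'
203.0.113.5 - - [14/Nov/2013:18:01:02 +0000] "POST /mailman/subscribe/testlist HTTP/1.1" 200 1234 "http://4478.a.hostable.me/vinabot/bommail/Boom.html" "Mozilla/5.0"
203.0.113.6 - - [14/Nov/2013:18:01:03 +0000] "POST /mailman/subscribe/testlist HTTP/1.1" 200 1234 "http://4478.a.hostable.me/vinabot/bommail/Boom.html" "Mozilla/5.0"
198.51.100.7 - - [14/Nov/2013:18:02:10 +0000] "POST /mailman/subscribe/testlist HTTP/1.1" 200 1234 "http://vipserver88.com/member//check/boom/" "Mozilla/5.0"
192.0.2.9 - - [14/Nov/2013:18:03:00 +0000] "POST /mailman/subscribe/testlist HTTP/1.1" 200 1234 "http://lists.nottingham.example/mailman/listinfo/testlist" "Mozilla/5.0"
192.0.2.10 - - [14/Nov/2013:18:03:05 +0000] "POST /mailman/subscribe/testlist HTTP/1.1" 403 210 "http://vipserver88.com/member//check/boom/" "Mozilla/5.0"
192.0.2.11 - - [14/Nov/2013:18:04:00 +0000] "GET /mailman/listinfo/testlist HTTP/1.1" 200 5000 "-" "Mozilla/5.0"
EOF

# The pipeline from the post, parameterised on log file ($1) and the
# substring that identifies your own referers ($2). After "sed" replaces
# the first " 200 " with "#", the text after "#" is: bytes "referer" "agent",
# so the second space-separated field is the quoted referer.
offsite_subscribe_referers() {
    grep 'mailman.subscribe.* 200 ' "$1" | sed 's/ 200 /#/' | cut -d'#' -f2 \
        | cut -d' ' -f2 | grep -v "$2" | sort | uniq -c | sort -rn
}

# Busiest off-site referer as "count referer" (leading spaces from uniq -c stripped).
top_offender() {
    offsite_subscribe_referers "$1" "$2" | head -n 1 | sed 's/^ *//'
}

# Number of distinct off-site referers that reached /mailman/subscribe.
offsite_referer_count() {
    offsite_subscribe_referers "$1" "$2" | wc -l | tr -d ' '
}

echo "Off-site referers for /mailman/subscribe (200 responses only):"
offsite_subscribe_referers "$LOG" "$OWN_DOMAIN"
echo "Worst offender: $(top_offender "$LOG" "$OWN_DOMAIN")"
```

On a real server run it with the access_log* glob instead of the sample file; note that the pattern matches only successful (200) requests, so once the Deny rule from the post is in place the refused requests drop out of this count and can be watched separately by grepping for ' 403 '.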

