[Mailman-Users] odd address confirmation spam

Will Yardley mailman at veggiechinese.net
Mon Jul 22 21:16:48 CEST 2013


It seems someone is trying to forge-subscribe certain addresses (mostly
AOL / Yahoo / Gmail etc. addresses) on our Mailman install.

For example, (slightly sanitized, though the IP address is the real one):

[19/Jul/2013:09:49:17 -0700] 137.117.103.83 TLSv1 RC4-SHA "GET /mailman/subscribe/listname?email=TARGET at EXAMPLE.COM&fullname=&pw=123456789&pw-conf=123456789&language=en&digest=0&email-button=Subscribe HTTP/1.1" 1587
[19/Jul/2013:09:49:17 -0700] 137.117.103.83 TLSv1 RC4-SHA "GET /mailman/subscribe/listname?email=TARGET at EXAMPLE.COM&fullname=&pw=123456789&pw-conf=123456789&language=en&digest=0&email-button=Subscribe HTTP/1.1" 1587
[19/Jul/2013:09:49:43 -0700] 137.117.103.83 TLSv1 RC4-SHA "GET /mailman/subscribe/listname?email=TARGET at EXAMPLE.COM&fullname=&pw=123456789&pw-conf=123456789&language=en&digest=0&email-button=Subscribe HTTP/1.1" 1587
[19/Jul/2013:09:55:50 -0700] 137.117.103.83 TLSv1 RC4-SHA "GET /mailman/subscribe/listname?email=TARGET at EXAMPLE.COM&fullname=&pw=123456789&pw-conf=123456789&language=en&digest=0&email-button=Subscribe HTTP/1.1" 1587
[19/Jul/2013:09:56:05 -0700] 137.117.103.83 TLSv1 RC4-SHA "GET /mailman/subscribe/listname?email=TARGET at EXAMPLE.COM&fullname=&pw=123456789&pw-conf=123456789&language=en&digest=0&email-button=Subscribe HTTP/1.1" 1587

The password / confirmation token are the same in each case, so it doesn't
seem like they're trying to guess those.

So far, this hasn't resulted in any actual subscriptions, nor is there
any spam content in the confirmation message that's sent to the
end-user. Any idea what they might be trying to accomplish? They only
seem to have been targeting one of the lists on the machine (the list
has several thousand).

Does this correspond to any known exploits for older versions of
Mailman?

w
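
One way to look for this pattern in a web server log, as an added example that is not part of the original post: it parses the log layout quoted above and reports client IPs that send repeated GET subscribe requests for a list. The sample lines are constructed (documentation IPs, example.com addresses, URL-encoded `@`), and the function names and the threshold of 3 are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Log layout as quoted in the post:
# [timestamp] client-ip tls-version cipher "request line" bytes
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] (?P<ip>\S+) \S+ \S+ '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" \d+$'
)
PREFIX = "/mailman/subscribe/"

# Constructed sample lines, not taken from any real log.
SAMPLE_LOG = """\
[19/Jul/2013:09:49:17 -0700] 203.0.113.7 TLSv1 RC4-SHA "GET /mailman/subscribe/listname?email=a%40example.com&fullname=&pw=123456789&pw-conf=123456789&language=en&digest=0&email-button=Subscribe HTTP/1.1" 1587
[19/Jul/2013:09:49:43 -0700] 203.0.113.7 TLSv1 RC4-SHA "GET /mailman/subscribe/listname?email=a%40example.com&fullname=&pw=123456789&pw-conf=123456789&language=en&digest=0&email-button=Subscribe HTTP/1.1" 1587
[19/Jul/2013:09:55:50 -0700] 203.0.113.7 TLSv1 RC4-SHA "GET /mailman/subscribe/listname?email=b%40example.com&fullname=&pw=123456789&pw-conf=123456789&language=en&digest=0&email-button=Subscribe HTTP/1.1" 1587
[19/Jul/2013:09:56:05 -0700] 203.0.113.7 TLSv1 RC4-SHA "GET /mailman/subscribe/listname?email=c%40example.com&fullname=&pw=123456789&pw-conf=123456789&language=en&digest=0&email-button=Subscribe HTTP/1.1" 1587
[19/Jul/2013:10:02:11 -0700] 198.51.100.20 TLSv1 RC4-SHA "GET /mailman/subscribe/listname?email=d%40example.com&fullname=&language=en&digest=0&email-button=Subscribe HTTP/1.1" 1602
[19/Jul/2013:10:03:40 -0700] 198.51.100.20 TLSv1 RC4-SHA "GET /mailman/listinfo/listname HTTP/1.1" 4410
"""

def subscribe_attempts(log_text):
    """Group GET subscribe requests by (client IP, list name)."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["method"] != "GET":
            continue
        url = urlsplit(m["target"])
        if not url.path.startswith(PREFIX):
            continue
        emails = parse_qs(url.query).get("email", [])
        if emails:
            hits[(m["ip"], url.path[len(PREFIX):])].append(emails[0].lower())
    return hits

def flag_sources(log_text, min_requests=3):
    """Return {(ip, list): distinct addresses} for sources at or above the threshold."""
    return {
        key: sorted(set(addrs))
        for key, addrs in subscribe_attempts(log_text).items()
        if len(addrs) >= min_requests
    }

if __name__ == "__main__":
    for (ip, lst), addrs in flag_sources(SAMPLE_LOG).items():
        print(f"{ip} -> {lst}: {len(addrs)} distinct addresses: {', '.join(addrs)}")
```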


