[Mailman-Users] Subscription Form Spam -- It continues . . .
Matthew Saltzman
mjs at clemson.edu
Thu Oct 8 04:19:28 CEST 2015
On Wed, 2015-10-07 at 17:49 -0700, Mark Sapiro wrote:
> On 10/07/2015 08:15 AM, Rich Kulawiec wrote:
> >
> > There are multiple approaches to this:
> >
> > 1. Look at the logs. Find out where the subscriptions are coming from,
> > and firewall out the appropriate network(s) or countries. (See ipdeny.com
> > for country IP ranges.)
> >
> > or
> >
> > 2. If you only expect to receive subscriptions from one or a few countries,
> > then firewall out the entire world and only allow connections from that
> > small set.
> >
> > and/or
> >
> > 3. Use the Spamhaus DROP and EDROP lists in your firewall and drop
> > *all* inbound traffic from and *all* outbound traffic to those ranges.
> > This achieves lossless compression. (This should be done whether you
> > do 1 or 2 or neither. It's basic network self-defense.)
> >
> > and/or
>
> Except these come from botnets and the IPs are all over the world.
>
> > 4. Collect all the forged subscriptions and have a chat with the email
> > people at Gmail. It's possible that they can do something about this
> > on their side. I can put you in touch with someone if need be.
>
> And Gmail has nothing to do with this. This is a DOS attack. There may
> be some intent to harass various gmail users with backscatter, but none
> of this originates from gmail and the addresses being subscribed may not
> even be valid gmail addresses, but if they are, I doubt their owners are
> more than victims.
>
> By globally banning the addresses at mail.python.org, we have no
> backscatter and we block subscription and only say so in the web
> response to the subscribe form submission. Thus whoever is behind this
> gains nothing and only causes us the web processing to process their GET
> and POST. It's hard to see why they continue to hammer us, but we see
> ever increasing numbers of these, 17341 on Oct 5, 17882 on Oct 6 and
> 19927 on Oct 7, CEST. These are the number of subscribe attempts that
> got far enough to be banned. Significant numbers are blocked via IP
> block lists and some fail because the POST comes too soon after the
> GET.
>
Based on Mark's advice, we banned the following regexps from
subscribing:

^.*\+\d{5,}@gmail\.com
^.*\+\d{5,}@usc\.edu

That might be a bit aggressive, potentially blocking a legitimate
address or two, but we haven't seen the spam since. (Note that there
was only one usc.edu address involved, and we haven't seen that once
since instituting the ban.)
# wc subscribe vette
12 132 1153 subscribe
82014 902233 10164693 vette
...and that's just today!
--
Matthew Saltzman
Clemson University Math Sciences
mjs AT clemson DOT edu
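The two ban_list regexps above, exercised against a constructed batch of subscribe attempts. This is an added example, not code from the thread or from Mailman itself; it assumes Mailman 2.1's ban_list semantics (entries beginning with '^' are regular expressions matched case-insensitively, anything else is a literal address), and the sample addresses are made up.

```python
import re

# The ban_list entries from the post, with the stray spaces removed.
# Note: "\d{5, }" (with a space) is NOT a quantifier in Python's re module;
# the "{" becomes a literal character and the entry silently matches nothing.
BAN_PATTERNS = [
    r"^.*\+\d{5,}@gmail\.com",
    r"^.*\+\d{5,}@usc\.edu",
]


def compile_ban_list(patterns):
    """Compile ban_list entries the way Mailman 2.1 treats them (assumption):
    entries starting with '^' are regexes matched case-insensitively,
    everything else is compared as a lower-cased literal address."""
    compiled = []
    for p in patterns:
        if p.startswith("^"):
            compiled.append(re.compile(p, re.IGNORECASE))
        else:
            compiled.append(p.strip().lower())
    return compiled


def is_banned(address, compiled):
    """True if the address hits any compiled ban_list entry."""
    addr = address.strip()
    for entry in compiled:
        if isinstance(entry, str):
            if addr.lower() == entry:
                return True
        elif entry.search(addr):
            return True
    return False


def triage(addresses, patterns=BAN_PATTERNS):
    """Split a batch of subscribe attempts into (banned, allowed) lists."""
    compiled = compile_ban_list(patterns)
    banned = [a for a in addresses if is_banned(a, compiled)]
    allowed = [a for a in addresses if not is_banned(a, compiled)]
    return banned, allowed


# Constructed sample of subscribe attempts (not real addresses from the thread).
SAMPLE_ATTEMPTS = [
    "victim+8841027@gmail.com",  # forged pattern: plus tag with 5+ digits
    "Someone+00012@GMAIL.COM",   # same pattern, mixed case
    "student+123456@usc.edu",    # the usc.edu variant
    "alice+work@gmail.com",      # legitimate plus tag without digits
    "bob+2015@gmail.com",        # only four digits: allowed through
    "carol@gmail.com",           # plain address: allowed through
    "dave+99999@example.org",    # other domain: not covered by the ban
]

if __name__ == "__main__":
    banned, allowed = triage(SAMPLE_ATTEMPTS)
    print(f"banned {len(banned)}, allowed {len(allowed)}")
```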