[Mailman-Users] Subscription Form Spam -- It continues . . .

Matthew Saltzman mjs at clemson.edu
Thu Oct 8 04:19:28 CEST 2015


On Wed, 2015-10-07 at 17:49 -0700, Mark Sapiro wrote:
> On 10/07/2015 08:15 AM, Rich Kulawiec wrote:
> > 
> > There are multiple approaches to this:
> > 
> > 1.  Look at the logs.  Find out where the subscriptions are coming
> > from,
> > and firewall out the appropriate network(s) or countries.  (See
> > ipdeny.com
> > for country IP ranges.)
> > 
> > or
> > 
> > 2. If you only expect to receive subscriptions from one or a few
> > countries,
> > then firewall out the entire world and only allow connections from
> > that
> > small set.
> > 
> > and/or
> > 
> > 3. Use the Spamhaus DROP and EDROP lists in your firewall and drop
> > *all* inbound traffic from and *all* outbound traffic to those
> > ranges.
> > This achieves lossless compression.  (This should be done whether
> > you
> > do 1 or 2 or neither.  It's basic network self-defense.)
> > 
> > and/or
> 
> 
> Except these come from botnets and the IPs are all over the world.
> 
> 
> > 
> > 4. Collect all the forged subscriptions and have a chat with the
> > email
> > people at Gmail.  It's possible that they can do something about
> > this
> > on their side.  I can put you in touch with someone if need be.
> 
> 
> And Gmail has nothing to do with this. This is a DOS attack. There
> may
> be some intent to harass various gmail users with backscatter, but
> none
> of this originates from gmail and the addresses being subscribed may
> not
> even be valid gmail addresses, but if they are, I doubt their owners
> are
> more than victims.
> 
> By globally banning the addresses at mail.python.org, we have no
> backscatter and we block subscription and only say so in the web
> response to the subscribe form submission. Thus whoever is behind
> this
> gains nothing and only causes us the web processing to process their
> GET
> and POST. It's hard to see why they continue to hammer us, but we see
> ever increasing numbers of these, 17341 on Oct 5, 17882 on Oct 6 and
> 19927 on Oct 7, CEST. These are the number of subscribe attempts that
> got far enough to be banned. Significant numbers are blocked via IP
> block lists and some fail because the POST comes too soon after the
> GET.
> 

Based on Mark's advice, we banned the following regexps from
subscribing:

    ^.*\+\d{5,}@gmail\.com
    ^.*\+\d{5,}@usc\.edu

That might be a bit aggressive, potentially blocking a legitimate
address or two, but we haven't seen the spam since. (Note that there
was only one usc.edu address involved, and we haven't seen that once
since instituting the ban.)

    # wc subscribe vette
          12      132     1153 subscribe
       82014   902233 10164693 vette

...and that's just today!

-- 
Matthew Saltzman
Clemson University Math Sciences
mjs AT clemson DOT edu
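The two ban_list regexps quoted above, exercised against a constructed set of subscribe attempts so the trade-off Matthew mentions (a legitimate plus-address with five or more digits gets caught too) is visible. This is an added example, not code from the thread or from Mailman itself; it assumes Mailman 2 applies ban_list entries that start with `^` as case-insensitive regexp searches and compares other entries as lowercased literals, and every address below is made up.

```python
import re

# Ban patterns as quoted in the thread above (Mailman 2 ban_list style:
# an entry starting with '^' is treated as a regular expression).
BAN_PATTERNS = [
    r"^.*\+\d{5,}@gmail\.com",
    r"^.*\+\d{5,}@usc\.edu",
]

# Constructed sample of subscribe attempts (made up, not addresses from the thread).
SAMPLE_ATTEMPTS = [
    "victim+48213@gmail.com",       # forged plus-address, 5 digits: banned
    "victim+9981234567@gmail.com",  # forged plus-address, 10 digits: banned
    "someone+10001@usc.edu",        # the usc.edu variant: banned
    "alice+1234@gmail.com",         # only 4 digits: passes the pattern
    "alice+newsletter@gmail.com",   # plus-tag with no digits: passes
    "bob+12345@example.org",        # other domain: passes
    "Carol+55555@GMAIL.COM",        # case differs: still banned (IGNORECASE)
]


def matching_ban(address, patterns=BAN_PATTERNS):
    """Return the first ban pattern that matches address, or None.

    Assumed to mirror Mailman 2's ban_list handling: an entry beginning
    with '^' is a case-insensitive regexp search, any other entry is a
    case-insensitive literal comparison. This helper is not Mailman's code.
    """
    for pattern in patterns:
        if pattern.startswith("^"):
            if re.search(pattern, address, re.IGNORECASE):
                return pattern
        elif pattern.lower() == address.lower():
            return pattern
    return None


def triage(attempts, patterns=BAN_PATTERNS):
    """Split a list of subscribe attempts into (banned, allowed) lists."""
    banned, allowed = [], []
    for addr in attempts:
        (banned if matching_ban(addr, patterns) else allowed).append(addr)
    return banned, allowed


if __name__ == "__main__":
    banned, allowed = triage(SAMPLE_ATTEMPTS)
    print("banned :", banned)
    print("allowed:", allowed)
```

Note that neither pattern is anchored at the end with `$`, so anything whose local part has a plus-tag of five or more digits at one of those two domains is banned regardless of what follows; a real subscriber such as `alice+12345@gmail.com` would be refused, which is the "bit aggressive" cost the message accepts in exchange for stopping the flood.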

