[Mailman-Users] Subscription Form Spam -- It continues . . .
Stephen J. Turnbull
stephen at xemacs.org
Thu Oct 8 06:42:07 CEST 2015
Mark Sapiro writes:

> > 3. Use the Spamhaus DROP and EDROP lists in your firewall and drop
> > *all* inbound traffic from and *all* outbound traffic to those ranges.
> > This achieves lossless compression. (This should be done whether you
> > do 1 or 2 or neither. It's basic network self-defense.)
> >
> > and/or
>
> Except these come from botnets and the IPs are all over the world.

I wonder how effective the Spamhaus XBL (eXploited host Black List)
would be at this. I wouldn't use it unless I were experiencing the
attack, though.

> It's hard to see why they continue to hammer us,

Good question.

By the way, I'm not seeing the '.*\+\d{5,}@gmail\.com' subscribes at
XEmacs, but I am seeing this (curiously not for XEmacs itself, but for
LUG lists our host also serves):

Oct 04 yhslug: pending info at firstlast.com 195.228.45.176
Oct 04 shenlug: pending nick.last at gmail.com 173.254.216.68
Oct 04 fredlug: pending nick.last at gmail.com 209.133.66.214
Oct 04 bbh: pending nick.last at gmail.com 195.154.209.57
Oct 04 bod: pending nick.last at gmail.com 195.154.209.57
Oct 04 ma-linux: pending nick.last at gmail.com 162.247.72.
Oct 04 yhslug: pending nick.last at gmail.com 162.247.72.7
Oct 04 ma-jobs: pending nick.last at gmail.com 81.89.96.88
Oct 04 fredlug: pending nick.last at gmail.com 192.151.154.142
Oct 04 ma-linux: pending nick.last at gmail.com 195.154.191.67
Oct 04 yhslug: pending nick.last at gmail.com 195.154.191.67
Oct 05 mailman: pending info at firstlast.com 5.9.36.66
Oct 05 ma-jobs: pending info at firstlast.com 5.9.36.66
Oct 05 shenlug: pending info at firstlast.com 5.9.36.66
Oct 05 xlock-announce: pending info at firstlast.com 5.9.36.66
Oct 05 ma-linux: pending info at firstlast.com 213.61.149.100
Oct 05 yhslug: pending info at firstlast.com 213.61.149.100
Oct 05 xlock-develop: pending nick.last at gmail.com 107.181.174.84
Oct 05 ma-jobs: pending nick.last at gmail.com 107.181.174.84
Oct 05 shenlug: pending nick.last at gmail.com 107.181.174.84
Oct 05 ma-linux: pending info at firstlast.com 185.101.107.189
Oct 05 yhslug: pending info at firstlast.com 185.101.107.189
Oct 06 fredlug: pending nick.last at gmail.com 62.210.105.116
Oct 06 shenlug: pending info at firstlast.com 37.130.227.133
Oct 06 mailman: pending nick.last at gmail.com 37.187.7.74
Oct 06 yhslug: pending info at firstlast.com 37.187.7.74
Oct 06 shenlug: pending nick.last at gmail.com 37.187.7.74
Oct 06 ma-linux: pending nick.last at gmail.com 69.162.139.9
Oct 06 yhslug: pending nick.last at gmail.com 69.162.139.9
Oct 07 shenlug: pending info at firstlast.com 171.25.193.131
Oct 07 bbh: pending info at firstlast.com 185.104.120.4
Oct 07 mailman: pending nick.last at gmail.com 91.219.236.222
Oct 07 ma-jobs: pending nick.last at gmail.com 91.219.236.222

(Name obfuscated to protect the probably innocent victim.)

19 different IPs -- "Nick Last" sure gets around on the Internet!

This isn't the only suspicious subscription activity on the host and
it doesn't amount to a serious DOS attack for us, but it looks like a
variation (maybe an older scheme? or just a script kiddie with only a
few bots?) on the same theme.

Just speculation, but I wonder if the bots are discovering Mailman
hosts, then going to listinfo and getting the list of lists, and then
telling the other bots in their net to subscribe (in an unintended
"Great Internet Worm" fiasco)?

Steve
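
Added example, not part of the original message: a Python sketch of the tally described above, grouping pending subscription requests by address and counting the distinct source IPs and lists behind each one. The line layout follows the excerpt in the message; the sample lines, function names and thresholds are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the layout of the log excerpt above; the names and
# documentation-range IPs are made up. Line 3 has a deliberately cut-off IP.
SAMPLE_LOG = """\
Oct 04 list-a: pending nick.last at example.com 192.0.2.10
Oct 04 list-b: pending nick.last at example.com 198.51.100.7
Oct 04 list-c: pending nick.last at example.com 203.0.113.
Oct 05 list-a: pending nick.last at example.com 203.0.113.45
Oct 05 list-b: pending info at example.org 192.0.2.99
Oct 05 list-c: pending info at example.org 192.0.2.99
Oct 06 list-a: pending alice at example.net 198.51.100.20
"""

LINE_RE = re.compile(
    r"^\w{3} \d{2} (?P<list>[\w.-]+): pending "
    r"(?P<local>\S+) at (?P<domain>\S+) (?P<ip>\S+)$")

def summarize(log_text):
    """Group pending requests by address; return (stats, rejected lines)."""
    stats = defaultdict(lambda: {"ips": set(), "lists": set(), "requests": 0})
    rejected = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        try:
            ip = ipaddress.ip_address(m["ip"]) if m else None
        except ValueError:
            ip = None  # e.g. an IP address cut short in the log
        if ip is None:
            rejected.append(line)  # keep for manual review, do not guess
            continue
        entry = stats[f"{m['local']}@{m['domain']}".lower()]
        entry["ips"].add(ip)
        entry["lists"].add(m["list"])
        entry["requests"] += 1
    return dict(stats), rejected

def suspicious(stats, min_ips=3, min_lists=2):
    """Addresses requested from many IPs across several lists (assumed thresholds)."""
    return sorted(addr for addr, s in stats.items()
                  if len(s["ips"]) >= min_ips and len(s["lists"]) >= min_lists)

if __name__ == "__main__":
    stats, rejected = summarize(SAMPLE_LOG)
    print(suspicious(stats), "unparsed lines:", len(rejected))
```

Lines that do not parse, including ones with an incomplete IP, are returned separately so they can be checked by hand rather than silently dropped.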