[Mailman-Users] Subscription Form Spam -- It continues . . .

Stephen J. Turnbull stephen at xemacs.org
Thu Oct 8 06:42:07 CEST 2015


Mark Sapiro writes:

 > > 3. Use the Spamhaus DROP and EDROP lists in your firewall and drop
 > > *all* inbound traffic from and *all* outbound traffic to those ranges.
 > > This achieves lossless compression.  (This should be done whether you
 > > do 1 or 2 or neither.  It's basic network self-defense.)
 > > 
 > > and/or
 > 
 > Except these come from botnets and the IPs are all over the world.

I wonder how effective the Spamhaus XBL (eXploited host Black List)
would be at this.  I wouldn't use it unless I were experiencing the
attack, though.

 > It's hard to see why they continue to hammer us,

Good question.

By the way, I'm not seeing the '.*\+\d{5,}@gmail\.com' subscribes at
XEmacs, but I am seeing this (curiously not for XEmacs itself, but for
LUG lists our host also serves):

Oct 04 yhslug: pending info at firstlast.com  195.228.45.176
Oct 04 shenlug: pending nick.last at gmail.com  173.254.216.68
Oct 04 fredlug: pending nick.last at gmail.com  209.133.66.214
Oct 04 bbh: pending nick.last at gmail.com  195.154.209.57
Oct 04 bod: pending nick.last at gmail.com  195.154.209.57
Oct 04 ma-linux: pending nick.last at gmail.com  162.247.72.
Oct 04 yhslug: pending nick.last at gmail.com  162.247.72.7
Oct 04 ma-jobs: pending nick.last at gmail.com  81.89.96.88
Oct 04 fredlug: pending nick.last at gmail.com  192.151.154.142
Oct 04 ma-linux: pending nick.last at gmail.com  195.154.191.67
Oct 04 yhslug: pending nick.last at gmail.com  195.154.191.67
Oct 05 mailman: pending info at firstlast.com  5.9.36.66
Oct 05 ma-jobs: pending info at firstlast.com  5.9.36.66
Oct 05 shenlug: pending info at firstlast.com  5.9.36.66
Oct 05 xlock-announce: pending info at firstlast.com  5.9.36.66
Oct 05 ma-linux: pending info at firstlast.com  213.61.149.100
Oct 05 yhslug: pending info at firstlast.com  213.61.149.100
Oct 05 xlock-develop: pending nick.last at gmail.com  107.181.174.84
Oct 05 ma-jobs: pending nick.last at gmail.com  107.181.174.84
Oct 05 shenlug: pending nick.last at gmail.com  107.181.174.84
Oct 05 ma-linux: pending info at firstlast.com  185.101.107.189
Oct 05 yhslug: pending info at firstlast.com  185.101.107.189
Oct 06 fredlug: pending nick.last at gmail.com  62.210.105.116
Oct 06 shenlug: pending info at firstlast.com  37.130.227.133
Oct 06 mailman: pending nick.last at gmail.com  37.187.7.74
Oct 06 yhslug: pending info at firstlast.com  37.187.7.74
Oct 06 shenlug: pending nick.last at gmail.com  37.187.7.74
Oct 06 ma-linux: pending nick.last at gmail.com  69.162.139.9
Oct 06 yhslug: pending nick.last at gmail.com  69.162.139.9
Oct 07 shenlug: pending info at firstlast.com  171.25.193.131
Oct 07 bbh: pending info at firstlast.com  185.104.120.4
Oct 07 mailman: pending nick.last at gmail.com  91.219.236.222
Oct 07 ma-jobs: pending nick.last at gmail.com  91.219.236.222

(Name obfuscated to protect the probably innocent victim.)

19 different IPs -- "Nick Last" sure gets around on the Internet!
This isn't the only suspicious subscription activity on the host and
it doesn't amount to a serious DOS attack for us, but it looks like a
variation (maybe an older scheme? or just a script kiddie with only a
few bots?) on the same theme.

Just speculation, but I wonder if the bots are discovering Mailman
hosts, then going to listinfo and getting the list of lists, and then
telling the other bots in their net to subscribe (in an unintended
"Great Internet Worm" fiasco)?

Steve
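The listing above is the kind of signal a list admin can turn into a simple check: one obfuscated address requesting subscription to many lists from many distinct source IPs within a few days. The script below is an added example, not part of the original message or of Mailman itself. It parses lines in the same `Mon DD listname: pending user at domain  IP` shape as the listing, groups them by address, and flags addresses that exceed thresholds on distinct lists and distinct IPs. The sample lines, the thresholds (`min_lists`, `min_ips`) and the function names are constructed for illustration; a truncated IP, like the one in the listing, is counted as a skipped line rather than silently miscounted.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the listing above; the addresses and
# IPs are documentation/test ranges, not the real entries from the host.
SAMPLE_LOG = """\
Oct 04 yhslug: pending info at firstlast.com  198.51.100.10
Oct 04 shenlug: pending nick.last at gmail.com  203.0.113.5
Oct 04 fredlug: pending nick.last at gmail.com  203.0.113.77
Oct 04 ma-linux: pending nick.last at gmail.com  203.0.113.
Oct 05 mailman: pending nick.last at gmail.com  198.51.100.200
Oct 05 ma-jobs: pending nick.last at gmail.com  198.51.100.200
Oct 05 yhslug: pending nick.last at gmail.com  192.0.2.44
Oct 06 bbh: pending alice at example.org  192.0.2.9
Oct 06 ma-linux: pending nick.last at gmail.com  203.0.113.88
"""

# One line of the listing: date, list name, obfuscated address, source IP.
LINE_RE = re.compile(
    r"^(?P<date>[A-Z][a-z]{2} \d{2}) (?P<list>[\w-]+): pending "
    r"(?P<addr>\S+ at \S+)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})$"
)


def parse_line(line):
    """Return the fields of a well-formed line, or None for anything else
    (including lines whose IP was cut short, as in the listing)."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def summarize(log_text):
    """Group pending subscriptions by address: which lists and which source
    IPs each address has touched. Returns (summary, number_of_skipped_lines)."""
    summary = defaultdict(lambda: {"lists": set(), "ips": set()})
    skipped = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            skipped += 1
            continue
        summary[rec["addr"]]["lists"].add(rec["list"])
        summary[rec["addr"]]["ips"].add(rec["ip"])
    return dict(summary), skipped


def flag_suspicious(summary, min_lists=3, min_ips=3):
    """One address joining many lists from many distinct IPs is the pattern
    the message describes. The thresholds are assumptions; tune them to the
    host's normal subscription traffic."""
    return sorted(
        addr for addr, info in summary.items()
        if len(info["lists"]) >= min_lists and len(info["ips"]) >= min_ips
    )


def ips_for(summary, addr):
    """Distinct source IPs seen for one address, e.g. to compare against a
    block list or to count how many networks a single 'subscriber' spans."""
    return sorted(summary.get(addr, {"ips": set()})["ips"])


if __name__ == "__main__":
    summary, skipped = summarize(SAMPLE_LOG)
    for addr in flag_suspicious(summary):
        info = summary[addr]
        print(f"{addr}: {len(info['lists'])} lists from {len(info['ips'])} IPs")
    print(f"skipped {skipped} malformed line(s)")
```

Run against a real Mailman subscribe log, the same grouping answers the question raised above directly: how many distinct IPs one address is arriving from, and whether those IPs cluster in a few ranges (worth a firewall rule) or are scattered across the world (botnet-like, where address-level throttling or CAPTCHA on the listinfo form helps more than IP blocking).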

