[Mailman-Users] Subscription Form Spam -- It continues . . .

[Rich Kulawiec]

I'd be curiously to see the logs for these.  (I intend to check
them against various address range lists to see if the originating
IP addresses correlate with anything else I'm tracking.)  If they're
coming from botted hosts, then (as noted in the thread) using the XBL
or similar may help.  If they're coming from hijacked networks, then
the DROP/EDROP lists may help.  If they're coming from...well, without
analyzing the data and looking for patterns, it's hard to say what
will help.  But I'm certainly willing to put in some time scripting
and eyeballing even though the most likely outcome is nothing useful.

Mark is probably right about the addresses being forgeries, but once
in a while attacks like these turn out to be using a smattering of
real ones mixed in with the junk.  That's why I suggested running
the collation past Gmail people: they may be able to match it up
with some other activity that isn't visible out here.  (Or not.)

Question/speculation: in the SMTP world, we've found that using
things like greet_pause (which causes the SMTP server to refrain from
sending its greeting for a little bit, and thus lets us detect SMTP
clients that start sending too soon) can be pretty effective.
Does the timing of these attacks lend itself to a similar approach?
(Yes, of course clients can and will eventually adapt...but years
later, greet_pause still manages to fend off some of the attacks.)

---rsk