[Mailman-Users] Subscription Form Spam -- It continues . . .
Mark Sapiro
mark at msapiro.net
Thu Oct 8 18:44:17 CEST 2015
On 10/08/2015 07:51 AM, Rich Kulawiec wrote:
>
> I'd be curious to see the logs for these. (I intend to check
> them against various address range lists to see if the originating
> IP addresses correlate with anything else I'm tracking.)
The results from
    grep -E 'GET /mailman/listinfo|POST /mailman/subscribe' mail.python.org-ssl_access.log
are available at
<https://drive.google.com/file/d/0B6k7rjr_EKxzc2wtYWJjQ2s3V2M/view?usp=sharing>
This covers from Oct 4 to date CEST and is over 70 MB. Some of the GETs
are legitimate retrievals of listinfo pages, but most are associated
with these subscribe attempts. And, of course a few GET/POST sequences
are legitimate subscribe requests, but the vast majority are these bogus
ones.
A large number of POSTs have 401 status. These are generated by
mod-spamhaus which applies to
    MS_METHODS POST,PUT,OPTIONS,CONNECT
and uses
    MS_Dns list.blogspambl.com
> If they're
> coming from botted hosts, then (as noted in the thread) using the XBL
> or similar may help. If they're coming from hijacked networks, then
> the DROP/EDROP lists may help. If they're coming from...well, without
> analyzing the data and looking for patterns, it's hard to say what
> will help. But I'm certainly willing to put in some time scripting
> and eyeballing even though the most likely outcome is nothing useful.
Thank you. Your help will be appreciated.
--
Mark Sapiro <mark at msapiro.net> The highway is for gamblers,
San Francisco Bay Area, California better use your sense - B. Dylan
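
The per-address tally discussed in this message, as an added example that is not part of the original post or of Mailman: it selects the same requests as the grep above, counts GETs, POSTs and 401 POSTs per client, and flags clients inside a range list. The log lines, the CIDR list and the combined log format are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample lines (assumed Apache combined log format, documentation IPs).
SAMPLE_LOG = '''\
192.0.2.10 - - [05/Oct/2015:10:00:01 +0200] "GET /mailman/listinfo/example-list HTTP/1.1" 200 7421 "-" "Mozilla/5.0"
192.0.2.10 - - [05/Oct/2015:10:00:02 +0200] "POST /mailman/subscribe/example-list HTTP/1.1" 200 1853 "-" "Mozilla/5.0"
198.51.100.7 - - [05/Oct/2015:10:00:05 +0200] "GET /mailman/listinfo/example-list HTTP/1.1" 200 7421 "-" "Mozilla/5.0"
198.51.100.7 - - [05/Oct/2015:10:00:06 +0200] "POST /mailman/subscribe/example-list HTTP/1.1" 401 381 "-" "Mozilla/5.0"
198.51.100.7 - - [05/Oct/2015:10:00:09 +0200] "POST /mailman/subscribe/other-list HTTP/1.1" 401 381 "-" "Mozilla/5.0"
203.0.113.44 - - [05/Oct/2015:10:01:00 +0200] "POST /mailman/subscribe/example-list HTTP/1.1" 200 1853 "-" "Mozilla/5.0"
203.0.113.44 - - [05/Oct/2015:10:01:03 +0200] "GET /pipermail/example-list/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
'''

# Constructed stand-in for an address range list, one CIDR per entry.
SAMPLE_RANGES = ["198.51.100.0/24"]

# Same selection as the grep in the post, plus client address and status code.
LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] '
    r'"(GET /mailman/listinfo|POST /mailman/subscribe)\S* [^"]*" (\d{3}) ')

def summarize(log_text, cidrs):
    """Return {ip: counters} for listinfo GETs and subscribe POSTs."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    stats = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not one of the two request types
        ip, request, status = m.groups()
        kind = "get" if request.startswith("GET") else "post"
        stats[ip][kind] += 1
        if kind == "post" and status == "401":
            stats[ip]["post_401"] += 1  # per the post, these come from mod-spamhaus
    result = {}
    for ip, c in stats.items():
        addr = ipaddress.ip_address(ip)
        result[ip] = {
            "get": c["get"], "post": c["post"], "post_401": c["post_401"],
            "listed": any(addr in n for n in nets),
        }
    return result

if __name__ == "__main__":
    rows = summarize(SAMPLE_LOG, SAMPLE_RANGES)
    for ip, r in sorted(rows.items(), key=lambda kv: -kv[1]["post"]):
        print(ip, r)
```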