[Mailman-Users] Spam to "-request" address generating backscatter spam

Mark Sapiro mark at msapiro.net
Tue Dec 13 12:35:38 EST 2016


On 12/12/2016 03:07 PM, Edward Hasbrouck wrote:
> 
> How can I stop this? I am willing to give up "subscribe to this list by 
> e-mail", and require all subscriptions to be via the Web. 


Steve has answered most of this. I just want to add a couple of things.
With respect to web subscribes, several sites including python.org have
seen mail bomb attacks via the web subscribe interface.

These are subscribes via the web UI by distributed bots that are "smart"
enough to GET the form and delay tens of seconds before POSTing it. The
most recent attacks have been multiple subscribes to multiple lists of
some gmail.com address with various permutations of dots (ignored by
gmail) interspersed in the local part. The most recent attack on
mail.python.org subscribed addresses that matched

  '^.*s\.*u\.*n\.*i\.*b\.*e\.*e\.*s\.*t\.*a\.*r\.*s.*@gmail\.com'

During the first 17 hours (before I noticed it in the daily status
report) there were 7896 pending subscribes waiting user confirmation and
417 held subscriptions waiting moderator approval (There is a script at
<https://www.msapiro.net/scripts/erase> to remove these).

At that point I added the above pattern to the GLOBAL_BAN_LIST (recently
implemented because of attacks like this). During the next 30+ hours
until the attacks stopped there were 4631 banned subscription attempts.

The banned attempts and held subscriptions don't send emails, but there
were still almost 8000 email confirmation requests sent to the gmail
address.

The bottom line here is that web subscribes are also vulnerable to
exploitation.


> I would still prefer to have e-mail confirmation of new subscriptions, but 
> I don't think that would cause as much of a backscatter problem: The 
> "-request" address can be harvested from the public Web, but the 
> "-confirm" address would be much less likely to do so.
> 
> But if it is simpler to implement, it would be OK to require new 
> subscriptions to be confirmed through the Web interface.


The whole point of confirmation is to verify that the entity generating
the subscribe request can actually receive and comprehend an email
message sent to that address, i.e. is the actual user whose address that
is. I don't see how that can be done without sending an email to the
address.

-- 
Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

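Two defensive checks this message points at, as an added example that is not from the list post or from Mailman's own code: applying a ban-list pattern like the one above to incoming subscribe addresses (assumed here to be matched with `re.match`, case-insensitively; that matching rule is an assumption, not a statement about Mailman's implementation), and collapsing the dot permutations gmail ignores so that thousands of variant addresses show up as one target in a pending-subscription report. The function names and the sample requests are constructed for illustration.

```python
import re
from collections import Counter

# Pattern quoted in the message, written as a GLOBAL_BAN_LIST-style entry.
GLOBAL_BAN_LIST = [
    r'^.*s\.*u\.*n\.*i\.*b\.*e\.*e\.*s\.*t\.*a\.*r\.*s.*@gmail\.com',
]


def is_banned(addr, ban_list=GLOBAL_BAN_LIST):
    """True if any ban pattern matches the address.

    Assumption: patterns are applied with re.match, case-insensitively.
    """
    return any(re.match(pat, addr, re.IGNORECASE) for pat in ban_list)


def canonical_gmail(addr):
    """Collapse the dot permutations gmail ignores (and a '+tag' suffix) so
    that every variant of one mailbox maps to the same key. Other domains
    are only lowercased; an address without '@' is returned lowercased."""
    addr = addr.lower()
    if '@' not in addr:
        return addr
    local, _, domain = addr.rpartition('@')
    if domain in ('gmail.com', 'googlemail.com'):
        local = local.split('+', 1)[0].replace('.', '')
    return f'{local}@{domain}'


def find_mail_bomb_targets(requests, threshold):
    """Given (list, address) subscribe requests, return the canonical
    addresses that account for more than `threshold` requests in total.
    One mailbox spread over many lists and dot variants is the signature
    of the attack described in the message."""
    counts = Counter(canonical_gmail(addr) for _list, addr in requests)
    return {addr: n for addr, n in counts.items() if n > threshold}


# Constructed sample of pending subscribe requests; not real data.
SAMPLE_REQUESTS = [
    ('list-a', 's.uni.bee.stars@gmail.com'),
    ('list-b', 'su.nibee.st.ars@gmail.com'),
    ('list-c', 'sunibeestars@gmail.com'),
    ('list-a', 'xxsunibeestars123@gmail.com'),
    ('list-a', 'alice@example.org'),
    ('list-b', 'bob.smith@gmail.com'),
]

if __name__ == '__main__':
    print(find_mail_bomb_targets(SAMPLE_REQUESTS, 2))
    print([a for _, a in SAMPLE_REQUESTS if is_banned(a)])
```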