[Mailman-Users] Spam to "-request" address generating backscatter spam

Jim Popovitch jimpop at gmail.com
Thu Dec 22 19:05:34 EST 2016


On Thu, Dec 22, 2016 at 6:55 PM, Mark Sapiro <mark at msapiro.net> wrote:
> On 12/22/2016 03:38 PM, Jim Popovitch wrote:
>>
>> I'm seeing GET attempts like this:
>>
>> 77.247.181.165 - - [22/Dec/2016:23:30:10 +0000] "GET
>> /subscribe/users?sub_form_token=1527449307%3A44440ca6e66379d0e6e9c45b66d93d5864da4621&email=jconno2215%40gmail.com&fullname=585c61c234d98&pw=&pw-conf=&digest=1&email-button=jconno2215%40gmail.com&language=en&?sub_form_token=1527449307%3A44440ca6e66379d0e6e9c45b66d93d5864da4621&email=jconno2215%40gmail.com&fullname=585c61c234d98&pw=&pw-conf=&digest=1&email-button=jconno2215%40gmail.com&language=en&&sub_form_token=1527449307%3A44440ca6e66379d0e6e9c45b66d93d5864da4621&email=jconno2215%40gmail.com&fullname=585c61c234d98&pw=&pw-conf=&digest=1&email-button=jconno2215%40gmail.com&language=en&
>> HTTP/1.1" 404 162 "http://netcoolusers.org/" "Mozilla/5.0 (Windows NT
>> 5.1; rv:7.0.1) Gecko/20100101 Firefox/7.0.1"
>
>
> OK. I see how limiting the subscribe CGI to POST requests would stop
> these, but I haven't seen any attacks like this. In the ones I've seen,
> the bot GETs the form via listinfo and then delays and POSTs to
> subscribe as described in the part of my post in this thread you didn't
> quote.

Just to be clear, the bots are doing a GET of the listinfo page,
extracting the token, and then (mis)forming the GET URL like this:

89.32.127.178 - - [22/Dec/2016:23:53:29 +0000] "GET
/mailman/listinfo/users HTTP/1.1" 200 2866 "-" "Mozilla/5.0 (Windows
NT 5.1; rv:7.0.1) Gecko/20100101 Firefox/7.0.1"
89.32.127.178 - - [22/Dec/2016:23:53:32 +0000] "GET
/subscribe/users?sub_form_token=2351250719%3A8d5271a8d26c4cdd37040d7a7f37efb977e93d07&email=candice.cheng%40gmail.com&fullname=585c673c4eaac&pw=&pw-conf=&digest=1&email-button=candice.cheng%40gmail.com&language=en&?sub_form_token=2351250719%3A8d5271a8d26c4cdd37040d7a7f37efb977e93d07&email=candice.cheng%40gmail.com&fullname=585c673c4eaac&pw=&pw-conf=&digest=1&email-button=candice.cheng%40gmail.com&language=en&&sub_form_token=2351250719%3A8d5271a8d26c4cdd37040d7a7f37efb977e93d07&email=candice.cheng%40gmail.com&fullname=585c673c4eaac&pw=&pw-conf=&digest=1&email-button=candice.cheng%40gmail.com&language=en&
HTTP/1.1" 404 162 "http://netcoolusers.org/" "Mozilla/5.0 (Windows NT
5.1; rv:7.0.1) Gecko/20100101 Firefox/7.0.1"

I suspect the bot is requesting ../subscribe and that nginx is just
stripping the leading dots off the request (totally not sure about this
though).

-Jim P.


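As an added illustration for the sequence described in this thread (a GET of the listinfo page followed seconds later by a GET to subscribe that carries the form fields and a duplicated sub_form_token query string), here is a small log checker that is not part of the thread or of Mailman itself. It assumes combined-format access logs with the URL layouts shown above (/mailman/listinfo/<list> and /subscribe/<list>, with or without the /mailman prefix); the sample lines are constructed and use documentation-range addresses, not the IPs from the thread.

```python
import re
from datetime import datetime
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines (not real traffic), modelled on the pattern in the
# thread: listinfo GET, then a GET to subscribe carrying form fields with the
# query string repeated. A normal form POST and a lone listinfo GET are
# included so the checker has something it should NOT flag.
SAMPLE_LOG = """\
192.0.2.10 - - [22/Dec/2016:23:53:29 +0000] "GET /mailman/listinfo/users HTTP/1.1" 200 2866 "-" "Mozilla/5.0"
192.0.2.10 - - [22/Dec/2016:23:53:32 +0000] "GET /subscribe/users?sub_form_token=1%3Aabc&email=x%40example.com&fullname=585c&digest=1&language=en&?sub_form_token=1%3Aabc&email=x%40example.com HTTP/1.1" 404 162 "-" "Mozilla/5.0"
198.51.100.7 - - [22/Dec/2016:23:55:01 +0000] "GET /mailman/listinfo/users HTTP/1.1" 200 2866 "-" "Mozilla/5.0"
198.51.100.7 - - [22/Dec/2016:23:55:40 +0000] "POST /mailman/subscribe/users HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
203.0.113.5 - - [22/Dec/2016:23:56:00 +0000] "GET /mailman/listinfo/users HTTP/1.1" 200 2866 "-" "Mozilla/5.0"
"""

# Combined log format: client, identd, user, [timestamp], "METHOD target proto", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
LISTINFO_RE = re.compile(r"^(?:/mailman)?/listinfo/(?P<list>[^/?]+)")
SUBSCRIBE_RE = re.compile(r"^(?:/mailman)?/subscribe/(?P<list>[^/?]+)")


def parse_line(line):
    """Split one combined-format log line into its request fields, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "method": m.group("method"),
        "path": parts.path,
        "query": parts.query,
        "status": int(m.group("status")),
    }


def find_get_subscribes(log_text):
    """Return one finding per subscribe request that submits the form via GET.

    The real subscribe form is POSTed, so a GET whose query string carries
    sub_form_token is a scripted submission. Each finding also records how
    long after the same client's last listinfo fetch for that list it came,
    and how many copies of sub_form_token the query string contains.
    """
    last_listinfo = {}   # (ip, list) -> timestamp of most recent listinfo GET
    findings = []
    for line in log_text.splitlines():
        req = parse_line(line)
        if req is None:
            continue
        m = LISTINFO_RE.match(req["path"])
        if m and req["method"] == "GET":
            last_listinfo[(req["ip"], m.group("list"))] = req["ts"]
            continue
        m = SUBSCRIBE_RE.match(req["path"])
        if not m:
            continue
        fields = parse_qs(req["query"])
        if req["method"] != "GET" or "sub_form_token" not in fields:
            continue
        listname = m.group("list")
        seen = last_listinfo.get((req["ip"], listname))
        delta = (req["ts"] - seen).total_seconds() if seen else None
        findings.append({
            "ip": req["ip"],
            "list": listname,
            "status": req["status"],
            "seconds_after_listinfo": delta,
            "token_copies": req["query"].count("sub_form_token="),
            "email": fields.get("email", [""])[0],
        })
    return findings


if __name__ == "__main__":
    for f in find_get_subscribes(SAMPLE_LOG):
        print(f)
```

On the sample, only the 192.0.2.10 pair is reported: a GET to /subscribe/users three seconds after its listinfo fetch, with the token repeated twice in the query string. The POST from 198.51.100.7 is the shape a real browser submission takes and is left alone, which is also why restricting the subscribe CGI to POST (as discussed above) would stop this particular variant while leaving normal sign-ups working.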