[Mailman-Users] Spam to "-request" address generating backscatter spam

[Mark Sapiro]

On 12/22/2016 04:05 PM, Jim Popovitch wrote:
> 
> Just to be clear, the bots are doing a GET of the listinfo page,
> extracting the token, and then (mis)forming the GET URL like this:
> 
> 89.32.127.178 - - [22/Dec/2016:23:53:29 +0000] "GET
> /mailman/listinfo/users HTTP/1.1" 200 2866 "-" "Mozilla/5.0 (Windows
> NT 5.1; rv:7.0.1) Gecko/20100101 Firefox/7.0.1"
> 89.32.127.178 - - [22/Dec/2016:23:53:32 +0000] "GET
> /subscribe/users?sub_form_token=2351250719%3A8d5271a8d26c4cdd37040d7a7f37efb977e93d07&email=candice.cheng%40gmail.com&fullname=585c673c4eaac&pw=&pw-conf=&digest=1&email-button=candice.cheng%40gmail.com&language=en&?sub_form_token=2351250719%3A8d5271a8d26c4cdd37040d7a7f37efb977e93d07&email=candice.cheng%40gmail.com&fullname=585c673c4eaac&pw=&pw-conf=&digest=1&email-button=candice.cheng%40gmail.com&language=en&&sub_form_token=2351250719%3A8d5271a8d26c4cdd37040d7a7f37efb977e93d07&email=candice.cheng%40gmail.com&fullname=585c673c4eaac&pw=&pw-conf=&digest=1&email-button=candice.cheng%40gmail.com&language=en&
> HTTP/1.1" 404 162 "http://netcoolusers.org/" "Mozilla/5.0 (Windows NT
> 5.1; rv:7.0.1) Gecko/20100101 Firefox/7.0.1"
> 
> I suspect, the bot is requesting ../subscribe and that nginx is just
> striping the leading dots off the request (totally not sure about this
> though).


I suspect that's correct. The bottom line however is that there are
already botnets out there that are smart enough the do the right things
to get past the checks of GETting the form first with the hidden token
and delaying sufficiently before POSTing to the right URL.

I can see that if your attackers get smarter, the real name check could
be useful, but I'm not ready to add that as a feature. That could change
if they successfully attack me, but that hasn't happened yet.

-- 
Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan