[Mailman-Users] Distributed mass subscribe attack?

David Gibbs david at midrange.com
Thu Aug 17 16:39:47 EDT 2017


On 8/8/2017 12:22 PM, David Gibbs wrote:
> Anyone else noticing a distributed mass subscribe attack going on
> their lists?
>
> I've noticed a massive number of attempts involving a small subset of email
> addresses, with modifiers (address+modifier at example.com), going on.
>
> It appears the address is valid ... so it appears to be some kind of
> hit job to flood someone's inbox.

FWIW: I did a bit of hacking (super simple) and think I've found a way to thwart the attempt (at least on my server).

It appears that the bot that's doing the attack first gets the subscribe form, so it can retrieve the sub_form_token value, before it does a POST to do the subscribe.

I changed the subscribe & listinfo scripts to use a different name for the sub_form_token field.  Something unique to my system.

I've seen a lot of GETs & POSTs from the hosts that were doing the attack and no subscribes logged.

david



-- 
IBM i on Power Systems: For when you can't afford to be out of business!

I'm riding a metric century (100 km / 65 miles) in the American Diabetes Association's Tour de Cure to raise money for diabetes research, education, advocacy, and awareness.  You can make a tax deductible donation to my ride by visiting http://gmane.diabetessucks.net.  My goal is $6000 but any amount is appreciated.

You can see where my donations come from by visiting my interactive donation map ... http://gmane.diabetessucks.net/map (it's a geeky thing).

I may have diabetes, but diabetes doesn't have me!
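
The pattern described in this thread (a few real addresses, many `+modifier` variants, requests spread over many hosts) can be picked out of subscription records by grouping on the base address. The following is an added example, not code from the post or from Mailman; the one-line-per-attempt input layout, the function names and the thresholds are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of subscription attempts: "<list> <address> <source IP>".
# This line layout is an assumption for the example, not Mailman's log format.
SAMPLE_ATTEMPTS = """\
list-a victim+x7f2@example.com 198.51.100.10
list-b victim+Qz91@example.com 203.0.113.44
list-a victim+aa03@example.com 192.0.2.17
list-c Victim+k2@example.com 198.51.100.99
list-a alice@example.org 192.0.2.50
list-b bob+lists@example.net 192.0.2.51
list-b bob+lists@example.net 192.0.2.51
"""

ADDR_RE = re.compile(r"^(?P<local>[^@\s]+)@(?P<domain>[^@\s]+)$")

def base_address(addr):
    """Strip a '+modifier' from the local part and lowercase the result."""
    m = ADDR_RE.match(addr.strip())
    if not m:
        return None
    local = m.group("local").split("+", 1)[0]
    return f"{local}@{m.group('domain')}".lower()

def find_targets(text, min_variants=3, min_sources=3):
    """Return {base: (variants, sources, lists)} for bases that look targeted."""
    variants, sources, lists = defaultdict(set), defaultdict(set), defaultdict(set)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        listname, addr, ip = parts
        base = base_address(addr)
        if base is None:
            continue  # not a parseable address
        variants[base].add(addr.lower())
        sources[base].add(ip)
        lists[base].add(listname)
    return {
        b: (len(variants[b]), len(sources[b]), len(lists[b]))
        for b in variants
        if len(variants[b]) >= min_variants and len(sources[b]) >= min_sources
    }

if __name__ == "__main__":
    for base, (nv, ns, nl) in find_targets(SAMPLE_ATTEMPTS).items():
        print(f"{base}: {nv} variants from {ns} hosts across {nl} lists")
```

A single user who subscribes one plus-address repeatedly from one host (the `bob+lists` lines in the sample) stays below both thresholds and is not flagged.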


