Re: [Mailman-Users] Bogus/forged subscription attempts: request for comments and possibly data
On Tue, 10 Jun 2014 11:48:49 +0900 Stephen J. Turnbull <step...@xemacs.org> wrote:
> Perry E. Metzger writes:
>
>  > BTW, I don't quite understand this. Why would splatting random
>  > addresses at you help them? Why not just pick real addresses they
>  > control? Successfully subscribing is easy, and generating seemingly
>  > random addresses won't get them subscribed since the addresses will
>  > never get a confirmation round trip.
>
> Spammers are generally greedy but not bright?

Spammers do this work full time to feed themselves. Just as you get up
in the morning and go to your office, they get up every morning and
figure out their next step to keep the money coming in -- their
families depend on it. They rarely do anything that doesn't work -- if
they do, they end up without any money coming in with which to support
themselves.

There have been significant academic studies of the market, and they
indicate that your portrayal isn't accurate.

I would presume that if you don't understand what they're doing, it
isn't because it is completely irrational, but rather because you
don't get exactly what they're attempting.

Perry
-- 
Perry E. Metzger		pe...@piermont.com
------------------------------------------------------
Mailman-Users mailing list Mailman-Users@python.org
https://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: https://mail.python.org/mailman/options/mailman-users/archive%40jab.org
Re: [Mailman-Users] Bogus/forged subscription attempts: request for comments and possibly data
Perry E. Metzger writes:

 > There have been significant academic studies of the market, and
 > they indicate that your portrayal isn't accurate.

I was incautious; smart spammers go back at least to Canter and
Siegel. What I should have written was "spammers are greedy, but many
aren't too smart."

I don't do such studies myself, but my colleagues do a lot of those
studies for various markets. What those studies invariably show is
that (1) the most profitable businesses generally are reasonably smart
-- getting to the top may have been a matter of luck but staying there
takes work and some smarts, and (2) there is usually a large fringe of
"noise traders", agents who are doing pretty random things. Some of
the latter can get big enough to be noticed before their bubbles
burst.

 > I would presume that if you don't understand what they're doing, it
 > isn't because it is completely irrational, but rather because you
 > don't get exactly what they're attempting.

That's possible. Nevertheless I suspect that there are quite a few out
there who are doing things that make sense only to themselves and will
disappear in unprofitability (although some may be deliberately
random, as in fuzzer-style software testing). Either way, though, some
spammer behavior is inexplicable and it's probably not worth trying
too hard to figure it out.

Steve
[Mailman-Users] Bogus/forged subscription attempts: request for comments and possibly data
If you (Mailman site operators) have a spare moment, please try running this:

---- cut here ----
#!/bin/sh
# Scan Mailman's logs/subscribe for pending web subscriptions whose name,
# local part and domain are all lowercase alpha strings in a .com domain.
cd /var/local/mailman/logs
egrep 'pending [a-z]+ [a-z]+@[a-z]+\.com' subscribe \
	| egrep -v '@gmail.com' \
	| egrep -v '@hotmail.com' \
	| egrep -v '@msn.com' \
	| egrep -v '@aol.com' \
	| egrep -v '@yahoo.com' \
	| sed -e 's/(.*pending//'
---- cut here ----

This is a first-cut, mildly sloppy script that will try to match some
patterns of interest that I've noticed in my subscribe log and that
might be in yours. The egrep clauses are in there to throw away data
not of interest; the sed snips off the mailing list name and some other
irrelevancies.

Here is what the last 10 lines of its output look like on my system:

Jun 06 00:14:32 2014 ehkfioxlkrr yuj...@zwdxgc.com 62.210.226.131
Jun 06 13:23:16 2014 norchmecn yuj...@zdddmk.com 86.51.26.20
Jun 07 02:06:20 2014 eljult qbp...@wabtdh.com 86.51.26.11
Jun 07 13:21:20 2014 dvlevbpj drk...@nlcvek.com 210.14.138.102
Jun 07 15:41:10 2014 sdbdelkv mtp...@ghazhc.com 86.51.26.18
Jun 07 16:17:10 2014 yqrebrgipo ubn...@cgtnki.com 86.51.26.20
Jun 08 06:37:12 2014 cihjwn sou...@bprryw.com 202.143.148.58
Jun 08 06:55:47 2014 ehxvwgrboo iou...@mnaisa.com 86.51.26.21
Jun 08 23:47:58 2014 qqpluym jpb...@qkvfdi.com 190.14.219.166
Jun 09 16:44:15 2014 mloepuj fig...@jjxlcu.com 172.245.142.194

This is forged gibberish, of course. The user "real name" is always a
lowercase alpha string. The email address is also, both LHS and RHS,
and the TLD is always .com. (Hence the regexp in the first egrep.)

I'm curious. First, is anybody else seeing these? Second, does anyone
have a theory as to their purpose? And third, is there any value in
combining data to see if patterns emerge? (I have some privacy
concerns about that last one, since real email addresses might leak
through, so I suspect if we decided to do that, it would be best to
remove everything but the timestamp and IP address. I doubt the
gibberish has any real explanatory value anyway.)

---rsk
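A Python equivalent of the egrep pipeline above, added here as an example and not part of the post: it applies the same all-lowercase-alpha / .com heuristic to Mailman subscribe log lines, counts hits per source IP, and keeps only timestamp and IP for any data sharing, as the privacy remark suggests. The log line layout (with or without angle brackets around the address) and the sample lines are assumptions constructed for the example.

```python
import re
from collections import Counter

# Assumed Mailman 2.1 logs/subscribe layout (an assumption, not taken from the
# thread): "Mon DD HH:MM:SS YYYY (pid) list: pending NAME ADDR IP", with the
# address accepted with or without angle brackets.
LOG_RE = re.compile(
    r'^(?P<ts>\w{3} \d\d \d\d:\d\d:\d\d \d{4}) \(\d+\) (?P<list>\S+): '
    r'pending (?P<name>.*?) <?(?P<local>[^@\s>]+)@(?P<domain>[^\s>]+)>? (?P<ip>\S+)$')

# Same heuristic as the egrep pipeline: all-lowercase alpha real name, local
# part and domain label, .com TLD, and not one of the big webmail providers
# (those are excluded from the scan rather than treated as forged).
WEBMAIL = {'gmail.com', 'hotmail.com', 'msn.com', 'aol.com', 'yahoo.com'}
ALPHA = re.compile(r'^[a-z]+$')

def looks_forged(name, local, domain):
    label, _, tld = domain.rpartition('.')
    return (tld == 'com' and domain not in WEBMAIL
            and all(ALPHA.match(s) for s in (name, local, label)))

def scan(lines):
    """Return (hits per source IP, shareable records) for forged-looking
    attempts. Shareable records keep only timestamp and IP, so combined data
    cannot leak a real subscriber's name or address."""
    by_ip = Counter()
    shareable = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m and looks_forged(m['name'], m['local'], m['domain']):
            by_ip[m['ip']] += 1
            shareable.append((m['ts'], m['ip']))
    return by_ip, shareable

# Constructed sample lines in the assumed layout (not the thread's own logs).
SAMPLE = """\
Jun 06 00:14:32 2014 (4123) mylist: pending ehkfioxlkrr yujabc@zwdxgc.com 62.210.226.131
Jun 06 13:23:16 2014 (4123) mylist: pending norchmecn <styxyz@zdddmk.com> 86.51.26.20
Jun 07 02:06:20 2014 (4123) mylist: pending eljult qbpabc@wabtdh.com 86.51.26.11
Jun 07 09:00:00 2014 (4123) mylist: pending Jane Doe jane.doe@example.org 192.0.2.10
Jun 07 10:30:00 2014 (4123) mylist: pending bob bob@gmail.com 192.0.2.11
""".splitlines()

if __name__ == '__main__':
    hits, records = scan(SAMPLE)
    for ip, n in hits.most_common():
        print(f'{ip:16} {n}')
```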
Re: [Mailman-Users] Bogus/forged subscription attempts: request for comments and possibly data
On 06/09/2014 04:11 PM, Rich Kulawiec wrote:
> This is a first-cut, mildly sloppy script that will try to match some
> patterns of interest that I've noticed in my subscribe log and that
> might be in yours.
...
> Here is what the last 10 lines of its output look like on my system:
>
> Jun 06 00:14:32 2014 ehkfioxlkrr yuj...@zwdxgc.com 62.210.226.131
> Jun 06 13:23:16 2014 norchmecn sty...@zdddmk.com 86.51.26.20
> Jun 07 02:06:20 2014 eljult qbp...@wabtdh.com 86.51.26.11
> Jun 07 13:21:20 2014 dvlevbpj drk...@nlcvek.com 210.14.138.102
> Jun 07 15:41:10 2014 sdbdelkv mtp...@ghazhc.com 86.51.26.18
> Jun 07 16:17:10 2014 yqrebrgipo ubn...@cgtnki.com 86.51.26.20
> Jun 08 06:37:12 2014 cihjwn sou...@bprryw.com 202.143.148.58
> Jun 08 06:55:47 2014 ehxvwgrboo iou...@mnaisa.com 86.51.26.21
> Jun 08 23:47:58 2014 qqpluym jpb...@qkvfdi.com 190.14.219.166
> Jun 09 16:44:15 2014 mloepuj fig...@jjxlcu.com 172.245.142.194
>
> This is forged gibberish, of course.
...
> I'm curious. First, is anybody else seeing these?

Some people are.

> Second, does anyone have a theory as to their purpose?

They are spammers attempting to subscribe to your list(s) via POSTs to
the web subscribe CGI. Presumably if they successfully subscribe, they
will then spam the list.

If you have Mailman 2.1.16 or later, you can mitigate this by setting

SUBSCRIBE_FORM_SECRET = 'Some site specific string'

in mm_cfg.py. See https://bugs.launchpad.net/mailman/+bug/1082746.

This is from the NEWS file:

  - There is a new mm_cfg.py setting SUBSCRIBE_FORM_SECRET which will put
    a dynamically generated, hidden hash in the listinfo subscribe form
    and check it upon submission. Setting this will prevent automated
    processes (bots) from successfully POSTing web subscribes without
    first retrieving and parsing the form from the listinfo page. The
    form must also be submitted no later than FORM_LIFETIME nor no
    earlier than SUBSCRIBE_FORM_MIN_TIME after retrieval. Note that
    enabling this will break any static subscribe forms on your site.
    See the description in Defaults.py for more info. (LP: #1082746)

-- 
Mark Sapiro <m...@msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
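A simplified illustration of the hidden-hash check described above, added here as an example; it is not Mailman's own code (Mailman's actual token construction differs), and the HMAC-SHA256 token layout, the inputs bound into the hash (list name and client IP) and the two time windows are assumptions made for this example. It shows why a bot that POSTs without first fetching the form, or that replays a stale form, is rejected.

```python
import hashlib
import hmac
import time

# Assumed values for this illustration; in Mailman these would be set in
# mm_cfg.py / Defaults.py. The windows here are not claimed to be Mailman's.
SUBSCRIBE_FORM_SECRET = 'Some site specific string'
FORM_LIFETIME = 24 * 60 * 60      # seconds: submit no later than this
SUBSCRIBE_FORM_MIN_TIME = 5       # seconds: submit no earlier than this

def _mac(issued, listname, remote_ip):
    # Bind the token to when it was issued, which list, and who fetched it.
    msg = f'{issued}:{listname}:{remote_ip}'.encode()
    return hmac.new(SUBSCRIBE_FORM_SECRET.encode(), msg, hashlib.sha256).hexdigest()

def make_form_token(listname, remote_ip, now=None):
    """Value for the hidden field emitted when the listinfo form is rendered."""
    issued = int(now if now is not None else time.time())
    return f'{issued}:{_mac(issued, listname, remote_ip)}'

def check_form_token(token, listname, remote_ip, now=None):
    """Return (ok, reason) for a submitted token. A bot that never fetched
    the form has no valid signature; a replayed or too-fast submission
    fails the lifetime / minimum-time checks."""
    now = now if now is not None else time.time()
    try:
        issued_s, mac = token.split(':', 1)
        issued = int(issued_s)
    except (ValueError, AttributeError):
        return False, 'malformed token'
    if not hmac.compare_digest(mac, _mac(issued, listname, remote_ip)):
        return False, 'bad signature'
    age = now - issued
    if age < SUBSCRIBE_FORM_MIN_TIME:
        return False, 'submitted too fast'
    if age > FORM_LIFETIME:
        return False, 'form expired'
    return True, 'ok'

if __name__ == '__main__':
    tok = make_form_token('mylist', '192.0.2.10', now=1000)
    print(check_form_token(tok, 'mylist', '192.0.2.10', now=1010))
```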
Re: [Mailman-Users] Bogus/forged subscription attempts: request for comments and possibly data
On Mon, 09 Jun 2014 17:01:19 -0700 Mark Sapiro <m...@msapiro.net> wrote:
> They are spammers attempting to subscribe to your list(s) via POSTs
> to the web subscribe CGI. Presumably if they successfully subscribe,
> they will then spam the list.
>
> If you have Mailman 2.1.16 or later, you can mitigate this by setting
>
> SUBSCRIBE_FORM_SECRET = 'Some site specific string'

Another option might be using fail2ban. Almost all of my attackers
come from the same few addresses in Vietnam. A few black hole routes
and they were history. I haven't bothered with fail2ban yet, but it
probably is a reasonable option.

(Mine all have ALLCAPS@ addresses.)

Perry
-- 
Perry E. Metzger		pe...@piermont.com
Re: [Mailman-Users] Bogus/forged subscription attempts: request for comments and possibly data
On Mon, 09 Jun 2014 17:01:19 -0700 Mark Sapiro <m...@msapiro.net> wrote:
> They are spammers attempting to subscribe to your list(s) via POSTs
> to the web subscribe CGI. Presumably if they successfully subscribe,
> they will then spam the list.

BTW, I don't quite understand this. Why would splatting random
addresses at you help them? Why not just pick real addresses they
control? Successfully subscribing is easy, and generating seemingly
random addresses won't get them subscribed since the addresses will
never get a confirmation round trip.

Perry
-- 
Perry E. Metzger		pe...@piermont.com
Re: [Mailman-Users] Bogus/forged subscription attempts: request for comments and possibly data
Who said spamming has to be logical? I once read that spammers often
use outdated, stolen, spamming software that spams in ways that were
obsolete years ago.

Peter Shute

-----Original Message-----
From: Mailman-Users [mailto:mailman-users-bounces+pshute=nuw.org...@python.org] On Behalf Of Perry E. Metzger
Sent: Tuesday, 10 June 2014 11:49 AM
To: Mark Sapiro
Cc: mailman-users@python.org
Subject: Re: [Mailman-Users] Bogus/forged subscription attempts: request for comments and possibly data

On Mon, 09 Jun 2014 17:01:19 -0700 Mark Sapiro <m...@msapiro.net> wrote:
> They are spammers attempting to subscribe to your list(s) via POSTs
> to the web subscribe CGI. Presumably if they successfully subscribe,
> they will then spam the list.

BTW, I don't quite understand this. Why would splatting random
addresses at you help them? Why not just pick real addresses they
control? Successfully subscribing is easy, and generating seemingly
random addresses won't get them subscribed since the addresses will
never get a confirmation round trip.

Perry
-- 
Perry E. Metzger		pe...@piermont.com
Re: [Mailman-Users] Bogus/forged subscription attempts: request for comments and possibly data
Perry E. Metzger writes:

 > BTW, I don't quite understand this. Why would splatting random
 > addresses at you help them? Why not just pick real addresses they
 > control? Successfully subscribing is easy, and generating seemingly
 > random addresses won't get them subscribed since the addresses will
 > never get a confirmation round trip.

Spammers are generally greedy but not bright?

BTW, to answer Rich's question, yes, I'm seeing them too, in the
all-lowercase form, on some but not all lists. I'm not sure why they
pick the lists they do.
Re: [Mailman-Users] Bogus/forged subscription attempts: request for comments and possibly data
At Mon, 9 Jun 2014 21:48:38 -0400 Perry E. Metzger <pe...@piermont.com> wrote:
> On Mon, 09 Jun 2014 17:01:19 -0700 Mark Sapiro <m...@msapiro.net> wrote:
> > They are spammers attempting to subscribe to your list(s) via POSTs
> > to the web subscribe CGI. Presumably if they successfully subscribe,
> > they will then spam the list.
>
> BTW, I don't quite understand this. Why would splatting random
> addresses at you help them? Why not just pick real addresses they
> control? Successfully subscribing is easy, and generating seemingly
> random addresses won't get them subscribed since the addresses will
> never get a confirmation round trip.

It depends. Some 'spammers' use scripts that seek out <form ...
method=post ..> tags and then issue POST requests to the action=
attribute. In some cases this results in 'posting' content of some
sort to web sites (eg comment / forum spam). Or it generates E-Mails
to someone who might respond to the content. In other cases it is a
form of denial of service attack, overwhelming the server. In some
cases, it is totally 'mindless', eg generated data using field names
as a guide as to what to generate: such as random E-Mail addresses for
a field with a name like 'email', and so on.

> Perry

-- 
Robert Heller             -- 978-544-6933 / hel...@deepsoft.com
Deepwoods Software        -- http://www.deepsoft.com/
()  ascii ribbon campaign -- against html e-mail
/\  www.asciiribbon.org   -- against proprietary attachments