[Mailman-Users] Re: Web requests with garbage at the end of the list name
On 8/18/21 1:15 PM, David Gibbs via Mailman-Users wrote:
> Folks:
>
> Is anyone else seeing requests to their mailman install that look
> something like this:
>
> Aug 18 15:10:16 2021 (31166) Hostile listname:
> listname=midrange-l__;!!NVq9dfhzMyHqTw!wLl-dt8zxsuQuoyojs-UYmT_d65WZroClHaYGfHduJ561eT0B7baTQV1ogZzQKRRsw$:
> remote=52.34.76.65
>
> Basically, the list name is correct, but the added "__;!NV..." makes
> it invalid.

A web request for a list with name
'midrange-l__;!!NVq9dfhzMyHqTw!wLl-dt8zxsuQuoyojs-UYmT_d65WZroClHaYGfHduJ561eT0B7baTQV1ogZzQKRRsw$'
was received from IP 52.34.76.65. I.e., something like
http://example.com/mailman/listinfo/midrange-l__;!!NVq9dfhzMyHqTw!wLl-dt8zxsuQuoyojs-UYmT_d65WZroClHaYGfHduJ561eT0B7baTQV1ogZzQKRRsw$

The listname is considered hostile because it contains characters not in the set mm_cfg.ACCEPTABLE_LISTNAME_CHARACTERS (default [-+_.=a-z0-9]).

This is not usually anything of concern. Brain dead web crawlers do things like this all the time. Check your web server logs for more info.

--
Mark Sapiro                            The highway is for gamblers,
San Francisco Bay Area, California     better use your sense - B. Dylan

--
Mailman-Users mailing list -- mailman-users@python.org
To unsubscribe send an email to mailman-users-le...@python.org
https://mail.python.org/mailman3/lists/mailman-users.python.org/
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: https://www.mail-archive.com/mailman-users@python.org/
https://mail.python.org/archives/list/mailman-users@python.org/
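A triage sketch for the log entries discussed in this thread, added here as an example and not part of any post or of Mailman's own code: it parses "Hostile listname" lines in the format quoted above and separates names that are a known list plus the `__;!!...$` tail from everything else. The tail pattern, the function names and all sample lines except the first are assumptions made for illustration.

```python
import re
from collections import Counter

# Default character set quoted in the thread (mm_cfg.ACCEPTABLE_LISTNAME_CHARACTERS).
ACCEPTABLE = re.compile(r"[-+_.=a-z0-9]+")
# Log line layout copied from the entry quoted in the thread.
LOG_LINE = re.compile(r"Hostile listname: listname=(?P<name>.*): remote=(?P<ip>\S+)$")
# Tail modelled on the thread's sample: "__;" then "!!" token "!" token "$".
# Allowing extra characters between ";" and "!!" is an assumption.
REWRITE_TAIL = re.compile(r"^(?P<base>.+?)__;[^!]*!![\w-]+![\w-]+\$$")

def classify(line, known_lists):
    """Return (verdict, name, remote_ip) for one log line, or None if it does not parse."""
    m = LOG_LINE.search(line.strip())
    if not m:
        return None
    name, ip = m["name"], m["ip"]
    tail = REWRITE_TAIL.match(name)
    # Only explain the entry away if what precedes the tail is a valid,
    # existing list name; anything else stays flagged for a closer look.
    if tail and ACCEPTABLE.fullmatch(tail["base"]) and tail["base"] in known_lists:
        return ("rewritten-link", tail["base"], ip)
    return ("unexplained", name, ip)

def summarize(lines, known_lists):
    """Count verdicts per remote address so unexplained sources stand out."""
    counts = Counter()
    for line in lines:
        result = classify(line, known_lists)
        if result:
            counts[(result[2], result[0])] += 1
    return counts

# Constructed sample: the first entry is the one from the thread; the other two
# are invented (documentation address range, made-up names).
SAMPLE = [
    "Aug 18 15:10:16 2021 (31166) Hostile listname: listname=midrange-l__;!!NVq9dfhzMyHqTw!wLl-dt8zxsuQuoyojs-UYmT_d65WZroClHaYGfHduJ561eT0B7baTQV1ogZzQKRRsw$: remote=52.34.76.65",
    "Aug 18 15:12:01 2021 (31170) Hostile listname: listname=nosuchlist__;!!AAAA!BBBB$: remote=192.0.2.10",
    "Aug 18 15:13:44 2021 (31171) Hostile listname: listname=midrange-l,archive: remote=192.0.2.11",
]

if __name__ == "__main__":
    for (ip, verdict), n in sorted(summarize(SAMPLE, {"midrange-l"}).items()):
        print(f"{ip:15} {verdict:15} {n}")
```

Entries reported as "unexplained" are the ones worth correlating with the web server access log, as the post above suggests.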
[Mailman-Users] Re: Web requests with garbage at the end of the list name
Jon Baron wrote:
>> Aug 18 15:10:16 2021 (31166) Hostile listname:
>> listname=midrange-l__;!!NVq9dfhzMyHqTw!wLl-dt8zxsuQuoyojs-UYmT_d65WZroClHaYGfHduJ561eT0B7baTQV1ogZzQKRRsw$:
>> remote=52.34.76.65
>>
>> Basically, the list name is correct, but the added "__;!NV..." makes it
>> invalid.
>
> But I don't understand what you mean by "hostile
> listname" being "correct".

"midrange-l" is a correct name of an existing list.
"midrange-l__;!!NVq9dfhzMyHqTw!wLl-dt8zxsuQuoyojs-UYmT_d65WZroClHaYGfHduJ561eT0B7baTQV1ogZzQKRRsw$" is not.

-thh
[Mailman-Users] Re: Web requests with garbage at the end of the list name
I don't understand the terms you use. So I will not comment further on this thread. "Web UI"? "Email"?

However, I did suggest using Google to find out more about Proofpoint. All the information is there. They do have a goal. Whether they achieve it, I do not know.

Jon

--
Jonathan Baron, Professor of Psychology, University of Pennsylvania
Home page: https://www.sas.upenn.edu/~baron
Founding Editor: Judgment and Decision Making (http://journal.sjdm.org)
[Mailman-Users] Re: Web requests with garbage at the end of the list name
On 8/18/21 3:36 PM, Jon Baron wrote:
> I'm pretty sure that this comes from Proofpoint's "URL Defense" system.

Ah. OK.

> But I don't understand what you mean by "hostile listname" being "correct".

The listname before the garbage is correct.

> I suggest running all messages through .procmailrc with this recipe:

The mangled list names are in the web UI, not email.

david

--
I'm riding in the American Diabetes Association's Tour de Cure to raise money for diabetes research, education, advocacy, and awareness. You can make a tax-deductible donation to my ride by visiting https://mideml.diabetessucks.net.

You can see where my donations come from by visiting my interactive donation map ... https://mideml.diabetessucks.net/map (it's a geeky thing).
[Mailman-Users] Re: Web requests with garbage at the end of the list name
On 8/18/21 11:34 PM, Stephen J. Turnbull wrote:
>> Is anyone else seeing requests to their mailman install that look
>> something like this:
>>
>> Aug 18 15:10:16 2021 (31166) Hostile listname:
>> listname=midrange-l__;!!NVq9dfhzMyHqTw!wLl-dt8zxsuQuoyojs-UYmT_d65WZroClHaYGfHduJ561eT0B7baTQV1ogZzQKRRsw$:
>> remote=52.34.76.65
>
> What log is that from? I don't recognize the format.

mischief

>> But I don't understand what you mean by "hostile
>> listname" being "correct".
>
> He means that "midrange-l" is the name of an active list at his site,
> I'm pretty sure.

Exactly correct.

> host(1) says the source of the request is AWS. :-/
>
> None of this explains why the URL is targeting David's Mailman, unless
> it's the Mailman host that is running the Proofpoint. (It's not your
> job ;-), but any further hints would be appreciated.

These requests are coming from an external source. I'm not running proofpoint.

Not much I can do about it, I guess. Good to know the source of the requests though. Not sure what proofpoint is trying to do. They are just getting errors.

Oh well. Thanks for the info guys.

david
[Mailman-Users] Re: Web requests with garbage at the end of the list name
On 08/18/21 15:15, David Gibbs via Mailman-Users wrote:

> Is anyone else seeing requests to their mailman install that look
> something like this:
>
> Aug 18 15:10:16 2021 (31166) Hostile listname:
> listname=midrange-l__;!!NVq9dfhzMyHqTw!wLl-dt8zxsuQuoyojs-UYmT_d65WZroClHaYGfHduJ561eT0B7baTQV1ogZzQKRRsw$:
> remote=52.34.76.65

What log is that from? I don't recognize the format.

Jon Baron writes:

> I'm pretty sure that this comes from Proofpoint's "URL Defense"
> system. (Google it.)

Argh.

> But I don't understand what you mean by "hostile
> listname" being "correct".

He means that "midrange-l" is the name of an active list at his site, I'm pretty sure.

> What comes before the __ is usually a URL, and there is also a __
> BEFORE the url begins. If you use a graphical mail client (like
> gmail), [and] click the url that you see, Proofpoint will check it
> to see if it is on a list of nasty sites.

host(1) says the source of the request is AWS. :-/

None of this explains why the URL is targeting David's Mailman, unless it's the Mailman host that is running the Proofpoint. (It's not your job ;-), but any further hints would be appreciated.

Steve
[Mailman-Users] Re: Web requests with garbage at the end of the list name
I'm pretty sure that this comes from Proofpoint's "URL Defense" system. (Google it.)

But I don't understand what you mean by "hostile listname" being "correct".

What comes before the __ is usually a URL, and there is also a __ BEFORE the url begins. If you use a graphical mail client (like gmail), you don't see this extra junk, but if you click the url that you see, Proofpoint will check it to see if it is on a list of nasty sites.

If you want to see the URL alone with a text client (like mutt), I suggest running all messages through .procmailrc with this recipe:

    :0 f
    | /usr/bin/sed -e "s/__/ /g"

This will replace __ with spaces, leaving the url itself standing alone.

Jon

On 08/18/21 15:15, David Gibbs via Mailman-Users wrote:
> Folks:
>
> Is anyone else seeing requests to their mailman install that look
> something like this:
>
> Aug 18 15:10:16 2021 (31166) Hostile listname:
> listname=midrange-l__;!!NVq9dfhzMyHqTw!wLl-dt8zxsuQuoyojs-UYmT_d65WZroClHaYGfHduJ561eT0B7baTQV1ogZzQKRRsw$:
> remote=52.34.76.65
>
> Basically, the list name is correct, but the added "__;!NV..." makes
> it invalid.
>
> The pattern is rather consistent ... "__;!NV" followed by a bunch of
> garbage.
>
> Thanks!
>
> David
[Mailman-Users] Re: Web requests with garbage at the end of the list name
On 8/18/2021 1:15 PM, David Gibbs via Mailman-Users wrote:
> The pattern is rather consistent ... "__;!NV" followed by a bunch of garbage.

I don't recognize the encoding, but that looks like someone is trying an SQL injection attack. I could also be wrong.

z!