Mark Sapiro writes:
> > 3. Use the Spamhaus DROP and EDROP lists in your firewall and drop
> > *all* inbound traffic from and *all* outbound traffic to those ranges.
> > This achieves lossless compression. (This should be done whether you
> > do 1 or 2 or neither. It's basic network self-defense.)
> >
> > and/or
>
> Except these come from botnets and the IPs are all over the world.

I wonder how effective the Spamhaus XBL (eXploited host Black List)
would be at this. I wouldn't use it unless I were experiencing the
attack, though.

> It's hard to see why they continue to hammer us,

Good question.

By the way, I'm not seeing the '.*\+\d{5,}@gmail\.com' subscribes at
XEmacs, but I am seeing this (curiously not for XEmacs itself, but for
LUG lists our host also serves):

Oct 04 yhslug: pending [email protected] 195.228.45.176
Oct 04 shenlug: pending [email protected] 173.254.216.68
Oct 04 fredlug: pending [email protected] 209.133.66.214
Oct 04 bbh: pending [email protected] 195.154.209.57
Oct 04 bod: pending [email protected] 195.154.209.57
Oct 04 ma-linux: pending [email protected] 162.247.72.
Oct 04 yhslug: pending [email protected] 162.247.72.7
Oct 04 ma-jobs: pending [email protected] 81.89.96.88
Oct 04 fredlug: pending [email protected] 192.151.154.142
Oct 04 ma-linux: pending [email protected] 195.154.191.67
Oct 04 yhslug: pending [email protected] 195.154.191.67
Oct 05 mailman: pending [email protected] 5.9.36.66
Oct 05 ma-jobs: pending [email protected] 5.9.36.66
Oct 05 shenlug: pending [email protected] 5.9.36.66
Oct 05 xlock-announce: pending [email protected] 5.9.36.66
Oct 05 ma-linux: pending [email protected] 213.61.149.100
Oct 05 yhslug: pending [email protected] 213.61.149.100
Oct 05 xlock-develop: pending [email protected] 107.181.174.84
Oct 05 ma-jobs: pending [email protected] 107.181.174.84
Oct 05 shenlug: pending [email protected] 107.181.174.84
Oct 05 ma-linux: pending [email protected] 185.101.107.189
Oct 05 yhslug: pending [email protected] 185.101.107.189
Oct 06 fredlug: pending [email protected] 62.210.105.116
Oct 06 shenlug: pending [email protected] 37.130.227.133
Oct 06 mailman: pending [email protected] 37.187.7.74
Oct 06 yhslug: pending [email protected] 37.187.7.74
Oct 06 shenlug: pending [email protected] 37.187.7.74
Oct 06 ma-linux: pending [email protected] 69.162.139.9
Oct 06 yhslug: pending [email protected] 69.162.139.9
Oct 07 shenlug: pending [email protected] 171.25.193.131
Oct 07 bbh: pending [email protected] 185.104.120.4
Oct 07 mailman: pending [email protected] 91.219.236.222
Oct 07 ma-jobs: pending [email protected] 91.219.236.222

(Name obfuscated to protect the probably innocent victim.)

19 different IPs -- "Nick Last" sure gets around on the Internet!

This isn't the only suspicious subscription activity on the host and
it doesn't amount to a serious DOS attack for us, but it looks like a
variation (maybe an older scheme? or just a script kiddie with only a
few bots?) on the same theme.

Just speculation, but I wonder if the bots are discovering Mailman
hosts, then going to listinfo and getting the list of lists, and then
telling the other bots in their net to subscribe (in an unintended
"Great Internet Worm" fiasco)?

Steve
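
Added example, not part of the original message or of Mailman itself: one way to flag the two patterns discussed in this thread (one address pending on several lists from many IPs, and the '.*\+\d{5,}@gmail\.com' addresses) from subscribe-log lines. The line format is assumed from the abbreviated excerpt above; the sample addresses and IPs are constructed, and the thresholds are illustrative.

```python
import re
from collections import defaultdict

# Format assumed from the excerpt in the message:
#   "Mon DD listname: pending address ip"
LINE_RE = re.compile(
    r"^(?P<date>\w{3} \d{2}) (?P<list>[\w.-]+): pending "
    r"(?P<addr>\S+@\S+) (?P<ip>\d{1,3}(?:\.\d{1,3}){3})$"
)
# Pattern quoted in the message for the Gmail "+digits" subscribes.
PLUS_RE = re.compile(r".*\+\d{5,}@gmail\.com")

def suspicious_subscribers(lines, min_ips=3, min_lists=2):
    """Return {address: [reasons]} for addresses that look like the attack."""
    ips, lists = defaultdict(set), defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip truncated or unrelated lines
        addr = m["addr"].lower()
        ips[addr].add(m["ip"])
        lists[addr].add(m["list"])
    report = {}
    for addr in ips:
        reasons = []
        # Same address pending on several lists from many source IPs.
        if len(ips[addr]) >= min_ips and len(lists[addr]) >= min_lists:
            reasons.append(f"{len(ips[addr])} IPs across {len(lists[addr])} lists")
        if PLUS_RE.fullmatch(addr):
            reasons.append("gmail +digits address")
        if reasons:
            report[addr] = reasons
    return report

# Constructed sample (documentation IP ranges, example domains).
SAMPLE = """\
Oct 04 yhslug: pending nick.last@example.com 192.0.2.10
Oct 04 shenlug: pending nick.last@example.com 198.51.100.7
Oct 05 ma-linux: pending nick.last@example.com 203.0.113.44
Oct 05 ma-linux: pending nick.last@example.com 203.0.113.
Oct 05 fredlug: pending alice@example.org 192.0.2.99
Oct 06 bbh: pending someone+1234567@gmail.com 198.51.100.23
""".splitlines()

if __name__ == "__main__":
    for addr, reasons in suspicious_subscribers(SAMPLE).items():
        print(addr, "->", "; ".join(reasons))
```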