Over the past couple of months, I've observed a series of attacks against Mailman that are likely related because they use the same tactic every time.
That tactic is to use Mailman's web interface to generate multiple subscription requests for multiple people. My guess is that the goal may be either (a) to harass those people or (b) to get the outbound subscription confirmation requests from Mailman marked as spam (in mail systems which support that function) or (c) both.

To spot this: check your subscription logs for bursts of activity -- in particular, subscription requests for the same address to multiple lists (including multiple unrelated mailing lists), and in further particular, requests that are never ACK'd, AND, in further particular, requests that originate from network space unlikely to be populated by real users.

Of course I have no way of knowing if the instance I'm looking at is the only one being targeted or whether others are seeing this as well. On that point, it might be useful for those of you reading this to extract the networks below and use "grepcidr" or a similar tool to check them against your logs. That's part of my reason for writing this. The other part is to share the lists of network allocations that I've firewalled out from ports 80 and 443; all of these participated in one or more attacks (and subsequently tried to participate in others, but were blocked). You may want to preemptively drop these into your firewall(s) IF it turns out that other Mailman instances are also being targeted.
Here they are, in three groups:

Pnvgroup:
  23.94.58.0/25       PNVGROUPLtd
  23.94.58.128/25     PNVGROUPLtd
  23.95.99.0/25       PNVGROUPLtd
  107.172.18.0/25     PNVGROUPLtd
  192.3.56.0/25       PNVGROUPLtd
  192.3.56.128/25     PNVGROUPLtd
  192.3.57.0/25       PNVGROUPLtd
  192.3.57.128/25     PNVGROUPLtd
  192.3.58.0/25       PNVGROUPLtd
  192.3.58.128/25     PNVGROUPLtd
  192.3.59.0/25       PNVGROUPLtd
  198.12.72.128/25    PNVGROUPLtd
  198.23.168.0/25     PNVGROUPLtd
  198.23.168.128/25   PNVGROUPLtd
  198.23.169.0/25     PNVGROUPLtd
  198.23.170.0/25     PNVGROUPLtd
  198.23.170.128/25   PNVGROUPLtd
  198.23.171.0/25     PNVGROUPLtd
  199.188.102.0/25    PNVGROUPLtd

Proxies-LLC:
  108.165.184.0/22    PROXIES-LLC
  108.165.188.0/22    PROXIES-LLC
  75.102.24.0/23      PROXIES-LLC
  75.102.8.0/23       PROXIES-LLC

Miscellaneous:
  91.243.92.0/24      QualityNetworkCorp
  91.243.94.0/24      QualityNetworkCorp
  103.160.101.0/24    IRT-DURABLEDNS-AP
  172.98.181.0/24     Braveway/PrivateCustomer
  172.104.17.0/24     Linode (this is just a chunk of the network)
  194.26.135.0/24     ChangWayTechnologiesCoLimited
  194.33.191.0/25     VirtuoHoldingsInc
  194.33.191.128/25   VirtuoHoldingsInc

---rsk

------------------------------------------------------
Mailman-Users mailing list -- mailman-users@python.org
Searchable Archives: https://mail.python.org/archives/list/mailman-users@python.org/
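The four checks the post suggests (bursts from one source, one address requested on several lists, requests never confirmed, requests from the listed network space) can be run over a Mailman subscribe log with a short script instead of by eye. The following is an added example, not code from the post or from the Mailman project. It assumes the Mailman 2.1 `logs/subscribe` line format (`Mon DD HH:MM:SS YYYY (pid) list: pending addr source-ip` for a web request and `list: new addr, how` for a completed subscription); the log lines, the list names and the addresses are constructed, and only a handful of the post's networks are included. Mailman 3 logs differently, and Mailman 2 writes `Name <addr>` when a display name was supplied, so check the regexes against your own log first.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the Mailman 2.1 logs/subscribe style (an assumption about
# the format). "pending" = request created via the web, last field is the
# requester's IP; "new" = the subscription was confirmed/completed.
SAMPLE_LOG = """\
Mar 03 09:12:01 2024 (4410) listone: pending victim@example.org 192.3.56.17
Mar 03 09:12:02 2024 (4410) listtwo: pending victim@example.org 192.3.56.17
Mar 03 09:12:04 2024 (4411) listthree: pending victim@example.org 198.23.170.200
Mar 03 09:12:05 2024 (4411) listone: pending other@example.net 75.102.9.33
Mar 03 10:40:17 2024 (4420) listone: pending alice@example.com 203.0.113.8
Mar 03 10:45:02 2024 (4421) listone: new alice@example.com, via web confirmation
"""

# A few of the networks from the post; extend with the full list.
SUSPECT_NETS = [ipaddress.ip_network(n) for n in (
    "23.94.58.0/25", "192.3.56.0/25", "198.23.170.128/25",
    "75.102.8.0/23", "91.243.92.0/24",
)]

# Bare addresses only; a "Name <addr>" form would need a looser pattern.
_PREFIX = r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) \(\d+\) (?P<list>\S+): "
PENDING_RE = re.compile(_PREFIX + r"pending (?P<addr>\S+) (?P<src>\S+)$")
NEW_RE = re.compile(_PREFIX + r"new (?P<addr>[^,]+), (?P<how>.*)$")
TS_FORMAT = "%b %d %H:%M:%S %Y"


def suspect_network(src, nets=SUSPECT_NETS):
    """Return the network in nets containing src (what grepcidr would report), else None."""
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:          # "by admin" or other non-IP value in the source field
        return None
    for net in nets:
        if ip in net:
            return net
    return None


def burst_sources(pending, min_requests=2, window_seconds=60):
    """Sources that generated min_requests or more pending requests within window_seconds."""
    times_by_src = defaultdict(list)
    for p in pending:
        times_by_src[p["src"]].append(datetime.strptime(p["ts"], TS_FORMAT))
    bursts = set()
    for src, times in times_by_src.items():
        times.sort()
        for i in range(len(times) - min_requests + 1):
            if (times[i + min_requests - 1] - times[i]).total_seconds() <= window_seconds:
                bursts.add(src)
                break
    return sorted(bursts)


def analyze(log_text, nets=SUSPECT_NETS):
    """Apply the post's checks to a subscribe log and return the findings as a dict."""
    pending = []
    confirmed = set()
    for line in log_text.splitlines():
        m = PENDING_RE.match(line)
        if m:
            pending.append(m.groupdict())
            continue
        m = NEW_RE.match(line)
        if m:
            confirmed.add((m["list"], m["addr"].strip().lower()))

    lists_by_addr = defaultdict(set)
    per_source = defaultdict(int)
    for p in pending:
        lists_by_addr[p["addr"].lower()].add(p["list"])
        per_source[p["src"]] += 1

    # Same address requested on more than one list.
    multi_list = {a: sorted(ls) for a, ls in lists_by_addr.items() if len(ls) > 1}
    # Requests that were never ACK'd: a "pending" line with no later "new" line.
    unconfirmed = [p for p in pending if (p["list"], p["addr"].lower()) not in confirmed]
    # Requests originating from the listed network space.
    suspect = {}
    for p in pending:
        net = suspect_network(p["src"], nets)
        if net is not None:
            suspect[p["src"]] = str(net)
    return {
        "multi_list": multi_list,
        "unconfirmed": unconfirmed,
        "suspect": suspect,
        "per_source": dict(per_source),
        "bursts": burst_sources(pending),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(analyze(SAMPLE_LOG), indent=2))
```

Feed it the real log with `analyze(open("/var/lib/mailman/logs/subscribe").read())` (path assumed; adjust to your install) and the interesting sources are those that show up in more than one of the four findings. The unconfirmed check is only meaningful for lines older than the confirmation window, since a legitimate request made a minute ago has simply not been answered yet.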