Over the past couple of months, I've observed a series of attacks
against Mailman that are likely related because they use the same
tactic every time.
That tactic is to use Mailman's web interface to generate multiple
subscription requests for multiple people. My guess is that the goal
may be either (a) to harass those people or (b) to get the outbound
subscription confirmation requests from Mailman marked as spam (in
mail systems which support that function) or (c) both.
To spot this: check your subscription logs for bursts of activity --
in particular, subscription requests for the same address to multiple
lists (including multiple unrelated mailing lists), and in further
particular, requests that are never ACK'd, AND, in further particular,
requests that originate from network space unlikely to be populated
by real users.
Of course I have no way of knowing if the instance I'm looking at is
the only one being targeted or whether others are seeing this as well.
On that point, it might be useful for those of you reading this to
extract the networks below and use "grepcidr" or a similar tool to
check them against your logs. That's part of my reason for writing this.
The other part is to share the lists of network allocations that I've
firewalled out from ports 80 and 443; all of these participated in one
or more attacks (and subsequently tried to participate in others, but
were blocked). You may want to preemptively drop these into your
firewall(s) IF it turns out that other Mailman instances are also
being targeted.
Here they are, in three groups:
Pnvgroup:
23.94.58.0/25 PNVGROUPLtd
23.94.58.128/25 PNVGROUPLtd
23.95.99.0/25 PNVGROUPLtd
107.172.18.0/25 PNVGROUPLtd
192.3.56.0/25 PNVGROUPLtd
192.3.56.128/25 PNVGROUPLtd
192.3.57.0/25 PNVGROUPLtd
192.3.57.128/25 PNVGROUPLtd
192.3.58.0/25 PNVGROUPLtd
192.3.58.128/25 PNVGROUPLtd
192.3.59.0/25 PNVGROUPLtd
198.12.72.128/25 PNVGROUPLtd
198.23.168.0/25 PNVGROUPLtd
198.23.168.128/25 PNVGROUPLtd
198.23.169.0/25 PNVGROUPLtd
198.23.170.0/25 PNVGROUPLtd
198.23.170.128/25 PNVGROUPLtd
198.23.171.0/25 PNVGROUPLtd
199.188.102.0/25 PNVGROUPLtd
Proxies-LLC:
108.165.184.0/22 PROXIES-LLC
108.165.188.0/22 PROXIES-LLC
75.102.24.0/23 PROXIES-LLC
75.102.8.0/23 PROXIES-LLC
Miscellaneous:
91.243.92.0/24 QualityNetworkCorp
91.243.94.0/24 QualityNetworkCorp
103.160.101.0/24 IRT-DURABLEDNS-AP
172.98.181.0/24 Braveway/PrivateCustomer
172.104.17.0/24 Linode (this is just a chunk of the network)
194.26.135.0/24 ChangWayTechnologiesCoLimited
194.33.191.0/25 VirtuoHoldingsInc
194.33.191.128/25 VirtuoHoldingsInc
---rsk
------------------------------------------------------
Mailman-Users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
https://mail.python.org/mailman3/lists/mailman-users.python.org/
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: https://www.mail-archive.com/[email protected]/
https://mail.python.org/archives/list/[email protected]/
Member address: [email protected]
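The log checks the post suggests (bursts of requests for one address across several lists, requests that are never confirmed, and source addresses inside the listed allocations) can be scripted rather than eyeballed. The following is an added example written for this page, not code from the original post or from the Mailman project. The log lines are constructed and the line layout (`<date> (<pid>) <list>: pending <addr> <ip>` / `<list>: new <addr>, via web confirmation`) is an assumption loosely modelled on Mailman 2's logs/subscribe file; adjust the regex to whatever your version actually writes. Only a handful of the networks from the post are embedded, as an illustration.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# A subset of the allocations listed in the post (enough for the demo).
BLOCKED_CIDRS = [
    "23.94.58.0/25", "192.3.56.0/25", "108.165.184.0/22",
    "75.102.24.0/23", "91.243.92.0/24", "194.33.191.0/25",
]
NETWORKS = [ipaddress.ip_network(c) for c in BLOCKED_CIDRS]

# Constructed sample log; the format is an assumption, not verified Mailman output.
SAMPLE_LOG = """\
Mar 03 10:00:01 2024 (4181) list-a: pending victim@example.org 23.94.58.17
Mar 03 10:00:02 2024 (4181) list-b: pending victim@example.org 23.94.58.17
Mar 03 10:00:03 2024 (4181) list-c: pending victim@example.org 192.3.56.77
Mar 03 10:00:04 2024 (4181) list-a: pending other@example.net 108.165.185.9
Mar 03 10:00:05 2024 (4181) list-b: pending other@example.net 108.165.185.9
Mar 03 10:00:06 2024 (4181) list-c: pending other@example.net 108.165.185.9
Mar 03 11:30:00 2024 (4182) list-a: pending real@example.com 203.0.113.7
Mar 03 11:31:12 2024 (4182) list-a: new real@example.com, via web confirmation
"""

# date (pid) list: event addr[,] remainder  -- remainder is the IP for "pending"
LINE_RE = re.compile(
    r"^(\w{3} \d{2} \d{2}:\d{2}:\d{2} \d{4}) \(\d+\) (\S+): (pending|new) (\S+?),? (.*)$"
)


def parse_subscribe_log(text):
    """Turn log lines into dicts; lines that do not match the assumed format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m.group(1), "%b %d %H:%M:%S %Y"),
            "list": m.group(2),
            "event": m.group(3),
            "addr": m.group(4).lower(),
            "rest": m.group(5).strip(),
        })
    return events


def in_blocked_space(ip_text):
    """Return the matching CIDR from the post's list, or None (same idea as grepcidr)."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return None
    return next((str(n) for n in NETWORKS if ip in n), None)


def find_suspicious(events, window=timedelta(minutes=10), min_lists=2):
    """Flag addresses with a burst of pending requests across lists, never ACK'd,
    or coming from the listed networks. Returns {addr: details}."""
    pending = defaultdict(list)   # addr -> [(ts, list, source ip)]
    confirmed = set()             # (addr, list) pairs that were confirmed
    for ev in events:
        if ev["event"] == "pending":
            pending[ev["addr"]].append((ev["ts"], ev["list"], ev["rest"]))
        elif ev["event"] == "new":
            confirmed.add((ev["addr"], ev["list"]))

    report = {}
    for addr, reqs in pending.items():
        reqs.sort()
        # Largest number of distinct lists requested within any `window` starting at a request.
        burst_lists = 0
        for i, (t0, _, _) in enumerate(reqs):
            lists = {lst for ts, lst, _ in reqs[i:] if ts - t0 <= window}
            burst_lists = max(burst_lists, len(lists))
        unacked = sorted({lst for _, lst, _ in reqs if (addr, lst) not in confirmed})
        nets = sorted({in_blocked_space(ip) for _, _, ip in reqs} - {None})
        if burst_lists >= min_lists or nets:
            report[addr] = {"burst_lists": burst_lists,
                            "unacked": unacked, "blocked_nets": nets}
    return report


if __name__ == "__main__":
    for addr, info in find_suspicious(parse_subscribe_log(SAMPLE_LOG)).items():
        print(addr, info)
```

In the sample, the two addresses hit from the listed networks are each flagged with three unconfirmed requests inside a few seconds, while the one real subscriber (one request, confirmed, from unlisted space) is not. To run it against a real server, feed the contents of your subscribe log into `parse_subscribe_log` and paste the full CIDR list from the post into `BLOCKED_CIDRS`.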