After having thwarted additional attacks (thanks for the hint about 
SUBSCRIBE_FORM_SECRET!) I looked at our mailman logs
to see if everything is quiet now, and to find patterns.

Apparently the initial check was from a Serbian IP address:

Aug 18 10:01:55 2020 (8184) <listname>: pending mmc49...@eoopy.com 37.221.182.184

The mail address has md5sum 8161d22688eab8dd557aec1fd32192b7, so it's the same 
that you (Andy) saw 14 times, so it's
likely that this address was the one used by the spammer to confirm that his 
scheme works.

After that check, the other stupidly publicly advertised lists at our small 
site were tested with the same address, one
was tested with another address at the same domain, and then a few minutes 
later the bot started to "register" victims.

eoopy.com seems to be a domain used by 10minutemail.net to provide time-limited 
e-mail addresses. I don't think they
would be willing or able to share information on who registered this mail 
address (it's all automated and like most
anonymizing services they won't keep logs so LE can't force them to hand them 
over).

Thinking up a specialized defense against this attack (just as keeping a list 
of such domains) is probably overkill, so
this analysis is just here to possibly help understand what spammers do to 
circumvent anti-spam measures. We can't
foresee what they come up with next, but we can react and harden our systems 
quickly.

Cheers,
Hans-Martin



_______________________________________________
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
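As an added example (not part of Hans-Martin's message, and not code from Mailman itself), the script below pulls the "pending" entries out of a Mailman 2 subscribe log in the shape quoted above and looks for the two patterns described in the post: one source IP probing several lists with a throwaway address within a few minutes, followed by a burst of "registrations" from the same IP. It also prints the md5 of each address so that sightings can be compared between sites without passing the raw address around, as was done in this thread. The line format is assumed from the single quoted entry; the list names, addresses, IPs and timestamps in the sample log are constructed.

```python
import hashlib
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Line format assumed from the entry quoted in the post:
#   Aug 18 10:01:55 2020 (8184) <listname>: pending user@example.com 192.0.2.1
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) \(\d+\) "
    r"(?P<list>\S+): pending (?P<addr>\S+) (?P<ip>\S+)$"
)

# Constructed sample log (list names, addresses, IPs and times are made up).
# It mimics the sequence described in the post: a probe address tried against
# several lists, then a burst of victim addresses from the same IP.
SAMPLE_LOG = """\
Aug 18 10:01:55 2020 (8184) list-a: pending probe1@tempmail.example 198.51.100.7
Aug 18 10:02:10 2020 (8184) list-b: pending probe1@tempmail.example 198.51.100.7
Aug 18 10:02:31 2020 (8184) list-c: pending probe2@tempmail.example 198.51.100.7
Aug 18 10:06:02 2020 (8184) list-a: pending victim1@victim.example 198.51.100.7
Aug 18 10:06:03 2020 (8184) list-a: pending victim2@victim.example 198.51.100.7
Aug 18 10:06:05 2020 (8184) list-b: pending victim3@victim.example 198.51.100.7
Aug 18 11:40:12 2020 (8184) list-a: pending alice@legit.example 203.0.113.9
"""


@dataclass(frozen=True)
class PendingEvent:
    ts: datetime
    list_name: str
    addr: str
    ip: str


def parse_subscribe_log(text):
    """Return the 'pending' entries of a subscribe log as PendingEvent objects."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # other subscribe-log entries are not of interest here
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S %Y")
        events.append(PendingEvent(ts, m["list"], m["addr"].lower(), m["ip"]))
    return events


def addr_hash(addr):
    """md5 of the normalised address, to compare sightings across sites
    without exchanging the address itself (the convention used in the thread)."""
    return hashlib.md5(addr.strip().lower().encode()).hexdigest()


def find_probe_ips(events, min_lists=2, window=timedelta(minutes=10)):
    """IPs that triggered pending subscriptions on at least `min_lists`
    different lists inside `window`: the 'test every list' pattern."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e.ip].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e.ts)
        for i, first in enumerate(evs):
            lists = {e.list_name for e in evs[i:] if e.ts - first.ts <= window}
            if len(lists) >= min_lists:
                flagged[ip] = lists
                break
    return flagged


def find_bursts(events, threshold=3, window=timedelta(seconds=60)):
    """IPs that caused `threshold` or more pending subscriptions inside any
    `window`; returns the largest such count per flagged IP."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e.ip].append(e.ts)
    flagged = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        best = 0
        for i, start in enumerate(stamps):
            count = sum(1 for t in stamps[i:] if t - start <= window)
            best = max(best, count)
        if best >= threshold:
            flagged[ip] = best
    return flagged


def domain_counts(events):
    """How many pending subscriptions each sender domain accounts for."""
    return dict(Counter(e.addr.rsplit("@", 1)[-1] for e in events))


if __name__ == "__main__":
    evs = parse_subscribe_log(SAMPLE_LOG)
    for e in evs:
        print(e.ts, e.ip, e.list_name, addr_hash(e.addr))
    print("probing IPs:", find_probe_ips(evs))
    print("bursting IPs:", find_bursts(evs))
    print("domains:", domain_counts(evs))
```

Run it against /var/log/mailman/subscribe (or wherever your Mailman writes it) by reading the file into parse_subscribe_log instead of SAMPLE_LOG. The thresholds are deliberately conservative; tune the window and counts to the normal subscription rate of your own lists before acting on a hit.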