Re: [Mailman-Users] Subscription Form Spam -- It continues . . .

2015-10-07 Thread Stephen J. Turnbull
Mark Sapiro writes:

 > > 3. Use the Spamhaus DROP and EDROP lists in your firewall and drop
 > > *all* inbound traffic from and *all* outbound traffic to those ranges.
 > > This achieves lossless compression.  (This should be done whether you
 > > do 1 or 2 or neither.  It's basic network self-defense.)
 > > 
 > > and/or
 > 
 > Except these come from botnets and the IPs are all over the world.

I wonder how effective the Spamhaus XBL (eXploited host Black List)
would be at this.  I wouldn't use it unless I were experiencing the
attack, though.

 > It's hard to see why they continue to hammer us,

Good question.

By the way, I'm not seeing the '.*\+\d{5,}@gmail\.com' subscribes at
XEmacs, but I am seeing this (curiously not for XEmacs itself, but for
LUG lists our host also serves):

Oct 04 yhslug: pending i...@firstlast.com  195.228.45.176
Oct 04 shenlug: pending nick.l...@gmail.com  173.254.216.68
Oct 04 fredlug: pending nick.l...@gmail.com  209.133.66.214
Oct 04 bbh: pending nick.l...@gmail.com  195.154.209.57
Oct 04 bod: pending nick.l...@gmail.com  195.154.209.57
Oct 04 ma-linux: pending nick.l...@gmail.com  162.247.72.
Oct 04 yhslug: pending nick.l...@gmail.com  162.247.72.7
Oct 04 ma-jobs: pending nick.l...@gmail.com  81.89.96.88
Oct 04 fredlug: pending nick.l...@gmail.com  192.151.154.142
Oct 04 ma-linux: pending nick.l...@gmail.com  195.154.191.67
Oct 04 yhslug: pending nick.l...@gmail.com  195.154.191.67
Oct 05 mailman: pending i...@firstlast.com  5.9.36.66
Oct 05 ma-jobs: pending i...@firstlast.com  5.9.36.66
Oct 05 shenlug: pending i...@firstlast.com  5.9.36.66
Oct 05 xlock-announce: pending i...@firstlast.com  5.9.36.66
Oct 05 ma-linux: pending i...@firstlast.com  213.61.149.100
Oct 05 yhslug: pending i...@firstlast.com  213.61.149.100
Oct 05 xlock-develop: pending nick.l...@gmail.com  107.181.174.84
Oct 05 ma-jobs: pending nick.l...@gmail.com  107.181.174.84
Oct 05 shenlug: pending nick.l...@gmail.com  107.181.174.84
Oct 05 ma-linux: pending i...@firstlast.com  185.101.107.189
Oct 05 yhslug: pending i...@firstlast.com  185.101.107.189
Oct 06 fredlug: pending nick.l...@gmail.com  62.210.105.116
Oct 06 shenlug: pending i...@firstlast.com  37.130.227.133
Oct 06 mailman: pending nick.l...@gmail.com  37.187.7.74
Oct 06 yhslug: pending i...@firstlast.com  37.187.7.74
Oct 06 shenlug: pending nick.l...@gmail.com  37.187.7.74
Oct 06 ma-linux: pending nick.l...@gmail.com  69.162.139.9
Oct 06 yhslug: pending nick.l...@gmail.com  69.162.139.9
Oct 07 shenlug: pending i...@firstlast.com  171.25.193.131
Oct 07 bbh: pending i...@firstlast.com  185.104.120.4
Oct 07 mailman: pending nick.l...@gmail.com  91.219.236.222
Oct 07 ma-jobs: pending nick.l...@gmail.com  91.219.236.222

(Name obfuscated to protect the probably innocent victim.)

19 different IPs -- "Nick Last" sure gets around on the Internet!
This isn't the only suspicious subscription activity on the host and
it doesn't amount to a serious DOS attack for us, but it looks like a
variation (maybe an older scheme? or just a script kiddie with only a
few bots?) on the same theme.

Just speculation, but I wonder if the bots are discovering Mailman
hosts, then going to listinfo and getting the list of lists, and then
telling the other bots in their net to subscribe (in an unintended
"Great Internet Worm" fiasco)?

Steve
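Counting distinct source IPs per pending address, as Steve did by eye above, is a cheap detection for this pattern. The block below is an added example (my code, not Steve's and not Mailman's) that parses lines in the shape of his excerpt and flags addresses pending from many unrelated IPs; the log lines, addresses and IPs are constructed, with the IPs drawn from the RFC 5737 documentation ranges.

```python
import re
from collections import defaultdict

# Constructed sample in the same shape as the excerpt above:
# "<Mon DD> <list>: pending <address>  <remote IP>". Nothing here is real.
# The last line deliberately has a truncated IP, like "162.247.72." above.
SAMPLE_LOG = """\
Oct 04 yhslug: pending alice@example.org  192.0.2.10
Oct 04 fredlug: pending bob@example.net  198.51.100.7
Oct 04 bbh: pending bob@example.net  203.0.113.5
Oct 05 ma-jobs: pending bob@example.net  203.0.113.5
Oct 05 shenlug: pending bob@example.net  198.51.100.44
Oct 06 mailman: pending bob@example.net  192.0.2.99
Oct 06 yhslug: pending carol@example.com  192.0.2.10
Oct 06 bod: pending carol@example.com  192.0.2.
"""

LINE_RE = re.compile(
    r"^(?P<date>\w{3} \d{2}) (?P<list>[\w-]+): pending "
    r"(?P<addr>\S+)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})$"
)

def parse_pending(text):
    """Yield (date, list, address, ip) for each well-formed line.
    Lines that do not parse (e.g. a truncated IP) are skipped, not guessed."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield (m.group("date"), m.group("list"),
                   m.group("addr").lower(), m.group("ip"))

def ips_per_address(text):
    """Map each subscribing address to the set of distinct source IPs."""
    seen = defaultdict(set)
    for _date, _lst, addr, ip in parse_pending(text):
        seen[addr].add(ip)
    return seen

def lists_per_address(text):
    """Map each subscribing address to the set of lists it was pended on."""
    seen = defaultdict(set)
    for _date, lst, addr, _ip in parse_pending(text):
        seen[addr].add(lst)
    return seen

def suspicious_addresses(text, min_ips=3):
    """Addresses pending from at least `min_ips` distinct IPs: one person
    rarely subscribes the same address from several unrelated networks
    within a few days, so these are candidates for a ban_list entry."""
    return sorted(a for a, ips in ips_per_address(text).items()
                  if len(ips) >= min_ips)
```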
--
Mailman-Users mailing list Mailman-Users@python.org
https://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
https://mail.python.org/mailman/options/mailman-users/archive%40jab.org


Re: [Mailman-Users] Subscription Form Spam -- It continues . . .

2015-10-07 Thread Mark Sapiro
On 10/07/2015 08:15 AM, Rich Kulawiec wrote:
> 
> There are multiple approaches to this:
> 
> 1.  Look at the logs.  Find out where the subscriptions are coming from,
> and firewall out the appropriate network(s) or countries.  (See ipdeny.com
> for country IP ranges.)
> 
> or
> 
> 2. If you only expect to receive subscriptions from one or a few countries,
> then firewall out the entire world and only allow connections from that
> small set.
> 
> and/or
> 
> 3. Use the Spamhaus DROP and EDROP lists in your firewall and drop
> *all* inbound traffic from and *all* outbound traffic to those ranges.
> This achieves lossless compression.  (This should be done whether you
> do 1 or 2 or neither.  It's basic network self-defense.)
> 
> and/or


Except these come from botnets and the IPs are all over the world.


> 
> 4. Collect all the forged subscriptions and have a chat with the email
> people at Gmail.  It's possible that they can do something about this
> on their side.  I can put you in touch with someone if need be.


And Gmail has nothing to do with this. This is a DOS attack. There may
be some intent to harass various gmail users with backscatter, but none
of this originates from gmail and the addresses being subscribed may not
even be valid gmail addresses, but if they are, I doubt their owners are
more than victims.

By globally banning the addresses at mail.python.org, we have no
backscatter and we block subscription and only say so in the web
response to the subscribe form submission. Thus whoever is behind this
gains nothing and only causes us the web processing to process their GET
and POST. It's hard to see why they continue to hammer us, but we see
ever increasing numbers of these, 17341 on Oct 5, 17882 on Oct 6 and
19927 on Oct 7, CEST. These are the number of subscribe attempts that
got far enough to be banned. Significant numbers are blocked via IP
block lists and some fail because the POST comes too soon after the GET.

-- 
Mark Sapiro                           The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan


Re: [Mailman-Users] Subscription Form Spam -- It continues . . .

2015-10-07 Thread Matthew Saltzman
On Wed, 2015-10-07 at 17:49 -0700, Mark Sapiro wrote:
> On 10/07/2015 08:15 AM, Rich Kulawiec wrote:
> > 
> > There are multiple approaches to this:
> > 
> > 1.  Look at the logs.  Find out where the subscriptions are coming
> > from,
> > and firewall out the appropriate network(s) or countries.  (See
> > ipdeny.com
> > for country IP ranges.)
> > 
> > or
> > 
> > 2. If you only expect to receive subscriptions from one or a few
> > countries,
> > then firewall out the entire world and only allow connections from
> > that
> > small set.
> > 
> > and/or
> > 
> > 3. Use the Spamhaus DROP and EDROP lists in your firewall and drop
> > *all* inbound traffic from and *all* outbound traffic to those
> > ranges.
> > This achieves lossless compression.  (This should be done whether
> > you
> > do 1 or 2 or neither.  It's basic network self-defense.)
> > 
> > and/or
> 
> 
> Except these come from botnets and the IPs are all over the world.
> 
> 
> > 
> > 4. Collect all the forged subscriptions and have a chat with the
> > email
> > people at Gmail.  It's possible that they can do something about
> > this
> > on their side.  I can put you in touch with someone if need be.
> 
> 
> And Gmail has nothing to do with this. This is a DOS attack. There
> may
> be some intent to harass various gmail users with backscatter, but
> none
> of this originates from gmail and the addresses being subscribed may
> not
> even be valid gmail addresses, but if they are, I doubt their owners
> are
> more than victims.
> 
> By globally banning the addresses at mail.python.org, we have no
> backscatter and we block subscription and only say so in the web
> response to the subscribe form submission. Thus whoever is behind
> this
> gains nothing and only causes us the web processing to process their
> GET
> and POST. It's hard to see why they continue to hammer us, but we see
> ever increasing numbers of these, 17341 on Oct 5, 17882 on Oct 6 and
> 19927 on Oct 7, CEST. These are the number of subscribe attempts that
> got far enough to be banned. Significant numbers are blocked via IP
> block lists and some fail because the POST comes too soon after the
> GET.
> 

Based on Mark's advice, we banned the following regexps from
subscribing:

^.*\+\d{5,}@gmail\.com
^.*\+\d{5,}@usc\.edu

That might be a bit aggressive, potentially blocking a legitimate
address or two, but we haven't seen the spam since. (Note that there
was only one usc.edu address involved, and we haven't seen that once
since instituting the ban.)

# wc subscribe vette
  12  132 1153 subscribe
   82014   902233 10164693 vette

...and that's just today!

-- 
Matthew Saltzman
Clemson University Math Sciences
mjs AT clemson DOT edu
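Mailman's ban_list (and GLOBAL_BAN_LIST in mm_cfg.py) treats an entry that starts with '^' as a case-insensitive regular expression and any other entry as a literal address, as I recall from the 2.1 source. The block below is an added example (my code, not Mailman's and not Matthew's) that reproduces that matching so the two regexps above can be tried against constructed sample addresses before being deployed; it also shows that, without a trailing '$', a pattern matches anything that merely begins with the expected shape.

```python
import re

# Ban-list semantics as I recall them from Mailman 2.1's MailList.GetPattern:
# an entry beginning with '^' is searched case-insensitively (the '^' anchors
# it at the start); anything else is compared to the whole address literally
# and case-insensitively. A malformed regex entry is skipped rather than
# breaking every subscribe.
BAN_LIST = [
    r"^.*\+\d{5,}@gmail\.com",      # the two regexps from the message above
    r"^.*\+\d{5,}@usc\.edu",
    "abuser@example.invalid",       # constructed literal entry
]

def banned_by(address, ban_list=BAN_LIST):
    """Return the ban_list entry that matches `address`, or None."""
    addr = address.strip()
    for entry in ban_list:
        if entry.startswith("^"):
            try:
                if re.search(entry, addr, re.IGNORECASE):
                    return entry
            except re.error:
                continue
        elif entry.lower() == addr.lower():
            return entry
    return None

def triage(addresses, ban_list=BAN_LIST):
    """Split subscribe attempts into (banned, allowed) lists, in input order."""
    banned, allowed = [], []
    for a in addresses:
        (banned if banned_by(a, ban_list) else allowed).append(a)
    return banned, allowed

# Constructed sample addresses; the first two mimic the "+<5 or more digits>
# @gmail.com" shape from this thread with made-up local parts.
SAMPLE = [
    "someone+59233456@gmail.com",
    "Someone+123456@GMAIL.COM",        # case-insensitive match
    "alice+1234@gmail.com",            # only four digits: allowed
    "bob+12345@usc.edu",
    "ABUSER@example.invalid",          # literal entry, case-insensitive
    "carol@gmail.com",
    "dave+12345@gmail.com.example",    # no '$' in the regexp, so still banned
]
```

Appending `$` to the regexps (e.g. `^.*\+\d{5,}@gmail\.com$`) is the one-character tightening that makes the last sample address fall through.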


Re: [Mailman-Users] mailman cgi error after server restart

2015-10-07 Thread Mark Sapiro
On 10/06/2015 07:25 PM, Kai Liu wrote:
> 
> 1) it says I could re-run configure, but I have run this about 4 years and
> have many mail list. If I re-run configure, will I lose some data?


Running configure, make and make install will not result in data loss,
but you should stop Mailman before make install and start it after.

If you have local mods to the Mailman code or you made settings in
Defaults.py instead of mm_cfg.py, there can be loss of those things, so
make your settings in mm_cfg.py and if you have mods to running code,
be sure you know what they are so you can reapply them.


> 2) How to run the postfix as group "daemon"?


Postfix is not the issue in your original post. Your OP referred to a
CGI wrapper group mismatch, not a mail wrapper group mismatch.

You can set the group in Apache with Apache's Group directive, but this
is a global setting. In Apache 2.4, there is also a VHostGroup directive
that applies only to a VirtualHost, but not in older versions. See
.

For Postfix, if delivery is via aliases, postfix will run the pipe in a
Mailman alias as the user and group of the owner of the aliases.db file
in which the alias is found. Note this is the primary group of the owner
of the file, not the group of the file.

-- 
Mark Sapiro                           The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan


[Mailman-Users] Subscription Form Spam -- It continues . . .

2015-10-07 Thread brian

Hello list,

I have seen another type of subscription form spam pop-up on our 
servers. It is particularly affecting one client that has 80 mailman 
lists and they wish to keep their lists publicly advertised. We keep 
seeing dozens of subscription spam coming in from gmail addresses PER 
MINUTE with the following format:


kihuotter+59233...@gmail.com

We have implemented the form secret function that was introduced in 
Mailman 2.16 but it is having no effect on these particular subscription 
requests.


I remember seeing a solution from Mark Sapiro addressing this exact 
issue but I can't seem to find it again.


Help me Obi-Wan Sapiro. You are my only hope! (other suggestions would 
also be appreciated!)


Thanks,
Brian Carpenter


Re: [Mailman-Users] mailman cgi error after server restart

2015-10-07 Thread Adam McGreggor
On Tue, Oct 06, 2015 at 10:25:23PM -0400, Kai Liu wrote:
> Hi guys,
> 
> My server is Red Hat Enterprise Linux ES release 4. I installed mailman
> 2.1.3 and postfix. It has worked for 4 years.

Your version of Mailman is almost 10 years old. I'd be inclined to
upgrade that.

> Yesterday I restarted the
> server, but found I can not go to the http://MyDomain/mailman/create
> page. It shows the following error:
> 
> Mailman CGI error!!!
> 
> The Mailman CGI wrapper encountered a fatal error. This entry is being
> stored in your syslog:
> 
> Group mismatch error.  Mailman expected the CGI
> wrapper script to be executed as group "daemon", but
> the system's web server executed the CGI script as
> group "apache".  Try tweaking the web server to run the
> script as group "daemon", or re-run configure,
> providing the command line option `--with-cgi-gid=apache'.

check_perms is the (Mailman) script you want.

-- 
DRINK COFFEE -- Do stupid things faster with more energy!


[Mailman-Users] mailman cgi error after server restart

2015-10-07 Thread Kai Liu
Hi guys,

My server is Red Hat Enterprise Linux ES release 4. I installed mailman
2.1.3 and postfix. It has worked for 4 years. Yesterday I restarted the
server, but found I can not go to the http://MyDomain/mailman/create
page. It shows the following error:

Mailman CGI error!!!

The Mailman CGI wrapper encountered a fatal error. This entry is being
stored in your syslog:

Group mismatch error.  Mailman expected the CGI
wrapper script to be executed as group "daemon", but
the system's web server executed the CGI script as
group "apache".  Try tweaking the web server to run the
script as group "daemon", or re-run configure,
providing the command line option `--with-cgi-gid=apache'.


1) it says I could re-run configure, but I have run this about 4 years and
have many mail list. If I re-run configure, will I lose some data?

2) How to run the postfix as group "daemon"?

This question is also available at:
http://stackoverflow.com/questions/32982074/mailman-cgi-error-after-server-restart
-- 

Kai Liu
Ph.D. student
Department of Geography and GeoInformation Science
George Mason University


Re: [Mailman-Users] Subscription Form Spam -- It continues . . .

2015-10-07 Thread Mark Sapiro
On 10/07/2015 06:16 AM, br...@emwd.com wrote:
> We keep
> seeing dozens of subscription spam coming in from gmail addresses PER
> MINUTE with the following format:
> 
> kihuotter+59233...@gmail.com
> 
> We have implemented the form secret function that was introduced in
> Mailman 2.16 but it is having no effect on these particular subscription
> requests.


When these first started, enabling SUBSCRIBE_FORM_SECRET would help, but
there were still many that delayed long enough even with
SUBSCRIBE_FORM_MIN_TIME = seconds(8) to get through. Currently, the ones
that hit mail.python.org almost always delay long enough. I just checked
the vette log and we're currently banning about 18,000 attempts per day.

See



> I remember seeing a solution from Mark Sapiro addressing this exact
> issue but I can't seem to find it again.


There are several threads on this in the archives of this list from
August and September, but the above linked post is a good summary.

-- 
Mark Sapiro                           The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
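SUBSCRIBE_FORM_SECRET works by putting a timestamped, keyed token into the listinfo page on GET and refusing a subscribe POST whose token is forged, younger than SUBSCRIBE_FORM_MIN_TIME or older than the form lifetime, which is why a bot that simply waits out the delay gets through. The block below is an added, simplified reimplementation of that check (my code, not Mailman's: as I recall, Mailman 2.1.16 hashes the secret, time, a truncated client address and list name with SHA-1, whereas this uses HMAC-SHA256 over the full address); the secret and the lifetime are constructed placeholders.

```python
import hashlib
import hmac
import time

# Constructed placeholders standing in for the mm_cfg.py settings; the real
# values live in mm_cfg.py and the secret must never be this string.
SUBSCRIBE_FORM_SECRET = b"constructed-placeholder-secret-change-me"
SUBSCRIBE_FORM_MIN_TIME = 8          # seconds(8), as in the message above
FORM_LIFETIME = 24 * 60 * 60         # assumed one-day lifetime

def _mac(issued, remote_ip, listname):
    # Bind the token to when it was issued, who asked, and which list.
    msg = f"{issued}|{remote_ip}|{listname}".encode()
    return hmac.new(SUBSCRIBE_FORM_SECRET, msg, hashlib.sha256).hexdigest()

def issue_token(remote_ip, listname, now=None):
    """On GET of the listinfo page: the hidden field value, 'time:mac'."""
    issued = int(now if now is not None else time.time())
    return f"{issued}:{_mac(issued, remote_ip, listname)}"

def check_token(token, remote_ip, listname, now=None):
    """On POST of the subscribe form. Returns None when the submission is
    acceptable, otherwise a short reason; any reason refuses the subscribe
    without sending mail, so the target address sees no backscatter."""
    now = int(now if now is not None else time.time())
    try:
        issued_s, mac = token.split(":", 1)
        issued = int(issued_s)
    except (AttributeError, ValueError):
        return "missing or corrupted token"
    # Check the MAC before trusting the embedded timestamp at all.
    if not hmac.compare_digest(mac, _mac(issued, remote_ip, listname)):
        return "token mismatch"            # forged, or GET from another IP/list
    if now - issued < SUBSCRIBE_FORM_MIN_TIME:
        return "POST too soon after GET"   # the fast-bot case from this thread
    if now - issued > FORM_LIFETIME:
        return "form too old"
    return None
```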


Re: [Mailman-Users] Subscription Form Spam -- It continues . . .

2015-10-07 Thread Rich Kulawiec
On Wed, Oct 07, 2015 at 09:16:32AM -0400, br...@emwd.com wrote:
> I have seen another type of subscription form spam pop-up on our
> servers. It is particularly affecting one client that has 80 mailman
> lists and they wish to keep their lists publicly advertised. We keep
> seeing dozens of subscription spam coming in from gmail addresses
> PER MINUTE with the following format:

There are multiple approaches to this:

1.  Look at the logs.  Find out where the subscriptions are coming from,
and firewall out the appropriate network(s) or countries.  (See ipdeny.com
for country IP ranges.)

or

2. If you only expect to receive subscriptions from one or a few countries,
then firewall out the entire world and only allow connections from that
small set.

and/or

3. Use the Spamhaus DROP and EDROP lists in your firewall and drop
*all* inbound traffic from and *all* outbound traffic to those ranges.
This achieves lossless compression.  (This should be done whether you
do 1 or 2 or neither.  It's basic network self-defense.)

and/or

4. Collect all the forged subscriptions and have a chat with the email
people at Gmail.  It's possible that they can do something about this
on their side.  I can put you in touch with someone if need be.

---rsk