[Mailman-Users] Re: Web requests with garbage at the end of the list name
On 08/18/21 15:15, David Gibbs via Mailman-Users wrote:

> Is anyone else seeing requests to their mailman install that look
> something like this:
>
> Aug 18 15:10:16 2021 (31166) Hostile listname:
> listname=midrange-l__;!!NVq9dfhzMyHqTw!wLl-dt8zxsuQuoyojs-UYmT_d65WZroClHaYGfHduJ561eT0B7baTQV1ogZzQKRRsw$:
> remote=52.34.76.65

What log is that from? I don't recognize the format.

Jon Baron writes:

> I'm pretty sure that this comes from Proofpoint's "URL Defense"
> system. (Google it.)

Argh.

> But I don't understand what you mean by "hostile
> listname" being "correct".

He means that "midrange-l" is the name of an active list at his site, I'm pretty sure.

> What comes before the __ is usually a URL, and there is also a __
> BEFORE the url begins. If you use a graphical mail client (like
> gmail), [and] click the url that you see, Proofpoint will check it
> to see if it is on a list of nasty sites.

host(1) says the source of the request is AWS. :-/

None of this explains why the URL is targeting David's Mailman, unless it's the Mailman host that is running the Proofpoint. (It's not your job ;-), but any further hints would be appreciated.

Steve

--
Mailman-Users mailing list -- mailman-users@python.org
To unsubscribe send an email to mailman-users-le...@python.org
https://mail.python.org/mailman3/lists/mailman-users.python.org/
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: https://www.mail-archive.com/mailman-users@python.org/
https://mail.python.org/archives/list/mailman-users@python.org/
[Mailman-Users] Re: Web requests with garbage at the end of the list name
I'm pretty sure that this comes from Proofpoint's "URL Defense" system. (Google it.)

But I don't understand what you mean by "hostile listname" being "correct".

What comes before the __ is usually a URL, and there is also a __ BEFORE the url begins. If you use a graphical mail client (like gmail), you don't see this extra junk, but if you click the url that you see, Proofpoint will check it to see if it is on a list of nasty sites.

If you want to see the URL alone with a text client (like mutt), I suggest running all messages through .procmailrc with this recipe:

    :0 f
    | /usr/bin/sed -e "s/__/ /g"

This will replace __ with spaces, leaving the url itself standing alone.

Jon

On 08/18/21 15:15, David Gibbs via Mailman-Users wrote:

> Folks:
>
> Is anyone else seeing requests to their mailman install that look
> something like this:
>
> Aug 18 15:10:16 2021 (31166) Hostile listname:
> listname=midrange-l__;!!NVq9dfhzMyHqTw!wLl-dt8zxsuQuoyojs-UYmT_d65WZroClHaYGfHduJ561eT0B7baTQV1ogZzQKRRsw$:
> remote=52.34.76.65
>
> Basically, the list name is correct, but the added "__;!NV..." makes
> it invalid.
>
> The pattern is rather consistent ... "__;!NV" followed by a bunch of
> garbage.
>
> Thanks!
>
> David

--
Jonathan Baron, Professor of Psychology, University of Pennsylvania
Home page: https://www.sas.upenn.edu/~baron
Founding Editor: Judgment and Decision Making (http://journal.sjdm.org)
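
An added example, not part of any post in this thread and not Mailman's own code: a small triage script for error-log entries like the one David quotes, separating "Hostile listname" hits that are a list name plus the `__;!!...$` trailer from other rejected names. The trailer regex is inferred from the single sample in the thread; the list names, tokens and addresses in the sample log are constructed.

```python
import re
from collections import Counter

# "Hostile listname" entry, in the shape of the log line quoted in the thread.
LOG_RE = re.compile(r"Hostile listname: listname=(?P<name>.*): remote=(?P<remote>\S+)")

# Trailer seen in the thread: "__;" + optional encoded chars + "!!" + token +
# "!" + token + "$". Character classes are an assumption from that one sample.
TRAILER_RE = re.compile(r"__;[A-Za-z0-9_-]*!![A-Za-z0-9_-]+![A-Za-z0-9_-]+\$$")


def classify(line, known_lists):
    """Return (kind, list_name, remote) for a Hostile listname line, else None."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    name, remote = m.group("name"), m.group("remote")
    t = TRAILER_RE.search(name)
    if t is None:
        return ("other", name, remote)
    base = name[:t.start()]  # what was requested before the trailer was appended
    kind = "rewritten-link" if base in known_lists else "rewritten-link-unknown-list"
    return (kind, base, remote)


def summarise(log_text, known_lists):
    """Count entries per kind; collect remotes of entries without the trailer."""
    counts, review = Counter(), []
    for line in log_text.splitlines():
        hit = classify(line, known_lists)
        if hit is None:
            continue
        counts[hit[0]] += 1
        if hit[0] == "other":
            review.append(hit[2])
    return counts, review


# Constructed sample log: list names, tokens and addresses are made up.
SAMPLE_LOG = """\
Aug 18 15:10:16 2021 (31166) Hostile listname: listname=example-l__;!!AAAAexampleTOKEN!BBBB-example_token$: remote=192.0.2.10
Aug 18 15:11:02 2021 (31170) Hostile listname: listname=nosuchlist__;!!AAAAexampleTOKEN!CCCCtoken$: remote=192.0.2.11
Aug 18 15:12:40 2021 (31175) Hostile listname: listname=bad/name: remote=198.51.100.7
Aug 18 15:13:00 2021 (31180) some unrelated error line
"""

if __name__ == "__main__":
    counts, review = summarise(SAMPLE_LOG, {"example-l"})
    print(dict(counts), "review:", review)
```

Entries left in the "other" bucket are the ones that do not fit the rewritten-link shape and still need a look by hand.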
[Mailman-Users] Re: Web requests with garbage at the end of the list name
On 8/18/2021 1:15 PM, David Gibbs via Mailman-Users wrote:

> The pattern is rather consistent ... "__;!NV" followed by a bunch of
> garbage.

I don't recognize the encoding, but that looks like someone is trying an SQL injection attack.

I could also be wrong.

z!
[Mailman-Users] Web requests with garbage at the end of the list name
Folks:

Is anyone else seeing requests to their mailman install that look something like this:

Aug 18 15:10:16 2021 (31166) Hostile listname: listname=midrange-l__;!!NVq9dfhzMyHqTw!wLl-dt8zxsuQuoyojs-UYmT_d65WZroClHaYGfHduJ561eT0B7baTQV1ogZzQKRRsw$: remote=52.34.76.65

Basically, the list name is correct, but the added "__;!NV..." makes it invalid.

The pattern is rather consistent ... "__;!NV" followed by a bunch of garbage.

Thanks!

David

--
I'm riding in the American Diabetes Association's Tour de Cure to raise money for diabetes research, education, advocacy, and awareness.

You can make a tax-deductible donation to my ride by visiting https://mideml.diabetessucks.net.

You can see where my donations come from by visiting my interactive donation map ... https://mideml.diabetessucks.net/map (it's a geeky thing).