Re: [Mailman-Users] Distributed mass subscribe attack?

2017-08-22 Thread Andy Cravens

On Aug 18, 2017, at 8:36 AM, David Gibbs wrote:

> On 8/17/17 3:47 PM, Andy Cravens wrote:
>> I forgot to mention I’m also working on a modsecurity rule to look at
>> all POSTs and reject if they contain an email address with a + sign.
>
> I'm interested in both your recaptcha mod & mod_security rule ... please
> post (or contact me privately) when you make some progress.
>
> If you're interested in my MM mod, let me know.

After reading the responses concerning the + symbol in email addresses I have 
decided not to block them.  What I did was to implement reCaptcha v1 using the 
instructions here: 

https://www.dragonsreach.it/2014/05/03/adding-recaptcha-support-to-mailman/

When I first looked at this I had made several bad assumptions.  I assumed you
could not use the reCaptcha v2 keys with v1.  The new keys work fine with v1.
I had to apply the patch manually by editing the files and inserting the new
code.  It wasn’t a big deal.  I still plan on looking at implementing v2
sometime this year if I can find some free time.  I also plan on creating the
modsecurity rules mentioned earlier.  Another modsecurity rule I want to create
is to watch for outgoing replies that indicate a failed login attempt and take
action if conditions warrant.  I will post my rules when I have tested and
verified they work.

—
Andy
--
Mailman-Users mailing list Mailman-Users@python.org
https://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
https://mail.python.org/mailman/options/mailman-users/archive%40jab.org


Re: [Mailman-Users] Distributed mass subscribe attack?

2017-08-19 Thread Richard Shetron



On 8/18/2017 1:52 PM, Grant Taylor via Mailman-Users wrote:
> On 08/18/2017 11:07 AM, Phil Stracchino wrote:
>> I second this.  It is a legitimate part of compliant email addresses, no
>> matter how many web stores seem to believe otherwise (or are merely
>> unaware of it).
>
> I third this.
>
> I love user+detail but HATE that poorly designed web forms balk at +,
> and have been forced to do something else for user+detail like
> functionality.


I also agree with allowing the +.  I run my own mail server and now that
postfix allows defining more than one tag character, I've added _ so I
can tag with both + and _.  The sites rejecting RFC compliant addresses
are very annoying.



Re: [Mailman-Users] Distributed mass subscribe attack?

2017-08-18 Thread Grant Taylor via Mailman-Users

On 08/18/2017 11:07 AM, Phil Stracchino wrote:
> I second this.  It is a legitimate part of compliant email addresses, no
> matter how many web stores seem to believe otherwise (or are merely
> unaware of it).


I third this.

I love user+detail but HATE that poorly designed web forms balk at +, 
and have been forced to do something else for user+detail like 
functionality.




--
Grant. . . .
unix || die



Re: [Mailman-Users] Distributed mass subscribe attack?

2017-08-18 Thread Phil Stracchino
On 08/18/17 12:25, tlhackque via Mailman-Users wrote:
> On 17-Aug-17 16:47, Andy Cravens wrote:
>>
>>
>> David,
>>
>> I forgot to mention I’m also working on a modsecurity rule to look at all 
>> POSTs
>> and reject if they contain an email address with a + sign.
>>
> I understand the drive to suppress an attack.  However, + is valid in
> e-mail addresses.  It's frequently used by people to setup auto-filing
> rules, and/or to track the source of addresses harvested for SPAM.
> 
> I strongly discourage any service provider from defining what formats of
> e-mail addresses are acceptable.  Such definitions, however
> well-intentioned, are almost always wrong - and effectively blindly deny
> service.

I second this.  It is a legitimate part of compliant email addresses, no
matter how many web stores seem to believe otherwise (or are merely
unaware of it).

> If an address is valid per RFC822 (2822,5322, ...), accept it.

This.

> No matter what you do, the spammers will adapt, eventually.  But unless
> you're a particularly appealing target, they're likely to move on if you
> do almost anything unusual.

One of your best first lines of defense is don't be the low-hanging fruit.


-- 
  Phil Stracchino
  Babylon Communications
  ph...@caerllewys.net
  p...@co.ordinate.org
  Landline: +1.603.293.8485
  Mobile:   +1.603.998.6958


Re: [Mailman-Users] Distributed mass subscribe attack?

2017-08-18 Thread tlhackque via Mailman-Users
On 17-Aug-17 16:47, Andy Cravens wrote:
>
>
> David,
>
> I forgot to mention I’m also working on a modsecurity rule to look at all 
> POSTs
> and reject if they contain an email address with a + sign.
>
I understand the drive to suppress an attack.  However, + is valid in
e-mail addresses.  It's frequently used by people to setup auto-filing
rules, and/or to track the source of addresses harvested for SPAM.

I strongly discourage any service provider from defining what formats of
e-mail addresses are acceptable.  Such definitions, however
well-intentioned, are almost always wrong - and effectively blindly deny
service.

We've seen this with hardcoded lists of TLDs (there'll never be more
than 13.  + CC TLDs. + IDN + freemarket...).  And every variety of
mailbox name format restriction - character set, length, "bad words", ...

If an address is valid per RFC822 (2822,5322, ...), accept it.

But by all means use other approaches to suppress attacks.  Captchas are
probably your best shot.  Rate limiting can help.  You can use
(imperfect) filtering by geolocating by IP address - if your client base
doesn't include the whole world.   Other tricks include telling the user
to wait a minute or two before clicking submit; discard or require
re-submission of early responses.  Bots won't do that. 

No matter what you do, the spammers will adapt, eventually.  But unless
you're a particularly appealing target, they're likely to move on if you
do almost anything unusual.

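The suggestions in tlhackque's reply (accept anything that is a valid address, use a captcha or rate limiting, and make the client wait before submitting) can be turned into a small gate in front of the subscribe POST. The following is an added example written for this thread; it is not code from Mailman or from any of the posters. It enforces a per-IP sliding-window rate limit and a minimum form dwell time by signing the form's issue timestamp with an HMAC so a client cannot backdate it, and it lets any plausibly RFC-shaped address through, so `user+tag@` and `user_tag@` are not rejected. The hidden-field format, the limits, the site secret and the `gate_subscribe` interface are all assumptions, not Mailman's.

```python
"""Added example (not Mailman's code): gate a subscribe POST with a rate
limit and a minimum dwell time, without rejecting '+'-tagged addresses.
Field format, limits and secret below are assumptions made for the example.
"""
import hashlib
import hmac
import re
import time
from collections import defaultdict, deque

SITE_SECRET = b"replace-me-with-a-random-secret"   # constructed; read from config in practice

MIN_DWELL_SECONDS = 60     # "wait a minute before clicking submit"
MAX_TOKEN_AGE = 3600       # a form older than this must be reloaded
RATE_WINDOW = 600          # per-IP sliding window, in seconds
RATE_LIMIT = 5             # subscribe attempts allowed per window

# Deliberately loose shape check: RFC 5322 atext or '.' in the local part,
# one '@', and a dotted domain. It does NOT reject '+' or '_'.
_ADDR_RE = re.compile(
    r"^[A-Za-z0-9!#$%&'*+/=?^_`{|}~.-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


def address_is_plausible(addr: str) -> bool:
    """True if addr looks like an addr-spec; tags such as user+list@ pass."""
    return bool(_ADDR_RE.match(addr)) and ".." not in addr and not addr.startswith(".")


def issue_form_token(listname: str, now: float = None) -> str:
    """Value for the hidden form field: '<issued-at>.<hmac>'."""
    ts = str(int(now if now is not None else time.time()))
    mac = hmac.new(SITE_SECRET, f"{listname}|{ts}".encode(), hashlib.sha256).hexdigest()
    return f"{ts}.{mac}"


def check_form_token(listname: str, token: str, now: float = None) -> str:
    """Return 'ok', 'bad-signature', 'too-fast' or 'expired'."""
    now = now if now is not None else time.time()
    ts, _, mac = token.partition(".")
    if not ts.isdigit():
        return "bad-signature"
    expected = hmac.new(SITE_SECRET, f"{listname}|{ts}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return "bad-signature"
    age = now - int(ts)
    if age < MIN_DWELL_SECONDS:
        return "too-fast"        # a bot that POSTs right after the GET lands here
    if age > MAX_TOKEN_AGE:
        return "expired"
    return "ok"


class RateLimiter:
    """Sliding-window count of subscribe attempts per client IP."""

    def __init__(self, limit=RATE_LIMIT, window=RATE_WINDOW):
        self.limit, self.window = limit, window
        self._hits = defaultdict(deque)

    def allow(self, ip: str, now: float) -> bool:
        q = self._hits[ip]
        while q and now - q[0] > self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def gate_subscribe(limiter, listname, ip, addr, token, now) -> str:
    """Decide one subscribe POST: 'accept' or 'reject:<reason>'."""
    if not limiter.allow(ip, now):          # cheapest check first
        return "reject:rate-limited"
    verdict = check_form_token(listname, token, now)
    if verdict != "ok":
        return "reject:" + verdict
    if not address_is_plausible(addr):
        return "reject:bad-address"
    return "accept"


if __name__ == "__main__":
    lim = RateLimiter()
    t0 = 1_500_000_000
    tok = issue_form_token("mylist", t0)
    # A bot that POSTs two seconds after fetching the form is bounced ...
    print(gate_subscribe(lim, "mylist", "203.0.113.5", "user+tag@example.com", tok, t0 + 2))
    # ... a human who waited is accepted, '+' and all.
    print(gate_subscribe(lim, "mylist", "203.0.113.5", "user+tag@example.com", tok, t0 + 90))
```

The order of checks matters: the rate limit runs first because it is the cheapest, the token check next because it needs no I/O, and address validation last. The address check is intentionally permissive; anything stricter risks exactly the blind denial of service tlhackque warns about.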


Re: [Mailman-Users] Distributed mass subscribe attack?

2017-08-18 Thread David Gibbs

On 8/17/17 3:47 PM, Andy Cravens wrote:
> I forgot to mention I’m also working on a modsecurity rule to look at
> all POSTs and reject if they contain an email address with a + sign.


I'm interested in both your recaptcha mod & mod_security rule ... please
post (or contact me privately) when you make some progress.

If you're interested in my MM mod, let me know.

david



--
IBM i on Power Systems: For when you can't afford to be out of business!

I'm riding a metric century (100 km / 65 miles) in the American Diabetes
Association's Tour de Cure to raise money for diabetes research,
education, advocacy, and awareness.  You can make a tax deductible
donation to my ride by visiting http://gmane.diabetessucks.net.  My goal
is $6000 but any amount is appreciated.

You can see where my donations come from by visiting my interactive
donation map ... http://gmane.diabetessucks.net/map (it's a geeky thing).

I may have diabetes, but diabetes doesn't have me!



Re: [Mailman-Users] Distributed mass subscribe attack?

2017-08-17 Thread Andy Cravens
> On 8/8/2017 12:22 PM, David Gibbs wrote:
>> Anyone else noticing a distributed mass subscribe attack going on
>> their lists?
>>
>> I've noticed a massive number of attempts a small subset of email
>> addresses, with modifiers (address+modif...@example.com), going on.
>>
>> It appears the address is valid ... so it appears to be some kind of
>> hit job to flood someone's inbox.
>
> FWIW: I did a bit of hacking (super simple) and think I've found a way to
> thwart the attempt (at least on my server).
>
> It appears that the bot that's doing the attack first gets the subscribe form,
> so it can retrieve the sub_form_token value, before it does a POST to do the
> subscribe.
>
> I changed the subscribe & listinfo scripts to use a different name for the
> sub_form_token field.  Something unique to my system.
>
> I've seen a lot of GETS & POSTS from the hosts that were doing the attack and
> no subscribe's logged.
>
> david




David,

I forgot to mention I’m also working on a modsecurity rule to look at all POSTs 
and reject if they contain an email address with a + sign.

—
Andy


Re: [Mailman-Users] Distributed mass subscribe attack?

2017-08-17 Thread Andy Cravens
On 8/8/2017 12:22 PM, David Gibbs wrote:
> Anyone else noticing a distributed mass subscribe attack going on
> their lists?
> 
> I've noticed a massive number of attempts a small subset of email
> addresses, with modifiers (address+modif...@example.com), going on.
> 
> It appears the address is valid ... so it appears to be some kind of
> hit job to flood someone's inbox.

"FWIW: I did a bit of hacking (super simple) and think I've found a way to 
thwart the attempt (at least on my server).

It appears that the bot that's doing the attack first gets the subscribe form, 
so it can retrieve the sub_form_token value, before it does a POST to do the 
subscribe.

I changed the subscribe & listinfo scripts to use a different name for the 
sub_form_token field.  Something unique to my system."




I have the same issues.  Thank you for the info above.  I’m also working on a 
patch for reCaptcha V2.  Don’t know if I’ll have it done this month.

—
Andy


Re: [Mailman-Users] Distributed mass subscribe attack?

2017-08-17 Thread David Gibbs

On 8/8/2017 12:22 PM, David Gibbs wrote:
> Anyone else noticing a distributed mass subscribe attack going on
> their lists?
>
> I've noticed a massive number of attempts a small subset of email
> addresses, with modifiers (address+modif...@example.com), going on.
>
> It appears the address is valid ... so it appears to be some kind of
> hit job to flood someone's inbox.


FWIW: I did a bit of hacking (super simple) and think I've found a way to 
thwart the attempt (at least on my server).

It appears that the bot that's doing the attack first gets the subscribe form, 
so it can retrieve the sub_form_token value, before it does a POST to do the 
subscribe.

I changed the subscribe & listinfo scripts to use a different name for the 
sub_form_token field.  Something unique to my system.

I've seen a lot of GETS & POSTS from the hosts that were doing the attack and 
no subscribe's logged.

david





Re: [Mailman-Users] Distributed mass subscribe attack?

2017-08-08 Thread Mark Sapiro
On 08/08/2017 10:22 AM, David Gibbs wrote:
> 
> Anyone else noticing a distributed mass subscribe attack going on their
> lists?
> 
> I've noticed a massive number of attempts a small subset of email
> addresses, with modifiers (address+modif...@example.com), going on.
> 
> It appears the address is valid ... so it appears to be some kind of hit
> job to flood someone's inbox.
> 
> Luckily the address's are trivial to block using 'ban_list'.


I've seen this on mail.python.org in the past but not recently. Both the
form you mention and a local-p...@gmail.com form with dots interspersed
in the local part (which gmail ignores). I agree that it appears to be
some kind of hit job to flood someone's inbox.

It is this kind of attack that motivated the GLOBAL_BAN_LIST feature in
MM 2.1.21.

What I've seen recently is massive non-member posts in Chinese to
mailman-us...@mailman3.org from addresses of the form
string_of_dig...@qq.com and some at 163.com. After waking up to 2000+
held message notifications a while back, I now block these with a
Postfix header_checks rule

/^From:.*<.*[0-9]{4}.*@(qq|163)\.com>/ REJECT Go away you F*ing mail bomber

I am still seeing a few from various @163.com addresses, but I am now
(temporarily?) discarding non-member posts, so I only see them in logs
if I look.

-- 
Mark Sapiro                        The highway is for gamblers,
San Francisco Bay Area, California better use your sense - B. Dylan
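A header_checks rule like Mark's is easy to get subtly wrong, so it pays to run it over sample headers before deploying it. The following added example (not Postfix code and not from the thread) is a minimal evaluator for pcre-table-style rule lines of the form `/pattern/flags ACTION text`, applied to constructed `From:` headers. It supports only that line shape and the `i` flag (on by default, as in Postfix pcre tables, and switched off with `!i`); the sample headers, the message names and the first-match-wins simplification are assumptions. The rule text itself is Mark's.

```python
"""Added example, not Postfix's code: evaluate pcre-style header_checks
rules against sample headers to see what a rule really matches.
Sample headers and message labels are constructed for the example.
"""
import re

RULES_TEXT = r"""
# Mark's rule, copied from the thread
/^From:.*<.*[0-9]{4}.*@(qq|163)\.com>/ REJECT Go away you F*ing mail bomber
"""

# One rule line: /pattern/flags ACTION optional-text
_RULE_RE = re.compile(
    r"^/(?P<pat>(?:\\.|[^/])*)/(?P<flags>[a-z!]*)\s+(?P<action>\S+)(?:\s+(?P<text>.*))?$")


def parse_rules(text):
    """Parse rule lines; blank lines and '#' comments are skipped.
    Matching is case-insensitive unless the flags contain '!i'
    (the pcre_table default is case-insensitive)."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = _RULE_RE.match(line)
        if not m:
            raise ValueError("unparseable rule: " + line)
        re_flags = 0 if "!i" in m.group("flags") else re.IGNORECASE
        rules.append((re.compile(m.group("pat"), re_flags),
                      m.group("action").upper(), m.group("text") or ""))
    return rules


def check_headers(headers, rules):
    """Apply the rules to each header line in order; the first rule that
    matches any header decides (simplification of Postfix's behaviour).
    Returns (action, text, header) or None when nothing matched."""
    for hdr in headers:
        for pat, action, text in rules:
            if pat.search(hdr):
                return action, text, hdr
    return None


# Constructed messages: which of these should the rule catch?
SAMPLE_MESSAGES = {
    "bomber":            ["From: 12345678 <12345678@qq.com>", "Subject: hello"],
    "digits-in-163":     ["From: Bob <bob2017@163.com>"],
    "legit-qq":          ["From: Alice <alice@qq.com>"],
    "no-angle-brackets": ["From: 12345678@qq.com"],
    "other-domain":      ["From: Ops <ops1234@example.com>"],
}


def verdict(name, rules_text=RULES_TEXT):
    """Postfix-style outcome for one sample message: the action, or 'DUNNO'."""
    r = check_headers(SAMPLE_MESSAGES[name], parse_rules(rules_text))
    return r[0] if r else "DUNNO"


if __name__ == "__main__":
    for name in SAMPLE_MESSAGES:
        print(f"{name:18s} -> {verdict(name)}")
```

Running it shows two properties of the rule worth knowing before it goes live: any address with four consecutive digits after the `<` is rejected, including a legitimate `bob2017@163.com`, and a bare `From: 12345678@qq.com` with no angle brackets is not matched at all because the pattern requires a `<`.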


Re: [Mailman-Users] Distributed mass subscribe attack?

2017-08-08 Thread Barry S. Finkel

On 8/8/2017 12:22 PM, David Gibbs wrote:
> Folks:
>
> Anyone else noticing a distributed mass subscribe attack going on their
> lists?
>
> I've noticed a massive number of attempts a small subset of email
> addresses, with modifiers (address+modif...@example.com), going on.
>
> It appears the address is valid ... so it appears to be some kind of hit
> job to flood someone's inbox.
>
> Luckily the address's are trivial to block using 'ban_list'.
>
> The hosts they are using appear to be from all over the place, although
> they do seem to be favoring hosts serviced by virtua.com.br.
>
> david





I would report this to mail-ab...@cert.br.

--Barry Finkel


[Mailman-Users] Distributed mass subscribe attack?

2017-08-08 Thread David Gibbs

Folks:

Anyone else noticing a distributed mass subscribe attack going on their lists?

I've noticed a massive number of attempts a small subset of email addresses, 
with modifiers (address+modif...@example.com), going on.

It appears the address is valid ... so it appears to be some kind of hit job to 
flood someone's inbox.

Luckily the addresses are trivial to block using 'ban_list'.

The hosts they are using appear to be from all over the place, although they do 
seem to be favoring hosts serviced by virtua.com.br.

david


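The attack David describes uses many variants of a few addresses (`address+modifier@`, and, as Mark notes later in the thread, Gmail local parts with dots interspersed) so that no single string repeats, while every variant lands in the same inbox. The following added example (not from the thread, and not Mailman's code) collapses those variants to one canonical mailbox and counts subscribe attempts per mailbox and per source IP, so a distributed flood aimed at one inbox stands out in the logs. It goes a little beyond the thread's specific case by honouring a set of recipient delimiters (`+` and `_`, as in Richard's Postfix setup) rather than `+` alone. The delimiter set, the dot-insensitive domain list, the Postfix-like "split at the first delimiter" rule and the sample log lines are all assumptions constructed for the example.

```python
"""Added example (not Mailman's code): canonicalise tagged and dotted
address variants and count subscribe attempts per real mailbox.
Delimiter set, domain list and the sample log format are assumptions.
"""
import re
from collections import Counter, defaultdict

DELIMITERS = "+_"                                          # assumed site policy
DOT_INSENSITIVE_DOMAINS = {"gmail.com", "googlemail.com"}  # assumed; dots ignored here


def canonical_mailbox(addr, delimiters=DELIMITERS):
    """Map user+tag@, user_tag@ and d.o.t.t.e.d@gmail variants to the
    mailbox they are actually delivered to."""
    addr = addr.strip()
    local, sep, domain = addr.rpartition("@")
    if not sep:
        return addr.lower()
    domain = domain.lower()
    # Assumed Postfix-like behaviour: cut at the first delimiter character
    # present in the local part; a leading delimiter is not a split point.
    positions = [local.find(d) for d in delimiters if local.find(d) > 0]
    if positions:
        local = local[:min(positions)]
    if domain in DOT_INSENSITIVE_DOMAINS:
        local = local.replace(".", "")
    return f"{local.lower()}@{domain}"


# Constructed log lines in an assumed "pending <address> <ip>" shape;
# adapt _LINE_RE to your own subscribe log format.
SAMPLE_LOG = """\
Aug 08 10:22:13 2017 (4001) mylist: pending victim+a1@example.com 203.0.113.5
Aug 08 10:22:14 2017 (4002) mylist: pending victim+a2@example.com 198.51.100.7
Aug 08 10:22:15 2017 (4003) mylist: pending victim_b@example.com 192.0.2.9
Aug 08 10:22:16 2017 (4004) mylist: pending v.i.c.t.i.m@gmail.com 203.0.113.44
Aug 08 10:22:17 2017 (4005) mylist: pending vic.tim+x@gmail.com 198.51.100.2
Aug 08 10:22:18 2017 (4006) mylist: pending alice@example.org 192.0.2.50
"""
_LINE_RE = re.compile(r"pending (\S+@\S+) (\d+\.\d+\.\d+\.\d+)$")


def attempts_per_mailbox(log_text):
    """Return (Counter of attempts per canonical mailbox,
               dict of canonical mailbox -> set of source IPs)."""
    counts, sources = Counter(), defaultdict(set)
    for line in log_text.splitlines():
        m = _LINE_RE.search(line)
        if not m:
            continue
        box = canonical_mailbox(m.group(1))
        counts[box] += 1
        sources[box].add(m.group(2))
    return counts, sources


def flood_targets(log_text, threshold=3, min_sources=2):
    """Mailboxes hit at least `threshold` times from at least `min_sources`
    distinct IPs: the distributed pattern David describes."""
    counts, sources = attempts_per_mailbox(log_text)
    return sorted(box for box, n in counts.items()
                  if n >= threshold and len(sources[box]) >= min_sources)


if __name__ == "__main__":
    counts, sources = attempts_per_mailbox(SAMPLE_LOG)
    for box, n in counts.most_common():
        print(f"{box:22s} {n} attempts from {len(sources[box])} IPs")
    print("flood targets:", flood_targets(SAMPLE_LOG))
```

Canonicalising before counting is also what makes a `ban_list` entry effective: one pattern on the canonical mailbox covers every tagged or dotted variant, whereas banning the literal strings seen so far only covers the variants already tried.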