Re: [Mailman-Users] Distributed mass subscribe attack?
On Aug 18, 2017, at 8:36 AM, David Gibbs wrote:
> On 8/17/17 3:47 PM, Andy Cravens wrote:
>> I forgot to mention I'm also working on a modsecurity rule to look at
>> all POSTs and reject if they contain an email address with a + sign.
>
> I'm interested in both your recaptcha mod & mod_security rule ... please
> post (or contact me privately) when you make some progress.
>
> If you're interested in my MM mod, let me know.

After reading the responses concerning the + symbol in email addresses I have decided not to block them.

What I did was to implement reCaptcha v1 using the instructions here:

https://www.dragonsreach.it/2014/05/03/adding-recaptcha-support-to-mailman/

When I first looked at this I had made several bad assumptions. I assumed you could not use the reCaptcha v2 keys with v1. The new keys work fine with v1. I had to apply the patch manually by editing the files and inserting the new code. It wasn't a big deal.

I still plan on looking at implementing v2 sometime this year if I can find some free time. I also plan on creating the modsecurity rules mentioned earlier. Another modsecurity rule I want to create is to watch for outgoing replies that indicate a failed login attempt and take action if conditions warrant. I will post my rules when I have tested and verified they work.

— Andy

--
Mailman-Users mailing list Mailman-Users@python.org
https://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: https://mail.python.org/mailman/options/mailman-users/archive%40jab.org
Re: [Mailman-Users] Distributed mass subscribe attack?
On 8/18/2017 1:52 PM, Grant Taylor via Mailman-Users wrote:
> On 08/18/2017 11:07 AM, Phil Stracchino wrote:
>> I second this. It is a legitimate part of compliant email addresses, no
>> matter how many web stores seem to believe otherwise (or are merely
>> unaware of it).
>
> I third this. I love user+detail but HATE that poorly designed web forms
> balk at +, and have been forced to do something else for user+detail like
> functionality.

I also agree with allowing the +. I run my own mail server and now that postfix allows defining more than one tag character, I've added _ so I can tag with both + and _. The sites rejecting RFC compliant addresses are very annoying.
Re: [Mailman-Users] Distributed mass subscribe attack?
On 08/18/2017 11:07 AM, Phil Stracchino wrote:
> I second this. It is a legitimate part of compliant email addresses, no
> matter how many web stores seem to believe otherwise (or are merely
> unaware of it).

I third this. I love user+detail but HATE that poorly designed web forms balk at +, and have been forced to do something else for user+detail like functionality.

--
Grant. . . .
unix || die
Re: [Mailman-Users] Distributed mass subscribe attack?
On 08/18/17 12:25, tlhackque via Mailman-Users wrote:
> On 17-Aug-17 16:47, Andy Cravens wrote:
>>
>> David,
>>
>> I forgot to mention I'm also working on a modsecurity rule to look at all
>> POSTs and reject if they contain an email address with a + sign.
>>
> I understand the drive to suppress an attack. However, + is valid in
> e-mail addresses. It's frequently used by people to set up auto-filing
> rules, and/or to track the source of addresses harvested for SPAM.
>
> I strongly discourage any service provider from defining what formats of
> e-mail addresses are acceptable. Such definitions, however
> well-intentioned, are almost always wrong - and effectively blindly deny
> service.

I second this. It is a legitimate part of compliant email addresses, no matter how many web stores seem to believe otherwise (or are merely unaware of it).

> If an address is valid per RFC822 (2822, 5322, ...), accept it.

This.

> No matter what you do, the spammers will adapt, eventually. But unless
> you're a particularly appealing target, they're likely to move on if you
> do almost anything unusual.

One of your best first lines of defense is don't be the low-hanging fruit.

--
Phil Stracchino
Babylon Communications
ph...@caerllewys.net
p...@co.ordinate.org
Landline: +1.603.293.8485
Mobile: +1.603.998.6958
Re: [Mailman-Users] Distributed mass subscribe attack?
On 17-Aug-17 16:47, Andy Cravens wrote:
>
> David,
>
> I forgot to mention I'm also working on a modsecurity rule to look at all
> POSTs and reject if they contain an email address with a + sign.
>

I understand the drive to suppress an attack. However, + is valid in e-mail addresses. It's frequently used by people to set up auto-filing rules, and/or to track the source of addresses harvested for SPAM.

I strongly discourage any service provider from defining what formats of e-mail addresses are acceptable. Such definitions, however well-intentioned, are almost always wrong - and effectively blindly deny service. We've seen this with hardcoded lists of TLDs (there'll never be more than 13. + CC TLDs. + IDN + freemarket...). And every variety of mailbox name format restriction - character set, length, "bad words", ...

If an address is valid per RFC822 (2822, 5322, ...), accept it.

But by all means use other approaches to suppress attacks. Captchas are probably your best shot. Rate limiting can help. You can use (imperfect) filtering by geolocating by IP address - if your client base doesn't include the whole world. Other tricks include telling the user to wait a minute or two before clicking submit; discard or require re-submission of early responses. Bots won't do that.

No matter what you do, the spammers will adapt, eventually. But unless you're a particularly appealing target, they're likely to move on if you do almost anything unusual.
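The "make the user wait before submitting, and discard early responses" idea from the reply above, together with David's site-specific token field name, as an added example that is not code from this thread or from Mailman itself: a signed, time-stamped hidden-field token issued on the form GET and checked on the subscribe POST. The field name, secret, list name and age thresholds are assumptions made for the illustration; Mailman's real sub_form_token works differently.

```python
import hashlib
import hmac
import time

# Assumed per-site values for this illustration; load the real secret from
# configuration, never from source.
FORM_TOKEN_FIELD = "subform_tok_example"   # site-specific field name
SECRET = b"constructed-example-secret-not-for-production"
MIN_FORM_AGE = 60      # seconds a person plausibly needs to fill the form
MAX_FORM_AGE = 3600    # tokens older than this are stale and rejected


def issue_token(listname, now=None):
    """Value for the hidden field embedded in the subscribe form on GET."""
    ts = int(now if now is not None else time.time())
    mac = hmac.new(SECRET, f"{listname}:{ts}".encode(),
                   hashlib.sha256).hexdigest()
    return f"{ts}:{mac}"


def check_token(listname, token, now=None):
    """Return (ok, reason) for a token presented with the subscribe POST."""
    now = int(now if now is not None else time.time())
    try:
        ts_str, mac = token.split(":", 1)
        ts = int(ts_str)
    except (ValueError, AttributeError):
        return False, "malformed"
    expected = hmac.new(SECRET, f"{listname}:{ts}".encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        return False, "bad-signature"    # forged, or copied from another list
    age = now - ts
    if age < MIN_FORM_AGE:
        return False, "too-fast"         # early response: discard it
    if age > MAX_FORM_AGE:
        return False, "expired"
    return True, "ok"


def handle_subscribe_post(listname, form, now=None):
    """Gate for the POST handler; form is the parsed POST body as a dict."""
    token = form.get(FORM_TOKEN_FIELD)
    if token is None:
        # A bot that still posts the stock field name never sends ours.
        return False, "missing-token"
    return check_token(listname, token, now)


if __name__ == "__main__":
    t0 = 1_700_000_000   # constructed "form fetched" time
    tok = issue_token("mylist", now=t0)
    print(handle_subscribe_post("mylist", {FORM_TOKEN_FIELD: tok}, now=t0 + 2))
    print(handle_subscribe_post("mylist", {FORM_TOKEN_FIELD: tok}, now=t0 + 90))
    print(handle_subscribe_post("mylist", {"sub_form_token": tok}, now=t0 + 90))
```

A rejected "too-fast" POST can be answered with the form again rather than an error, which is the re-submission the reply suggests and costs a real person only one extra click.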
Re: [Mailman-Users] Distributed mass subscribe attack?
On 8/17/17 3:47 PM, Andy Cravens wrote:
> I forgot to mention I'm also working on a modsecurity rule to look at all
> POSTs and reject if they contain an email address with a + sign.

I'm interested in both your recaptcha mod & mod_security rule ... please post (or contact me privately) when you make some progress.

If you're interested in my MM mod, let me know.

david

--
IBM i on Power Systems: For when you can't afford to be out of business!

I'm riding a metric century (100 km / 65 miles) in the American Diabetes Association's Tour de Cure to raise money for diabetes research, education, advocacy, and awareness. You can make a tax deductible donation to my ride by visiting http://gmane.diabetessucks.net. My goal is $6000 but any amount is appreciated. You can see where my donations come from by visiting my interactive donation map ... http://gmane.diabetessucks.net/map (it's a geeky thing).

I may have diabetes, but diabetes doesn't have me!
Re: [Mailman-Users] Distributed mass subscribe attack?
On 8/8/2017 12:22 PM, David Gibbs wrote:
> Anyone else noticing a distributed mass subscribe attack going on
> their lists?
>
> I've noticed a massive number of attempts on a small subset of email
> addresses, with modifiers (address+modif...@example.com), going on.
>
> It appears the address is valid ... so it appears to be some kind of
> hit job to flood someone's inbox.

FWIW: I did a bit of hacking (super simple) and think I've found a way to thwart the attempt (at least on my server).

It appears that the bot that's doing the attack first gets the subscribe form, so it can retrieve the sub_form_token value, before it does a POST to do the subscribe.

I changed the subscribe & listinfo scripts to use a different name for the sub_form_token field. Something unique to my system.

I've seen a lot of GETs & POSTs from the hosts that were doing the attack and no subscribes logged.

david

David,

I forgot to mention I'm also working on a modsecurity rule to look at all POSTs and reject if they contain an email address with a + sign.

— Andy
Re: [Mailman-Users] Distributed mass subscribe attack?
On 8/8/2017 12:22 PM, David Gibbs wrote:
> Anyone else noticing a distributed mass subscribe attack going on
> their lists?
>
> I've noticed a massive number of attempts on a small subset of email
> addresses, with modifiers (address+modif...@example.com), going on.
>
> It appears the address is valid ... so it appears to be some kind of
> hit job to flood someone's inbox.

"FWIW: I did a bit of hacking (super simple) and think I've found a way to thwart the attempt (at least on my server). It appears that the bot that's doing the attack first gets the subscribe form, so it can retrieve the sub_form_token value, before it does a POST to do the subscribe. I changed the subscribe & listinfo scripts to use a different name for the sub_form_token field. Something unique to my system."

I have the same issues. Thank you for the info above. I'm also working on a patch for reCaptcha V2. Don't know if I'll have it done this month.

— Andy
Re: [Mailman-Users] Distributed mass subscribe attack?
On 8/8/2017 12:22 PM, David Gibbs wrote:
> Anyone else noticing a distributed mass subscribe attack going on their
> lists?
>
> I've noticed a massive number of attempts on a small subset of email
> addresses, with modifiers (address+modif...@example.com), going on.
>
> It appears the address is valid ... so it appears to be some kind of hit
> job to flood someone's inbox.

FWIW: I did a bit of hacking (super simple) and think I've found a way to thwart the attempt (at least on my server).

It appears that the bot that's doing the attack first gets the subscribe form, so it can retrieve the sub_form_token value, before it does a POST to do the subscribe.

I changed the subscribe & listinfo scripts to use a different name for the sub_form_token field. Something unique to my system.

I've seen a lot of GETs & POSTs from the hosts that were doing the attack and no subscribes logged.

david
Re: [Mailman-Users] Distributed mass subscribe attack?
On 08/08/2017 10:22 AM, David Gibbs wrote:
>
> Anyone else noticing a distributed mass subscribe attack going on their
> lists?
>
> I've noticed a massive number of attempts on a small subset of email
> addresses, with modifiers (address+modif...@example.com), going on.
>
> It appears the address is valid ... so it appears to be some kind of hit
> job to flood someone's inbox.
>
> Luckily the addresses are trivial to block using 'ban_list'.

I've seen this on mail.python.org in the past but not recently. Both the form you mention and a local-p...@gmail.com form with dots interspersed in the local part (which gmail ignores).

I agree that it appears to be some kind of hit job to flood someone's inbox. It is this kind of attack that motivated the GLOBAL_BAN_LIST feature in MM 2.1.21.

What I've seen recently is massive non-member posts in chinese to maulman-us...@mailman3.org from addresses of the form string_of_dig...@qq.com and some at 163.com. After waking up to 2000+ held message notifications a while back, I now block these with a Postfix header_checks rule

/^From:.*<.*[0-9]{4}.*@(qq|163)\.com>/ REJECT Go away you F*ing mail bomber

I am still seeing a few from various @163.com addresses, but I am now (temporarily?) discarding non-member posts, so I only see them in logs if I look.

--
Mark Sapiro                          The highway is for gamblers,
San Francisco Bay Area, California   better use your sense - B. Dylan
Re: [Mailman-Users] Distributed mass subscribe attack?
On 8/8/2017 12:22 PM, David Gibbs wrote:
> Folks:
>
> Anyone else noticing a distributed mass subscribe attack going on their
> lists?
>
> I've noticed a massive number of attempts on a small subset of email
> addresses, with modifiers (address+modif...@example.com), going on.
>
> It appears the address is valid ... so it appears to be some kind of hit
> job to flood someone's inbox.
>
> Luckily the addresses are trivial to block using 'ban_list'.
>
> The hosts they are using appear to be from all over the place, although
> they do seem to be favoring hosts serviced by virtua.com.br.
>
> david

I would report this to mail-ab...@cert.br .

--Barry Finkel
[Mailman-Users] Distributed mass subscribe attack?
Folks:

Anyone else noticing a distributed mass subscribe attack going on their lists?

I've noticed a massive number of attempts on a small subset of email addresses, with modifiers (address+modif...@example.com), going on.

It appears the address is valid ... so it appears to be some kind of hit job to flood someone's inbox.

Luckily the addresses are trivial to block using 'ban_list'.

The hosts they are using appear to be from all over the place, although they do seem to be favoring hosts serviced by virtua.com.br.

david