On 1/3/25 5:44 PM, Mark Sapiro wrote:
Greetings. On a system running Mailman 3.3.9 and Postfix, I'm seeing
about 20-30 entries per day in the Postfix queue where it appears a
Gmail user signs up for a mailing list that requires confirmation, and
Gmail responds that the user is too busy to handle requests.
There are no publicly advertised email lists on this server, and I
don't ever see anything in the Mailman logs indicating the user ever
tried signing up.
This is an attack mail bombing the user. The requests that result in this
can come via web or email. Mailman's logging of subscribes has been
missing most events through Mailman 3.3.10. See
https://gitlab.com/mailman/mailman/-/issues/1143 which will be fixed in
3.3.11, but subscribes awaiting user confirmation still won't be logged.
However, the message with subject "Please Confirm Your Email Address"
comes from Django allauth so it isn't actually Mailman sending it but
rather Django allauth as a result of a request to sign up for a Django
account at https://mail.example3.com/accounts/signup/. You can probably
find that request in your web server logs, and you may find the user
and/or email in the Django admin UI.
Thanks VERY much for this.
No such users in the Django UI, but the web server logs have 252
attempts from 132 unique IPv4 addresses registered to different ISPs
throughout Europe.
So, even though Mailman support for more detailed logging of sub and
unsub requests would be useful, it likely would not have helped with
attacks from many source IP addresses.
Since django-mailman3 1.3.6, you can disable these signups by putting
ACCOUNT_ADAPTER = 'django_mailman3.views.user_adapter.DisableSignupAdapter'
in your Django settings, but then your users won't be able to sign up
for web accounts.
I have made this change. As for not having web accounts, this just means
new users cannot sign up to manage their Mailman settings, correct? I
presume existing web accounts will continue to work.
Thanks again!
dn
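The thread points at the web server log as the place where these signup requests show up (252 POSTs from 132 source IPs in the case above). The following script is an added example, not code from Mailman, django-mailman3 or anyone in the thread: it scans constructed access-log lines in the Apache/nginx combined format (assumed to be what fronts the Mailman 3 web UI), counts POSTs to the allauth signup URL per client IP, and reports how spread out the traffic is, which is what distinguishes this distributed bombing from a single noisy client. The log lines, IP addresses and timestamps are all made up for the example.

```python
"""Count POSTs to the Django allauth signup URL per client IP in an access log."""
import re
from collections import Counter
from datetime import datetime

# Combined log format as written by Apache and nginx (assumed front-end for the
# Mailman 3 web UI; adjust LOG_RE if your server uses a custom format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
SIGNUP_PATH = "/accounts/signup/"   # allauth signup view, as named in the thread
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log: four signup POSTs from three IPs, one GET that only
# renders the form, one unrelated POST, and one malformed line.
SAMPLE_LOG = """\
203.0.113.10 - - [03/Jan/2025:17:00:00 +0000] "POST /accounts/signup/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.10 - - [03/Jan/2025:17:20:00 +0000] "POST /accounts/signup/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [03/Jan/2025:18:00:00 +0000] "POST /accounts/signup/?next=/ HTTP/1.1" 302 0 "-" "curl/8.0"
198.51.100.8 - - [03/Jan/2025:18:05:00 +0000] "GET /accounts/signup/ HTTP/1.1" 200 4213 "-" "Mozilla/5.0"
not a log line
192.0.2.44 - - [03/Jan/2025:18:30:00 +0000] "POST /accounts/login/ HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
192.0.2.44 - - [03/Jan/2025:19:00:00 +0000] "POST /accounts/signup/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
""".splitlines()


def parse_line(line):
    """Return the fields of one log line, or None for lines that do not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def signup_attempts(lines, path=SIGNUP_PATH):
    """Return (Counter of signup POSTs per IP, earliest timestamp, latest timestamp)."""
    per_ip = Counter()
    first = last = None
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than abort the scan
        # Only a POST submits the form; a GET just renders it, so ignore GETs.
        if rec["method"] != "POST" or rec["path"].split("?", 1)[0] != path:
            continue
        per_ip[rec["ip"]] += 1
        ts = datetime.strptime(rec["ts"], TS_FORMAT)
        first = ts if first is None or ts < first else first
        last = ts if last is None or ts > last else last
    return per_ip, first, last


def summarize(lines, path=SIGNUP_PATH, top=5):
    """Summarize signup POST volume and how many distinct clients produced it."""
    per_ip, first, last = signup_attempts(lines, path)
    total = sum(per_ip.values())
    hours = ((last - first).total_seconds() / 3600) if total > 1 else 0.0
    return {
        "attempts": total,
        "unique_ips": len(per_ip),
        # Many IPs each making only a few requests is the signature of the
        # distributed bombing in the thread; a per-IP rate limit would not see it.
        "max_per_ip": max(per_ip.values(), default=0),
        "attempts_per_hour": (total / hours) if hours > 0 else float(total),
        "top": per_ip.most_common(top),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

On a real server, feed `summarize()` the lines of the access log; a high `attempts` count with a low `max_per_ip` is exactly the pattern where blocking individual addresses would not have helped, and disabling the signup view (as done in the thread) is the effective control.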
_______________________________________________
Mailman-users mailing list -- mailman-users@mailman3.org
To unsubscribe send an email to mailman-users-le...@mailman3.org
https://lists.mailman3.org/mailman3/lists/mailman-users.mailman3.org/
Archived at:
https://lists.mailman3.org/archives/list/mailman-users@mailman3.org/message/GPPA6D4QYJSIX7RLHYUC6OJC2W35YFGS/