Hi,

Not sure if this is the best place to mention this, but…

Since yesterday I've been seeing a large number of attempted subscriptions to all the public lists on one of my Mailman servers. There have so far been 160 attempted subscriptions for 69 unique email addresses. These addresses never complete the process to sign up, and indeed email delivery to many of these addresses is currently temporarily rejected as they are receiving emails at too high a rate.

It seems a botnet is being used as I have never seen the same IP address twice. Another Mailman operator has confirmed seeing the same thing. Therefore I think it is an attack on these addresses.

All of the subscription requests are coming in with a UserAgent of "axios/0.19.2". I have for now blocked this in my web server:

    # Return 403 for any request under /mailman whose User-Agent starts with "axios/"
    <Location /mailman>
        RewriteEngine on
        RewriteCond %{HTTP_USER_AGENT} ^axios/.*$
        RewriteRule . - [R=403,L]
    </Location>

If you operate a public Mailman server could you have a look to see if you are seeing the same? You'll find the evidence in /var/log/mailman/subscribe.

Example (recipient addresses md5'd):

    # Last five pending requests, address replaced by its MD5, list name censored
    $ awk '/pending/ { cmd="printf \"%s\" " $8 " | md5sum"; cmd | getline $8; close(cmd); sub(/.*/, "[list name censored]", $6); print}' /var/log/mailman/subscribe | tail -5
    Aug 19 09:05:56 2020 (21116) [list name censored] pending a07afd1bfcfa887cca02771a79189431 - 172.84.98.53
    Aug 19 09:05:57 2020 (21122) [list name censored] pending a07afd1bfcfa887cca02771a79189431 - 184.174.11.53
    Aug 19 09:05:57 2020 (21124) [list name censored] pending a07afd1bfcfa887cca02771a79189431 - 185.202.170.223
    Aug 19 09:06:09 2020 (21177) [list name censored] pending ebe3c108d3f41d87f6456b6d4359c823 - 172.84.102.36
    Aug 19 09:08:39 2020 (21565) [list name censored] pending 0936c0d3b570f0845537de1eb9789a37 - 66.78.3.85

All recipient addresses (before I began blocking UserAgent):

    # Number of pending requests per MD5'd recipient address, highest count first
    $ awk '/pending/ { cmd="printf \"%s\" " $8 " | md5sum"; cmd | getline $8; close(cmd); print $8 }' /var/log/mailman/subscribe | sort | uniq -c | sort -rn

Cheers,
Andy

_______________________________________________
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
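
Added example, not part of the original message or of Mailman: the same check over the subscribe log in Python, hashing each address in-process rather than building a shell command from logged, requester-supplied addresses, and flagging addresses with several pending requests that each came from a different IP. The line layout is inferred from the sample output in the message; the sample lines, list names and function names are constructed for illustration.

```python
import hashlib
import re
from collections import defaultdict

# Assumed layout, inferred from the sample output in the post:
#   Mon DD HH:MM:SS YYYY (pid) listname: pending address  source-ip
PENDING = re.compile(
    r"^\w{3} +\d+ [\d:]{8} \d{4} \(\d+\) (?P<list>\S+?):? +pending +"
    r"(?P<addr>\S+) +(?P<ip>\S+)\s*$"
)

# Constructed sample lines (documentation domains and IP ranges only).
SAMPLE = """\
Aug 19 09:05:56 2020 (21116) list-a: pending victim@example.com  192.0.2.10
Aug 19 09:05:57 2020 (21122) list-b: pending victim@example.com  198.51.100.7
Aug 19 09:05:57 2020 (21124) list-c: pending victim@example.com  203.0.113.99
Aug 19 09:06:09 2020 (21177) list-a: pending alice@example.org  192.0.2.44
Aug 19 09:07:00 2020 (21200) list-a: new bob@example.net, admin mass sub
""".splitlines()

def pseudonym(addr):
    """MD5 hex digest of the address, same value as printf %s addr | md5sum."""
    return hashlib.md5(addr.encode("utf-8")).hexdigest()

def summarize(lines):
    """Per pseudonymised address: request count, lists hit, distinct source IPs."""
    stats = defaultdict(lambda: {"requests": 0, "lists": set(), "ips": set()})
    for line in lines:
        m = PENDING.match(line)
        if not m:
            continue  # anything that is not a pending subscription request
        s = stats[pseudonym(m["addr"])]
        s["requests"] += 1
        s["lists"].add(m["list"])
        s["ips"].add(m["ip"])
    return dict(stats)

def distributed_targets(stats, min_requests=3):
    """Addresses hit >= min_requests times where no source IP was ever reused."""
    return sorted(h for h, s in stats.items()
                  if s["requests"] >= min_requests and len(s["ips"]) == s["requests"])

if __name__ == "__main__":
    stats = summarize(SAMPLE)
    for h in distributed_targets(stats):
        s = stats[h]
        print(h, s["requests"], "requests,", len(s["lists"]), "lists,", len(s["ips"]), "IPs")
```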