[183119] in North American Network Operators' Group
Re: Data Center operations mail list?
daemon@ATHENA.MIT.EDU (Jim Popovitch)
Fri Aug 14 15:19:30 2015
X-Original-To: nanog@nanog.org
In-Reply-To: <55CBE688.20802@daa.com.au>
Date: Fri, 14 Aug 2015 15:16:15 -0400
From: Jim Popovitch <jimpop@gmail.com>
To: Phill Twiss <phill@daa.com.au>, Rafael Possamai <rafael@gav.ufsc.br>,
Robert Webb <rwebb@ropeguru.com>
Cc: nanog <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org
On Wed, Aug 12, 2015 at 8:36 PM, Phill Twiss <phill@daa.com.au> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> De-lurking
>
> Hi Rafael and everyone else :} ( sorry for the cross-post )
>
> You should really have captchas configured for your mailman lists
>
> Some shady actors out there are using mailman lists to target certain
> email addresses. It's a pretty dumb attack, but it's annoying :}
>
> The target will be hit by hundreds ( if not thousands ) of subscribe
> confirmation requests.
>
> We changed to captchas a month or more ago; we still get an average
> of 300 odd IPs trying to do this in a period of a few hours.
>
> Keep an eye out in your logfiles for some of the strings below ( they
> all seem to try to use the same password ). If you have any issues
> with getting captchas to work properly, drop me an email :}
>
> Below is a sanitised ( list name and target ) entry from the Apache
> logs ( the IP is real, screw em :} )
>
> 64.234.104.150 - - [13/Aug/2015:08:15:54 +0800] "GET
> /mailman/subscribe/<<Sanitised list name >>?email=<< Sanitised_TARGET >>@YAHOO.COM&fullname=&pw=123456789&pw-conf=123456789&language=en&digest=0&email-button=Subscribe
> HTTP/1.1"
> 301 801 "http://tools.vietche.biz/Boom/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0"
That's a very old (in Internet Years) Mailman problem that was solved
with session cookies in v2.1.16 (16-Oct-2013). If you're still
paranoid, and don't want to piss your users off with privacy leaking
captcha, then just set up some referer checking in your apache or
nginx configs:
Apache:

    # Prevent subscription request spam: only honour subscribe requests
    # whose Referer is our own list server.
    SetEnvIf Referer lists\.example\.com localreferer
    <Location /mailman/subscribe>
        Order deny,allow
        Deny from all
        Allow from env=localreferer
    </Location>

Nginx:

    # Same idea: valid_referers accepts the server_names of this vhost,
    # anything else (including a missing Referer) sets $invalid_referer.
    location /mailman/subscribe {
        valid_referers server_names;
        if ($invalid_referer) { return 403; }
    }
-Jim P.
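The two posts above describe both what the subscribe-bombing looks like in the access log (many source IPs, one target address, the same password string on every request) and the referer-based filter that blocks it. The script below is an added example, not code from either poster or from Mailman: it applies that same referer test to Apache combined-format log lines after the fact, so an operator can see how many requests the filter would have rejected and which targets and passwords recur. The log lines, the `lists.example.com` host and the `attacker-tools.example` referer are constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlparse

# Constructed sample lines in Apache "combined" format. IPs are RFC 5737
# documentation addresses; hosts, list names and the target are made up.
SAMPLE_LOG = """\
192.0.2.10 - - [13/Aug/2015:08:15:54 +0800] "GET /mailman/subscribe/mylist?email=victim@example.net&fullname=&pw=123456789&pw-conf=123456789&language=en&digest=0&email-button=Subscribe HTTP/1.1" 301 801 "http://attacker-tools.example/Boom/" "Mozilla/5.0"
192.0.2.11 - - [13/Aug/2015:08:15:55 +0800] "GET /mailman/subscribe/mylist?email=victim@example.net&fullname=&pw=123456789&pw-conf=123456789&language=en&digest=0&email-button=Subscribe HTTP/1.1" 301 801 "http://attacker-tools.example/Boom/" "Mozilla/5.0"
198.51.100.7 - - [13/Aug/2015:09:01:02 +0800] "POST /mailman/subscribe/mylist HTTP/1.1" 200 1203 "https://lists.example.com/mailman/listinfo/mylist" "Mozilla/5.0"
203.0.113.5 - - [13/Aug/2015:09:05:12 +0800] "GET /mailman/listinfo/mylist HTTP/1.1" 200 5402 "-" "Mozilla/5.0"
192.0.2.12 - - [13/Aug/2015:09:10:00 +0800] "GET /mailman/subscribe/otherlist?email=victim@example.net&pw=123456789&pw-conf=123456789&email-button=Subscribe HTTP/1.1" 301 801 "-" "Mozilla/5.0"
"""

# Hosts that serve our own listinfo pages; a Referer from anywhere else
# (or no Referer at all) is treated exactly as the Apache/Nginx rules do.
LOCAL_HOSTS = {"lists.example.com"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def referer_is_local(referer, local_hosts):
    """True only when the Referer names one of our own hosts; '-' or empty is not local."""
    if referer in ("", "-"):
        return False
    return urlparse(referer).hostname in local_hosts


def subscribe_params(path):
    """Query parameters of a /mailman/subscribe/<list> request as a flat dict."""
    return {k: v[0] for k, v in parse_qs(urlparse(path).query).items()}


def analyze(log_text, local_hosts):
    """Flag subscribe requests that the referer filter would reject and summarise them."""
    flagged = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith("/mailman/subscribe"):
            continue
        if referer_is_local(rec["referer"], local_hosts):
            continue
        params = subscribe_params(rec["path"])
        flagged.append({
            "ip": rec["ip"],
            "target": params.get("email", "").lower(),
            "pw": params.get("pw", ""),
            "referer": rec["referer"],
        })
    return {
        "flagged": len(flagged),
        "ips": sorted({f["ip"] for f in flagged}),
        "targets": Counter(f["target"] for f in flagged),
        "passwords": Counter(f["pw"] for f in flagged),
        "referers": Counter(f["referer"] for f in flagged),
    }


if __name__ == "__main__":
    summary = analyze(SAMPLE_LOG, LOCAL_HOSTS)
    print(f"{summary['flagged']} subscribe requests would be rejected")
    print("source IPs:", ", ".join(summary["ips"]))
    for label in ("targets", "passwords", "referers"):
        for value, n in summary[label].most_common():
            print(f"  {label[:-1]} {value!r}: {n}")
```

Run against a real access log with `analyze(open(path).read(), {"your.list.host"})`; a single target address and a single password shared across many source IPs is the signature Phill describes, while the `referers` counter shows whether the filter Jim suggests would have caught all of them (requests with no Referer at all are rejected too, which is the one side effect of that filter worth knowing about for legitimate users who strip Referer headers).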