nanog mailing list archives

Re: Data Center operations mail list?


From: Jim Popovitch <jimpop () gmail com>
Date: Fri, 14 Aug 2015 15:16:15 -0400

On Wed, Aug 12, 2015 at 8:36 PM, Phill Twiss <phill () daa com au> wrote:

De-lurking

Hi Rafael and everyone else :} (sorry for the cross-post)

        You should really have captchas configured for your Mailman lists.

        Some shady actors out there are using Mailman lists to target certain
email addresses.  It's a pretty dumb attack, but it's annoying :}

        The target will be hit by hundreds ( if not thousands ) of subscribe
confirmation requests.

        We changed to captchas a month or more ago; we still get an average
of 300-odd IPs trying to do this in a period of a few hours.

        Keep an eye out in your logfiles for some of the strings below (they
all seem to try to use the same password). If you have any issues
with getting captchas to work properly, drop me an email :}

        Below is a sanitised (list name and target) entry from the Apache
logs (the IP is real, screw 'em :})

64.234.104.150 - - [13/Aug/2015:08:15:54 +0800] "GET /mailman/subscribe/<<Sanitised list name >>?email=<< Sanitised_TARGET@YAHOO.COM&fullname=&pw=123456789&pw-conf=123456789&language=en&digest=0&email-button=Subscribe HTTP/1.1" 301 801 "http://tools.vietche.biz/Boom/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0"

That's a very old (in Internet years) Mailman problem that was solved
with session cookies in v2.1.16 (16-Oct-2013).  If you're still
paranoid, and don't want to piss your users off with privacy-leaking
captchas, then just set up some Referer checking in your Apache or
nginx configs:

Apache:

    # Prevent subscription request spam: only accept subscribe requests
    # whose Referer names our own list server.
    SetEnvIf Referer lists\.example\.com localreferer
    <Location /mailman/subscribe>
        # Apache 2.2-style access control (mod_access_compat on 2.4);
        # the 2.4-native equivalent is "Require env localreferer".
        Order deny,allow
        Deny from all
        Allow from env=localreferer
    </Location>

nginx:

    location /mailman/subscribe {
        # Referer must match one of this server's server_name values;
        # anything else (including a missing Referer) sets $invalid_referer.
        valid_referers server_names;
        if ($invalid_referer) { return 403; }
    }


-Jim P.
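A log-side check to go with the config above, added here as an example rather than anything posted in the thread. It parses combined-format access log lines and flags the shape Phill's entry shows: the subscribe form submitted as a GET with the fields in the query string, from an off-site (or absent) Referer, then groups hits per target address so the "hundreds of IPs against one victim" pattern stands out. The heuristic, the list names, the victim address, and the RFC 5737 source addresses in the sample log are mine; only the bot's Referer URL comes from the real log line quoted above.

```python
"""Flag Mailman subscribe-request spam in a combined-format access log."""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Apache/nginx "combined" log format; referer and user-agent are optional so
# plain "common" format lines still parse.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?'
)
SUBSCRIBE_RE = re.compile(r'^/mailman/subscribe/(?P<list>[^/?]+)/?$')


def parse_line(line):
    """Return the log fields as a dict (plus split path and query), or None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec['target'])
    rec['path'] = parts.path
    # First value per key; keep_blank_values so "fullname=" is still visible.
    rec['query'] = {k: v[0] for k, v in
                    parse_qs(parts.query, keep_blank_values=True).items()}
    return rec


def classify(rec, own_hosts):
    """Return (list_name, target_email) when a record looks like the spam
    pattern, else None.  Heuristic (mine, not Mailman's): the subscribe form
    arrives as a GET with the fields in the query string (the real listinfo
    form POSTs) and the Referer is off-site or absent.  A missing Referer is
    treated as off-site, matching what the Apache/nginx snippets do."""
    if rec is None or rec['method'] != 'GET':
        return None
    pm = SUBSCRIBE_RE.match(rec['path'])
    email = rec['query'].get('email')
    if not pm or not email:
        return None
    referer = rec.get('referer') or '-'
    ref_host = urlsplit(referer).hostname if referer != '-' else None
    if ref_host in own_hosts:
        return None
    return pm.group('list'), email.lower()


def summarize(lines, own_hosts, min_sources=3):
    """Group flagged requests by target address and keep the targets that were
    hit from at least min_sources distinct IPs.  Passwords and referers are
    collected because the bots reuse one value across the whole run."""
    by_target = defaultdict(lambda: {'ips': set(), 'lists': set(),
                                     'passwords': set(), 'referers': set()})
    for line in lines:
        rec = parse_line(line)
        hit = classify(rec, own_hosts)
        if hit is None:
            continue
        list_name, email = hit
        entry = by_target[email]
        entry['ips'].add(rec['ip'])
        entry['lists'].add(list_name)
        entry['passwords'].add(rec['query'].get('pw', ''))
        entry['referers'].add(rec.get('referer') or '-')
    return {t: e for t, e in by_target.items() if len(e['ips']) >= min_sources}


# Constructed sample log (RFC 5737 addresses, hypothetical list names and
# victim address); only the Referer on the first two lines is from the real
# entry quoted in the thread.  Lines 4 and 5 are legitimate traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [13/Aug/2015:08:15:54 +0800] "GET /mailman/subscribe/ops-list?email=victim@example.com&fullname=&pw=123456789&pw-conf=123456789&language=en&digest=0&email-button=Subscribe HTTP/1.1" 301 801 "http://tools.vietche.biz/Boom/" "Mozilla/5.0"
192.0.2.11 - - [13/Aug/2015:08:15:55 +0800] "GET /mailman/subscribe/ops-list?email=victim@example.com&fullname=&pw=123456789&pw-conf=123456789&language=en&digest=0&email-button=Subscribe HTTP/1.1" 301 801 "http://tools.vietche.biz/Boom/" "Mozilla/5.0"
198.51.100.7 - - [13/Aug/2015:08:16:02 +0800] "GET /mailman/subscribe/other-list?email=VICTIM@example.com&pw=123456789&pw-conf=123456789 HTTP/1.1" 301 801 "-" "curl/7.43.0"
203.0.113.5 - - [13/Aug/2015:09:00:00 +0800] "POST /mailman/subscribe/ops-list HTTP/1.1" 200 2451 "https://lists.example.com/mailman/listinfo/ops-list" "Mozilla/5.0"
203.0.113.9 - - [13/Aug/2015:09:01:10 +0800] "GET /mailman/listinfo/ops-list HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""


if __name__ == '__main__':
    for target, info in summarize(SAMPLE_LOG.splitlines(), {'lists.example.com'}).items():
        print(target, len(info['ips']), 'IPs', sorted(info['lists']), sorted(info['passwords']))
```

Two caveats worth keeping in mind when you deploy either of Jim's snippets. Both deny a request that carries no Referer at all: `SetEnvIf` never matches an absent header, and nginx's `valid_referers` only treats a missing header as valid if `none` is listed, so users whose browser or extension strips Referer will be locked out unless you add `none` (nginx) or an explicit match for an empty Referer (Apache). And Referer is client-controlled; the check stops this bot only because it sends its own Referer, which is why the per-target source-IP count above is the more durable signal.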

