[SAC] Subscription flood at finland list

Hi,

I manage the osgeo finland list with Pekka Sarkola. During the last 24 hours there have been over one hundred subscription attempts to the list from email addresses which are more or less obviously fake.

I think the flood started with an email

> I think I am being maliciously added to your list
>
> Sent from my iPad

from "Michael Brock" (mikeandjanet@icloud.com), who was not subscribed when I looked at the list membership. I did not reply to that email.

I've so far discarded all requests and permanently banned the addresses from the list.

I'm thinking about temporarily disabling subscriptions - is it possible? I'm getting subscription requests sporadically every 10 minutes or so.

I've just set the subscription to require both confirm and approve - maybe that helps, I'm not sure.

Has anybody experience with this kind of issue?

Best,

Ari


Hi Ari,

On Tue, Nov 24, 2015 at 11:18 PM, Ari Jolma <ari.jolma@gmail.com> wrote:

Hi,

I manage the osgeo finland list with Pekka Sarkola. During the last 24 hours
there have been over one hundred subscription attempts to the list from email
addresses which are more or less obviously fake.

Yes, I see them in the logs.

They use some mailman hole I believe:

lists_ssl_access.log:14.177.51.185 - - [24/Nov/2015:06:55:01 -0800] "GET /mailman/subscribe/fdo-commits?email=nnstrawberry03@hotmail.com&fullname=&pw=123456789&pw-conf=123456789&language=en&digest=0&email-button=Subscribe HTTP/1.1" 200 1101 "http://50.87.144.16/~timvui/boom/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:42.0) Gecko/20100101 Firefox/42.0"
...
(several thousand log entries like that).

I have now tuned my fail2ban filter for that. According to

tail -f /var/log/apache2/lists_ssl_access.log
and
tail -f /var/log/fail2ban.log

it works now:

2015-11-25 00:24:25,743 fail2ban.actions[3142]: WARNING [apache-mailman] Ban 42.118.196.185
2015-11-25 00:24:25,752 fail2ban.actions[3142]: WARNING [apache-mailman] Ban 14.215.227.66
2015-11-25 00:24:25,760 fail2ban.actions[3142]: INFO [apache-mailman] 42.118.196.185 already banned
2015-11-25 00:24:26,762 fail2ban.actions[3142]: INFO [apache-mailman] 42.118.196.185 already banned
...

Let me know if the mess continues. We are under some attack at the moment,
also on the Wiki site.

Best
Markus

--
http://consulting.neteler.org
http://gis.cri.fmach.it/neteler/
http://courses.neteler.org/blog
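An added example, not code from this thread or from the OSGeo fail2ban setup, of the detection logic a filter like the one Markus describes expresses: it parses Apache access-log lines for requests to Mailman's subscribe CGI and reports hosts that exceed a rate threshold, the same sliding-window idea as fail2ban's maxretry/findtime. The hosts, addresses, referer and thresholds in the sample log are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs

# Matches an Apache combined-log request to Mailman's subscribe CGI, whether the
# form fields arrive in the query string (as in the flood above) or via POST.
SUBSCRIBE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>GET|POST) /mailman/subscribe/(?P<list>[^/?\s"]+)'
    r'(?:\?(?P<qs>[^\s"]*))? [^"]*" (?P<status>\d{3})'
)

def parse_subscribe_hits(log_text):
    """Return (host, timestamp, list, email) for every subscribe request."""
    hits = []
    for line in log_text.splitlines():
        m = SUBSCRIBE_RE.match(line)
        if not m:
            continue  # listinfo pages, archives etc. are not subscribe attempts
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        email = parse_qs(m.group("qs") or "").get("email", [None])[0]
        hits.append((m.group("host"), ts, m.group("list"), email))
    return hits

def offenders(log_text, maxretry=5, findtime=600):
    """fail2ban-style sliding window: a host with `maxretry` subscribe requests
    inside `findtime` seconds is returned with the time it would be banned."""
    window = timedelta(seconds=findtime)
    recent, banned = defaultdict(list), {}
    for host, ts, _lst, _email in sorted(parse_subscribe_hits(log_text), key=lambda h: h[1]):
        if host in banned:
            continue  # fail2ban reports these as "already banned"
        recent[host] = [t for t in recent[host] if ts - t <= window] + [ts]
        if len(recent[host]) >= maxretry:
            banned[host] = ts
    return banned

# Constructed sample log (hosts, addresses, referer are made up): six bot
# subscriptions from one host in six seconds, then one legitimate POST subscribe.
def _line(host, sec, method, path, referer="-"):
    return (f'{host} - - [24/Nov/2015:06:55:{sec:02d} -0800] "{method} {path} HTTP/1.1" '
            f'200 1101 "{referer}" "Mozilla/5.0"')
BOT_QS = "?email=bot{n}@example.net&fullname=&pw=123456789&pw-conf=123456789&language=en&digest=0&email-button=Subscribe"
SAMPLE_LOG = "\n".join(
    [_line("203.0.113.7", n, "GET", "/mailman/subscribe/fdo-commits" + BOT_QS.format(n=n),
           "http://203.0.113.99/boom/") for n in range(6)]
    + [_line("198.51.100.9", 30, "POST", "/mailman/subscribe/fdo-commits"),
       _line("198.51.100.9", 31, "GET", "/mailman/listinfo/fdo-commits")]
)
```

Calling `offenders(SAMPLE_LOG)` reports only the bot host; the single legitimate subscription stays below the threshold.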

Hi,

Thanks! It seems the flood is now over. We might clean the list with Ari later on (manually, about 10+ false emails).

Rgs,

Pekka


Pekka Sarkola
Gispo Oy
pekka.sarkola@gispo.fi - GSM +358 40 725 2042
www.gispo.fi - www.paikkatieto.com