[SAC] Subscription flood at finland list

Markus Neteler neteler at osgeo.org
Wed Nov 25 00:28:32 PST 2015


Hi Ari,

On Tue, Nov 24, 2015 at 11:18 PM, Ari Jolma <ari.jolma at gmail.com> wrote:
> Hi,
>
> I manage the osgeo finland list with Pekka Sarkola. During the last 24 hours
> there has been over one hundred subscription attempts to the list from email
> addresses, which are more or less obviously fake.

Yes, I see them in the logs.

They use some mailman hole I believe:

lists_ssl_access.log:14.177.51.185 - - [24/Nov/2015:06:55:01 -0800] "GET /mailman/subscribe/fdo-commits?email=nnstrawberry03 at hotmail.com&fullname=&pw=123456789&pw-conf=123456789&language=en&digest=0&email-button=Subscribe HTTP/1.1" 200 1101 "http://50.87.144.16/~timvui/boom/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:42.0) Gecko/20100101 Firefox/42.0"
...
(several thousand log entries like that).

I have now tuned my fail2ban filter for that. According to

tail -f /var/log/apache2/lists_ssl_access.log
and
tail -f /var/log/fail2ban.log

it works now:

2015-11-25 00:24:25,743 fail2ban.actions[3142]: WARNING [apache-mailman] Ban 42.118.196.185
2015-11-25 00:24:25,752 fail2ban.actions[3142]: WARNING [apache-mailman] Ban 14.215.227.66
2015-11-25 00:24:25,760 fail2ban.actions[3142]: INFO [apache-mailman] 42.118.196.185 already banned
2015-11-25 00:24:26,762 fail2ban.actions[3142]: INFO [apache-mailman] 42.118.196.185 already banned
...

Let me know if the mess continues. We are under some attack at time,
also the Wiki site.

Best
Markus

--
http://consulting.neteler.org
http://gis.cri.fmach.it/neteler/
http://courses.neteler.org/blog
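
An added example, not part of the original message and not the fail2ban filter it mentions: a small detector for the request pattern in the log excerpt above, a subscription sent as a GET with the address in the query string, counted per source IP. The threshold and the sample lines are assumptions; the samples are constructed and use documentation IP ranges and example.com addresses.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Apache "combined" format: host ident user [time] "request" status size "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'\d{3} \S+ "[^"]*" "[^"]*"$'
)

def is_get_subscribe(method, target):
    """True for a subscription sent as a GET query string (the pattern in the log above)."""
    parts = urlsplit(target)
    if method != "GET" or not parts.path.startswith("/mailman/subscribe/"):
        return False
    # keep_blank_values so that an empty "email=" still counts as an attempt
    return "email" in parse_qs(parts.query, keep_blank_values=True)

def flag_sources(lines, threshold=3):
    """Return {ip: hits} for sources with at least `threshold` GET subscriptions.
    The threshold is an assumed value; tune it to the site's normal traffic."""
    hits = Counter()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m and is_get_subscribe(m["method"], m["target"]):
            hits[m["ip"]] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}

def _sub(ip, list_name, addr):
    """Build one constructed log line shaped like the entry quoted in the message."""
    return (f'{ip} - - [24/Nov/2015:06:55:01 -0800] "GET /mailman/subscribe/{list_name}'
            f'?email={addr}&fullname=&pw=x&pw-conf=x&language=en&digest=0'
            f'&email-button=Subscribe HTTP/1.1" 200 1101 "http://198.51.100.7/page/" "Mozilla/5.0"')

# Constructed sample input: one noisy source, one single hit, two unrelated requests.
SAMPLE = [
    _sub("192.0.2.10", "fdo-commits", "a1@example.com"),
    _sub("192.0.2.10", "finland", "a2@example.com"),
    _sub("192.0.2.10", "finland", "a3@example.com"),
    _sub("192.0.2.44", "finland", "b1@example.com"),
    '203.0.113.5 - - [24/Nov/2015:06:56:10 -0800] "GET /mailman/listinfo/finland HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [24/Nov/2015:06:56:30 -0800] "POST /mailman/subscribe/finland HTTP/1.1" 200 1101 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, n in sorted(flag_sources(SAMPLE).items()):
        print(f"{ip} {n} GET subscriptions")
```

Counting across all lists rather than per list matters here, because the quoted entry targets fdo-commits while the report came from the finland list.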

