[SAC] Fwd: [support.osuosl.org #25425] Fwd: Spam complaint from UOL [1MY7c3U8E51rj2r06Bu]

Alex M tech_dev at wildintellect.com
Thu Mar 17 11:17:30 PDT 2016


Can someone handle this on the mailman configuration? Sounds like it can
reduce a lot of the bot subscription requests. I can put this info in a
ticket if needed.

Thanks,
Alex


-------- Forwarded Message --------
Subject: [support.osuosl.org #25425] Fwd: Spam complaint from UOL
[1MY7c3U8E51rj2r06Bu]
Date: Thu, 17 Mar 2016 11:14:54 -0700
From: Justin Dugger via RT <support at osuosl.org>
Reply-To: support at osuosl.org
CC: tech at wildintellect.com

OSGEO,

Attached below is one of many reports we've gotten regarding mailman
subscriptions. It's come to my attention that these are not misfiled,
but part of a systemic harassment tool[1] that floods target inboxes.
The key feature these tools rely on is sending email with a destination
specified in an HTTP GET parameter, without form validation.

Mailman 2.1.16 added an XSRF token config setting called
SUBSCRIBE_FORM_SECRET, but it is disabled by default. It does not appear
lists.osgeo.org has this set, and as a result, jQuery GET requests can
send subscription requests ad nauseam to targets. You can easily verify
this yourself by reviewing HTTP logs containing /mailman/subscribe, and
examining the referrer URLs. Once the setting is deployed, I have found
msapiro's list_pending script[2] useful for tracking the number of
subscriptions pending.

Please review your mailman settings and define a SUBSCRIBE_FORM_SECRET
string in mm_cfg.py, to prevent malicious and unsolicited subscription
requests.

-- 
Justin Dugger
Senior System Administrator
OSU Open Source Lab


[1]: several examples:
https://www.google.com/?gws_rd=ssl#q=%22Auto+Suscribe+Email%22
[2]: https://www.msapiro.net/scripts/list_pending

On Tue Aug 04 12:53:57 2015, dsu at nero.net wrote:
> 
> Attached are spam complaints regarding host(s) you are responsible
> for.
> Please investigate and follow up to abuse at nero.net
> and the original complainant (if requested in the attached email) once
> you have taken appropriate actions.
> 
> -------- Forwarded Message --------
> Subject: 	Spam complaint from UOL [1MY7c3U8E51rj2r06Bu]
> Date: 	Tue, 4 Aug 2015 06:46:02 -0700
> From: 	abuse-auto at support.juno.com
> To: 	abuse at nero.net
> 
> This is an email abuse report for an email message received from IP
> 140.211.15.134 on 3 Aug 2015
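The log review suggested in the forwarded message (requests to /mailman/subscribe whose Referer is not the list server itself), as an added example that is not part of this thread or of Mailman: it assumes Apache "combined" log format, uses constructed sample lines, and treats lists.osgeo.org as the only expected Referer host.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample lines in Apache "combined" log format; not real lists.osgeo.org traffic.
SAMPLE_LOG = """\
198.51.100.7 - - [17/Mar/2016:10:01:02 -0700] "POST /mailman/subscribe/sac HTTP/1.1" 200 2210 "http://lists.osgeo.org/mailman/listinfo/sac" "Mozilla/5.0"
203.0.113.9 - - [17/Mar/2016:10:01:05 -0700] "GET /mailman/subscribe/sac?email=target%40example.org HTTP/1.1" 200 2210 "http://bad.example.net/flood.html" "Mozilla/5.0"
203.0.113.9 - - [17/Mar/2016:10:01:06 -0700] "GET /mailman/subscribe/qgis-user?email=target%40example.org HTTP/1.1" 200 2210 "http://bad.example.net/flood.html" "Mozilla/5.0"
198.51.100.8 - - [17/Mar/2016:10:02:00 -0700] "GET /mailman/listinfo/sac HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
203.0.113.10 - - [17/Mar/2016:10:03:00 -0700] "GET /mailman/subscribe/sac?email=target%40example.org HTTP/1.1" 200 2210 "-" "curl/7.47.0"
"""

# One combined-format line: ip ident user [time] "method path proto" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Return the fields of one log line as a dict, or None if it is not combined format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def offsite_subscribe_requests(log_text, own_hosts):
    """Subscribe requests whose Referer is absent or not one of own_hosts (lowercase hostnames).
    Each hit is (client_ip, method, path_without_query, referer_host_or_"(none)").
    A real user arrives from the list's own listinfo page; anything else deserves a closer look."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith("/mailman/subscribe"):
            continue
        ref_host = urlsplit(rec["referer"]).hostname if rec["referer"] != "-" else None
        if ref_host is None or ref_host.lower() not in own_hosts:
            hits.append((rec["ip"], rec["method"], rec["path"].split("?", 1)[0], ref_host or "(none)"))
    return hits

def referer_summary(log_text, own_hosts):
    """Count off-site subscribe requests per (referer_host, list name) so repeat sources stand out."""
    counts = Counter()
    for _ip, _method, path, ref_host in offsite_subscribe_requests(log_text, own_hosts):
        counts[(ref_host, path.rsplit("/", 1)[-1])] += 1
    return counts

if __name__ == "__main__":
    for (host, listname), n in referer_summary(SAMPLE_LOG, {"lists.osgeo.org"}).most_common():
        print(f"{n:4d}  list={listname:<12} referer={host}")
```

A missing or off-site Referer is an indicator, not proof, since clients may suppress or alter the header; the durable fix remains the SUBSCRIBE_FORM_SECRET token the message asks for.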


