Abusive user creation - ideas for mitigating
Hi,
My mailman3.auth_users table contains 131 rows, of which 113 were created in the last week. All of these users have a 10 character long random string of lowercase letters as their chosen username. Their email addresses are all over the place.
I only noticed this was happening because an unusual number of the subscription confirmation messages were bouncing back to me as postmaster, and I saw the unlikely user names.
I matched up some of the date_joined timings with logs of HTTP POST to /mailman/accounts/signup and every single one so far was a unique IP address. So I am not going to get very far with firewalling.
Does anyone have any suggestions what I can do to avoid this? Specifically what I would like to avoid is sending a confirmation email to these potentially innocent addresses.
…
Hmm, actually I've just noticed that all of them are Tor exit nodes.
Looks like I could probably autogenerate an Apache ACL that lists all Tor exit nodes and bans them from posting to /mailman/accounts/signup.
Thanks, Andy
On Thu, Oct 31, 2024 at 03:30:09AM +0000, Andy Smith wrote:
> Looks like I could probably autogenerate an Apache ACL that lists all Tor exit nodes and bans them from posting to /mailman/accounts/signup.
$ wget -qO - 'https://www.dan.me.uk/torlist/?exit' | sed 's/^/Require not ip /' | sudo tee /etc/apache2/tor-exit-list.conf >/dev/null
# Block access to the signup form from Tor exit nodes.
<Location /mailman/accounts/signup>
<RequireAll>
Require all granted
Include /etc/apache2/tor-exit-list.conf
</RequireAll>
</Location>
Haven't worked out how to restrict it to POST method only yet, and updating the list robustly is a job for tomorrow…
Thanks, Andy
On 10/31/24 04:59, Andy Smith wrote:
> On Thu, Oct 31, 2024 at 03:30:09AM +0000, Andy Smith wrote:
> > Looks like I could probably autogenerate an Apache ACL that lists all Tor exit nodes and bans them from posting to /mailman/accounts/signup.
> $ wget -qO - 'https://www.dan.me.uk/torlist/?exit' | sed 's/^/Require not ip /' | sudo tee /etc/apache2/tor-exit-list.conf >/dev/null
> # Block access to the signup form from Tor exit nodes.
> <Location /mailman/accounts/signup>
> <RequireAll>
> Require all granted
> Include /etc/apache2/tor-exit-list.conf
> </RequireAll>
> </Location>
> Haven't worked out how to restrict it to POST method only yet, and updating the list robustly is a job for tomorrow…
thanks a lot for this. as i'm facing the same problem, i took your code, hopefully filling in the missing parts correctly:
<Location /accounts/signup>
<Limit POST PUT DELETE>
order allow,deny
allow from all
Include /var/www/tor-exit-list.conf
</Limit>
</Location>
using this script to update the list of exit-nodes:
#!/bin/sh
if [ $# -lt 1 ]; then
cat >/dev/stderr <<EOF
usage: $0 <outfile> [<outfile> ...]
e.g. $0 /var/www/tor-exit-list.conf
EOF
exit 1
fi
url='https://www.dan.me.uk/torlist/?exit'
outfile=$(mktemp)
trap 'rm -f "${outfile}"' EXIT INT TERM
curl -s -o "${outfile}" --fail "${url}" || exit 1
sed -e "s/^/deny from /" "${outfile}" | tee "$@" >/dev/null
(as i'm tracking /etc with etckeeper, i'd rather not write the data to the config-directory)
mfgdasr IOhannes
Mailman's content filtering has removed the following MIME parts from this message.
Content-Type: application/pgp-keys Name: OpenPGP_0xB65019C47F7A36F8.asc
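The fetch-and-generate step from both messages above, as an added example that is not from either poster: it validates each line of the dan.me.uk feed before it becomes an Apache 2.4 `Require not ip` directive, and swaps the new file in only after `apachectl -t` accepts it, so a changed or broken feed (an HTML error page, say) cannot land arbitrary text in the Apache configuration or leave the server unable to reload. Assumed: the same feed URL and /etc/apache2/tor-exit-list.conf path Andy used, and that `install_acl` runs as root with `apachectl` on PATH.

```shell
# Added example, not code from the thread: validate a fetched Tor exit-node
# list before it becomes Apache 2.4 "Require not ip" lines, then install the
# file only if "apachectl -t" still accepts the configuration.

# Succeed if $1 is a dotted-quad IPv4 (four fields, at most 3 digits each,
# 0-255) or an IPv6 literal (hex digits and colons only, at least one colon).
is_ip() {
    case "$1" in
        '') return 1 ;;
        *[!0-9.]*)
            case "$1" in
                *[!0-9A-Fa-f:]*) return 1 ;;
                *:*) return 0 ;;
                *) return 1 ;;
            esac ;;
        *)
            printf '%s\n' "$1" | awk -F. 'NF != 4 { exit 1 } { for (i = 1; i <= 4; i++)
                if ($i == "" || length($i) > 3 || $i + 0 > 255) exit 1 }' ;;
    esac
}

# Read one address per line on stdin; emit a "Require not ip" line for each
# valid address and report rejected lines on stderr instead of passing them on.
make_acl() {
    tr -d '\r' | while IFS= read -r line || [ -n "$line" ]; do
        line=$(printf '%s' "$line" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        [ -n "$line" ] || continue
        if is_ip "$line"; then
            printf 'Require not ip %s\n' "$line"
        else
            printf 'rejected feed line: %s\n' "$line" >&2
        fi
    done
}

# Fetch the feed (URL from the thread), build the ACL, and swap it in only if
# it is non-empty and "apachectl -t" passes; otherwise the old file stays.
install_acl() {
    url='https://www.dan.me.uk/torlist/?exit'
    target=${1:-/etc/apache2/tor-exit-list.conf}
    raw=$(mktemp) && new=$(mktemp) || return 1
    trap 'rm -f "$raw" "$new"' EXIT INT TERM
    curl -fsS -o "$raw" "$url" || return 1
    make_acl <"$raw" >"$new"
    [ -s "$new" ] || { echo 'empty ACL, keeping old file' >&2; return 1; }
    [ -f "$target" ] && cp -p "$target" "$target.bak"
    cp "$new" "$target" && apachectl -t && apachectl graceful && return 0
    [ -f "$target.bak" ] && mv "$target.bak" "$target"   # roll back on failure
    return 1
}
```

An empty result is treated as an error on purpose: with only `Require all granted` left in the `<RequireAll>` block, the signup form would silently become open to everyone again.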
Hi,
On Mon, Nov 04, 2024 at 12:10:48PM +0100, IEM Network Operation Center (IOhannes m zmölnig) wrote:
> as i'm facing the same problem, i took your code, hopefully filling in the missing parts correctly:
Just a note that I've been seeing this ramp up, with now 35 to 40 attempts being blocked per day. I would urge other operators of Mailman 3 to check they aren't also participating in this attack.
Thanks, Andy
-- https://bitfolk.com/ -- No-nonsense VPS hosting