Opened 6 months ago

Last modified 6 months ago

#34256 new defect

jerks using our mailman to spam people

Reported by: arma
Owned by: tpa
Priority: Medium
Milestone:
Component: Internal Services/Tor Sysadmin Team
Version:
Severity: Normal
Keywords:
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

There are repeated patterns, and repeated complaints especially lately, of jerks signing up "victim" addresses to dozens of mailing lists. In our case, the victims don't actually end up on the list, because they don't confirm the subscription. But they get dozens of "reply to confirm!" mails, which causes stress and confusion and anger.

/var/log/mailman/subscribe on eugeni is where the interesting info is.

You can see clear patterns of some jerk trying to subscribe target addresses to a half dozen Tor lists at once. It happens again and again and again.

Each request comes from a different address around the internet. It looks like a standard botnet. I hear from the victims that they're being subscribed to other non-Tor lists too, so we are just one piece of the mess.

One distinguishing pattern seems to be that their subscribe attempts come with a random two-word name before the email address. "Who does that?"

We've handled (responded to) almost 55000 subscription attempts in May so far, and I'd wager that 90+% of them are malicious.

I imagine the primary goal is to harm the victims, but there is secondary harm, where eugeni ends up in more blacklists. And also many people have their first introduction to Tor being this abuse.

Maybe we can hack mailman to discard attempts that include a two-word name? Is there some way to moderate the subscription attempts? Do we even want that? Maybe we should disable email subscription interactions with mailman entirely?
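
The pattern described in this ticket (one target address, pending requests on several lists at once, a different source each time), written as detection logic over the subscribe log. This is an added example, not part of the ticket or of Tor's tooling; the log line layout, the `min_lists` and `window` thresholds, the list names and all sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed line layout (adjust to your log):
#   <timestamp> (<pid>) <list>: pending [Name] <addr>  <source>
LINE = re.compile(
    r'^(?P<ts>\w{3} +\d+ [\d:]{8} \d{4}) \(\d+\) (?P<list>[\w.-]+): pending '
    r'(?:(?P<name>.*?)\s*<(?P<addr>[^>]+)>|(?P<bare>\S+@\S+))\s+(?P<src>\S+)$')

# Constructed sample input, not taken from any real log.
SAMPLE = """\
May 20 03:14:07 2020 (4242) list-a: pending Maple Harbor <victim@example.org>  192.0.2.10
May 20 03:14:09 2020 (4242) list-b: pending Quiet Lantern <victim@example.org>  198.51.100.7
May 20 03:14:12 2020 (4242) list-c: pending Brisk Meadow <victim@example.org>  203.0.113.99
May 20 03:14:15 2020 (4242) list-d: pending Amber Falcon <victim@example.org>  192.0.2.200
May 20 09:30:00 2020 (4242) list-a: pending Pat Example <reader@example.net>  198.51.100.23
May 20 11:02:41 2020 (4242) list-b: pending other@example.com  203.0.113.5
""".splitlines()

def find_bursts(lines, min_lists=4, window=timedelta(minutes=10)):
    """Map each address with pending requests on >= min_lists distinct
    lists inside one time window to a summary of that burst."""
    events = defaultdict(list)
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # other log entries or unparsable lines
        ts = datetime.strptime(m['ts'], '%b %d %H:%M:%S %Y')
        addr = (m['addr'] or m['bare']).lower()
        events[addr].append((ts, m['list'], m['src'], m['name'] or ''))
    flagged = {}
    for addr, evs in events.items():
        evs.sort()
        for i, first in enumerate(evs):
            burst = [e for e in evs[i:] if e[0] - first[0] <= window]
            lists = {e[1] for e in burst}
            if len(lists) >= min_lists:
                flagged[addr] = {
                    'lists': sorted(lists),
                    'sources': sorted({e[2] for e in burst}),
                    'two_word_names': sum(len(e[3].split()) == 2 for e in burst),
                }
                break
    return flagged

if __name__ == '__main__':
    for addr, info in find_bursts(SAMPLE).items():
        print(addr, info)
```

Keying on the target address and the number of distinct lists, rather than on the two-word name alone, leaves the single subscription from "Pat Example" unflagged even though that name is also two words.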

Change History (1)

comment:1 in reply to:  description Changed 6 months ago by anarcat

Replying to arma:

> Maybe we can hack mailman to discard attempts that include a two-word name?

That could be difficult, but I've patched Mailman before. It might be doable. Not sure if it would work, and might catch a lot of false positives...

> Is there some way to moderate the subscription attempts?

There is. I'm not sure if it happens before or after the email confirmation however. But there's definitely a way to make list moderators approve new members.

> Do we even want that?

That would possibly be a huge pain in the back for moderators.

> Maybe we should disable email subscription interactions with mailman entirely?

That might be more reasonable... but then again, if those attempts come by email, from a botnet, why aren't we blocking *those* emails instead? Seems to me they should be on some block list already?

Maybe we could check if they are on Spamhaus or some list eventually...

I wonder if upgrading to Mailman 3 could fix this problem... We'll have to do it eventually anyways because of the death of Python 2 (#33949).