HACKER Q&A
📣 mwcampbell

Ongoing attack on Mailman mailing lists?


I have been receiving confirmation messages for subscription requests from Mailman-based mailing lists at a variety of domains, mostly academic. Some of these lists aren't even public, according to the Mailman web interface at the corresponding domains, which makes me wonder how the attacker is finding them. The vast majority of these malicious subscription requests are coming from 91.90.120.173. Is anyone else getting confirmation emails like these? Are any Mailman list administrators here seeing this attack?


  👤 LinuxBender Accepted Answer ✓
That IP is in a subnet with many entries in the firehol [1] ip blocklist. That is a known spammer network. Spammers use data from search engines, chat rooms, irc logs and shodan [2] to find sites. There are many other sources. Has anyone ever mentioned your private mailing list URLs on a chat server?

Specifically:

  grep -c "^91\.90\.120\." * 2>/dev/null|grep -v ":0"
  firehol_abusers_30d.netset:6
  stopforumspam.ipset:6
  stopforumspam_180d.ipset:15
  stopforumspam_30d.ipset:3
  stopforumspam_365d.ipset:26
  stopforumspam_7d.ipset:2
  stopforumspam_90d.ipset:6
  tor_exits_30d.ipset:1
[Revised after a git update]

[1] - https://github.com/firehol/blocklist-ipsets.git

[2] - https://www.shodan.io/
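A prefix grep over the firehol ipset/netset files, as in the answer above, only finds lines that literally start with the address text; it misses the address when a list carries it as a CIDR aggregate such as a /24. The following script is an added example, not code from the thread or from the firehol project: it parses ipset/netset-style lists (one address or CIDR per line, `#` comments) into networks and reports, per list, every entry that contains the address being checked. The list contents are constructed samples for the demonstration, not the real blocklist data.

```python
import ipaddress

# Constructed sample lists in the firehol ipset/netset layout (one IPv4
# address or CIDR per line, '#' starts a comment). Illustrative only; these
# are NOT the real contents of the firehol repository.
SAMPLE_LISTS = {
    "firehol_abusers_30d.netset": """# constructed sample
91.90.120.0/24
203.0.113.0/25
""",
    "stopforumspam_7d.ipset": """# constructed sample
91.90.120.173
198.51.100.7
""",
    "tor_exits_30d.ipset": """# constructed sample
192.0.2.44
""",
}


def parse_ipset(text):
    """Parse an ipset/netset body into (original_token, ip_network) pairs.

    Comment and blank lines are skipped; a malformed line is ignored so one
    bad entry does not abort the whole lookup.
    """
    entries = []
    for line in text.splitlines():
        token = line.split("#", 1)[0].strip()
        if not token:
            continue
        try:
            entries.append((token, ipaddress.ip_network(token, strict=False)))
        except ValueError:
            continue
    return entries


def match_ip(ip, lists):
    """Return {list_name: [entries containing ip]} for every list with a hit.

    Membership is tested with ip_network containment, so 91.90.120.173 is
    found inside 91.90.120.0/24 as well as as a bare host entry. Mixed
    IPv4/IPv6 comparisons simply never match.
    """
    addr = ipaddress.ip_address(ip)
    hits = {}
    for name, body in lists.items():
        matches = [token for token, net in parse_ipset(body) if addr in net]
        if matches:
            hits[name] = matches
    return hits


if __name__ == "__main__":
    # Hypothetical usage with the constructed samples; with real files you
    # would read each file's text into the dict instead.
    for name, entries in match_ip("91.90.120.173", SAMPLE_LISTS).items():
        print(f"{name}: {len(entries)} ({', '.join(entries)})")
```

To run this against a checkout of the firehol repository, build the dict from the `.ipset` and `.netset` files on disk; the counts per list then correspond to what the grep above reports, plus any CIDR aggregates the grep would have missed.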


👤 h2odragon
I've got about 250 of those "confirm" emails on the address I use here, in the past couple days. That IP address and a couple others I've noticed, but most from that one. It's an open squid proxy in Greenland from a quick sniff.