On Fri, Dec 01, 2023 at 09:19:53PM -0800, Jake via sudo-discuss wrote:
> Our mailing list system (postorius) is having problems... we're not sure
> what it is but it looks like some spammer is entering random addresses into
> the "join this mailing list" field and then our system is trying to email a
> confirmation to those addresses.
>
> Anyone want to log in and take a look at it, try to figure out what's going
> on, and figure out a way to fix it? We might need to add a CAPTCHA or at
> least a checkbox or some sort of puzzle so that people can't just
> automatically enter email addresses in and have us email them.

I've been doing a bit of investigation on this. It appears that the
spammer is using Tor to make the subscription requests. I see 68
hits to the web interface subscription endpoint within the past day, and
reverse lookups reveal:

My knee-jerk reaction would be to block Tor from our mailing list web
interface, but I'd want to put that suggestion to the community first.

Note that users are able to subscribe to mailing lists by direct email
without using the web interface, so if users wish to maintain anonymity,
they still have a path.

--Sean
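
The triage described in this message, as an added example that is not part of the original thread: it counts POSTs to the subscription endpoint in a web access log and splits them by Tor exit membership. The endpoint path pattern, the Combined Log Format, and all sample IPs and log lines are assumptions constructed for illustration; a real exit set would be loaded from the Tor Project's published exit list.

```python
import re
from collections import Counter

# Assumed URL layout for the web subscription endpoint; adjust to the real one.
SUBSCRIBE_RE = re.compile(r"/lists/[^/\s]+/(?:anonymous_)?subscribe\b")
# Combined Log Format: ip ident user [time] "METHOD path proto" status ...
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3})')

def subscription_hits(log_lines):
    """Yield the client IP of every POST to the subscription endpoint."""
    for line in log_lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed or truncated lines
        ip, method, path, _status = m.groups()
        if method == "POST" and SUBSCRIBE_RE.search(path):
            yield ip

def summarize(log_lines, tor_exits):
    """Split subscription POSTs into Tor-exit and other sources."""
    hits = Counter(subscription_hits(log_lines))
    tor = {ip: n for ip, n in hits.items() if ip in tor_exits}
    return {
        "total": sum(hits.values()),
        "tor_hits": sum(tor.values()),
        "tor_ips": sorted(tor),
        "other_ips": sorted(ip for ip in hits if ip not in tor_exits),
        # A low per-IP maximum means per-IP rate limiting would never trigger.
        "max_per_ip": max(hits.values(), default=0),
    }

# Constructed sample data (documentation address ranges, hypothetical list name).
SAMPLE_TOR_EXITS = {"192.0.2.10", "192.0.2.11", "198.51.100.7"}
_P = "/postorius/lists/announce.example.org"
SAMPLE_LOG = [
    f'192.0.2.10 - - [01/Dec/2023:20:01:02 -0800] "POST {_P}/anonymous_subscribe HTTP/1.1" 302 0',
    f'192.0.2.11 - - [01/Dec/2023:20:03:40 -0800] "POST {_P}/anonymous_subscribe HTTP/1.1" 302 0',
    f'198.51.100.7 - - [01/Dec/2023:20:09:15 -0800] "POST {_P}/subscribe HTTP/1.1" 302 0',
    f'203.0.113.5 - - [01/Dec/2023:20:10:00 -0800] "POST {_P}/subscribe HTTP/1.1" 302 0',
    '203.0.113.5 - - [01/Dec/2023:20:10:05 -0800] "GET /postorius/lists/ HTTP/1.1" 200 5120',
    "truncated line with no request field",
]

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG, SAMPLE_TOR_EXITS).items():
        print(f"{key}: {value}")
```

Because each exit relay appears only once or twice, the aggregate Tor share is the useful signal here, not the per-address count.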