Yes, please block Tor for now, until we have a better solution.

-jake

On Sat, Dec 2, 2023, 15:10 Sean Greenslade via sudo-discuss <sudo-discuss@sudoroom.org> wrote:
On Fri, Dec 01, 2023 at 09:19:53PM -0800, Jake via sudo-discuss wrote:
> our mailing list system (postorius) is having problems... we're not sure what
> it is but it looks like some spammer is entering random addresses into the
> "join this mailing list" field and then our system is trying to email a
> confirmation to those addresses.
>
> Anyone want to log in and take a look at it, try to figure out what's going
> on, and figure out a way to fix it?  We might need to add a CAPTCHA or at
> least a checkbox or some sort of puzzle so that people can't just
> automatically enter email addresses in and have us email them.

I've been doing a bit of investigation on this. It appears that the
spammer is using Tor to make the subscription requests. I see 68
hits to the web interface subscription endpoint within the past day, and
reverse lookups reveal:

My knee-jerk reaction would be to block Tor from our mailing list web
interface, but I'd want to put that suggestion to the community first.
Note that users are able to subscribe to mailing lists by direct email
without using the web interface, so if users wish to maintain anonymity,
they still have a path.

--Sean
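
The check described in the message above (count hits to the web subscription endpoint and see how many come from Tor exits), written out as an added example that is not part of the original thread. The combined log format, the endpoint path pattern, the sample log lines and the exit addresses are assumptions constructed for illustration; in practice the exit set would be loaded from a published Tor exit list.

```python
import re
from collections import Counter

# Assumed URL layout for the Postorius web subscribe form; adjust to the real one.
SUBSCRIBE_RE = re.compile(r"/postorius/lists/[^/\s]+/(?:anonymous_)?subscribe/?$")
# Combined log format: client IP, ident, user, [time], "METHOD path proto", status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def summarize(log_lines, tor_exits):
    """Count POSTs to the subscribe endpoint, split by Tor and non-Tor source."""
    tor_hits, other_hits = Counter(), Counter()
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than guessing at fields
        ip, method, path, _status = m.groups()
        path = path.split("?", 1)[0]  # ignore any query string
        if method != "POST" or not SUBSCRIBE_RE.search(path):
            continue  # viewing the form (GET) does not trigger a confirmation mail
        (tor_hits if ip in tor_exits else other_hits)[ip] += 1
    tor_total = sum(tor_hits.values())
    return {
        "total": tor_total + sum(other_hits.values()),
        "tor": tor_total,
        "tor_ips": dict(tor_hits),
        "other_ips": dict(other_hits),
    }

# Constructed sample data (documentation address ranges, made-up list id).
BASE = "/lists/postorius/lists/discuss.example.org"
TS = "[02/Dec/2023:10:00:01 -0800]"
SAMPLE_LOG = [
    f'192.0.2.10 - - {TS} "POST {BASE}/anonymous_subscribe HTTP/1.1" 302 0',
    f'192.0.2.10 - - {TS} "POST {BASE}/anonymous_subscribe HTTP/1.1" 302 0',
    f'198.51.100.7 - - {TS} "POST {BASE}/anonymous_subscribe?x=1 HTTP/1.1" 302 0',
    f'203.0.113.50 - - {TS} "POST {BASE}/subscribe HTTP/1.1" 302 0',
    f'203.0.113.50 - - {TS} "GET {BASE}/ HTTP/1.1" 200 5120',
    f'192.0.2.10 - - {TS} "GET {BASE}/anonymous_subscribe HTTP/1.1" 405 0',
    "truncated or malformed line",
]
TOR_EXITS = {"192.0.2.10", "198.51.100.7"}  # constructed stand-in for an exit list

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG, TOR_EXITS)
    print(f"{report['tor']} of {report['total']} subscribe POSTs came from Tor exits")
    for ip, n in sorted(report["tor_ips"].items(), key=lambda kv: -kv[1]):
        print(f"  {ip}: {n}")
```

Matching source addresses against an exit list is more dependable than reverse lookups alone, since not every exit relay has a PTR record that mentions Tor.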
