[sudo-sys] Possible reflection attack (Fwd: Uncaught bounce notification)

yar yardenack at gmail.com
Thu Sep 17 14:27:58 PDT 2015


We've gotten hundreds of these in the past few days. Seems like a
possible reflection attack where a third party tries to subscribe a
bunch of people's SMS numbers to flood them with confirm emails. I
think I solved this by blocking {sms,txt}.att.net addresses from
joining all our lists, like this:

$ cat ~/setbanlist
mlist.ban_list.extend(['^.*@txt.att.net$', '^.*@mms.att.net$'])
$ for list in $(cd /var/lib/mailman/lists/; ls -1 .); do sudo -u list /usr/lib/mailman/bin/config_list -i ~/setbanlist "$list"; done

---------- Forwarded message ----------
From:  <mailman-bounces at lists.sudoroom.org>
Date: Thu, Sep 17, 2015 at 2:05 PM
Subject: Uncaught bounce notification
To: kopimism-owner at lists.sudoroom.org


The attached message was received as a bounce, but either the bounce
format was not recognized, or no member addresses could be extracted
from it.  This mailing list has been configured to send all
unrecognized bounce messages to the list administrator(s).

For more information see:
https://sudoroom.org/lists/admin/kopimism/bounce



---------- Forwarded message ----------
From: postmaster at txt.att.net
To: kopimism-bounces at lists.sudoroom.org
Cc:
Date: Thu, 17 Sep 2015 17:05:17 -0400
Subject: Unable to deliver message.


This Message was undeliverable due to the following reason: the
subscriber has restricted e-mail to <2524063603 at mms.att.net> Please
reply to <Postmaster at txt.att.com> if you feel this message to be in
error.



---------- Forwarded message ----------
From:
To:
Cc:
Date:
Subject:
Reply-To: <kopimism-request at lists.sudoroom.org>
Received: from sudoroom.org (localhost [127.0.0.1])
        by sudoroom.org (sudoroom.org) with ESMTP id 6EB4BC51E7
        for <2524063603 at mms.att.net>; Thu, 17 Sep 2015 14:05:16 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
From: kopimism-request at lists.sudoroom.org
To: 2524063603 at mms.att.net
Subject: confirm cd7f76f284b5301e946d2f49092129c1fc028ad5
Reply-To: kopimism-request at lists.sudoroom.org
Auto-Submitted: auto-generated
Message-ID: <mailman.0.1442523915.18507.kopimism at lists.sudoroom.org>
Date: Thu, 17 Sep 2015 14:05:15 -0700
Precedence: bulk
X-BeenThere: kopimism at lists.sudoroom.org
X-Mailman-Version: 2.1.18
List-Id: All information should be freely distributed and unrestricted
 <kopimism.lists.sudoroom.org>
X-List-Administrivia: yes
Errors-To: kopimism-bounces at lists.sudoroom.org
Sender: "Kopimism" <kopimism-bounces at lists.sudoroom.org>
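
An added example (not part of the original post, and not Mailman's own code): a Python check that runs a candidate ban_list against sample addresses before it is pushed to every list. It assumes Mailman 2.1 treats entries beginning with `^` as case-insensitive regexes and all other entries as literal addresses; the function names and the sample addresses are constructed for illustration.

```python
import re


def banned_pattern(email, ban_list):
    """Return the first ban_list entry that matches email, else None.

    Assumed Mailman 2.1 semantics: an entry starting with '^' is a
    case-insensitive regex, anything else is a literal address.
    """
    for pattern in ban_list:
        if pattern.startswith('^'):
            try:
                if re.search(pattern, email, re.IGNORECASE):
                    return pattern
            except re.error:
                continue  # a broken regex blocks nothing, so skip it
        elif pattern.lower() == email.lower():
            return pattern
    return None


def audit(ban_list, must_block, must_allow):
    """Return (missed, overblocked) address lists for a candidate ban_list."""
    missed = [a for a in must_block if banned_pattern(a, ban_list) is None]
    overblocked = [a for a in must_allow if banned_pattern(a, ban_list)]
    return missed, overblocked


# The patterns as posted, and the same patterns with the dots escaped.
POSTED = ['^.*@txt.att.net$', '^.*@mms.att.net$']
ESCAPED = [r'^.*@txt\.att\.net$', r'^.*@mms\.att\.net$']

# Constructed sample addresses (not taken from any real log).
MUST_BLOCK = ['5550100@txt.att.net', '5550101@MMS.ATT.NET']
MUST_ALLOW = ['alice@example.org', 'bob@txt-att.net']

if __name__ == '__main__':
    for name, bans in (('posted', POSTED), ('escaped', ESCAPED)):
        missed, overblocked = audit(bans, MUST_BLOCK, MUST_ALLOW)
        print(name, 'missed:', missed, 'overblocked:', overblocked)
```

Both pattern sets block the two gateway addresses; the unescaped dots additionally match the constructed look-alike domain `txt-att.net`, which the escaped form lets through.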

