I've observed this as well, in two incidents over the past 60 hours.

I do not recommend captchas (for this or anything else) because they
were thoroughly defeated ~15 years ago.  I recommend firewall rules:
there is no reason in the world to continue to allow access by people,
systems, or networks who have been the source of abuse/attacks.

With that in mind, I strongly recommend blocking all network traffic --
and I do mean "all", not just HTTP/S, from these allocations (1 of 3):

        80.71.154.0/24      US-AQUANETWORKS-20200313/AquaNetworksHKLimited
        80.71.159.0/24      US-AQUANETWORKS-20200313/AquaNetworksHKLimited
        91.198.230.0/24     US-AQUANETWORKS-20200310/AquaNetworksHKLimited
        91.199.3.0/24       US-AQUANETWORKS-20200313/AquaNetworksHKLimited
        91.229.104.0/24     US-AQUANETWORKS-20200313/AquaNetworksHKLimited
        91.229.105.0/24     US-AQUANETWORKS-20200313/AquaNetworksHKLimited
        91.231.142.0/24     US-AQUANETWORKS-20200310/AquaNetworksHKLimited
        91.231.143.0/24     US-AQUANETWORKS-20200310/AquaNetworksHKLimited
        91.240.71.0/24      US-AQUANETWORKS-20200313/AquaNetworksHKLimited
        92.119.229.0/24     US-AQUANETWORKS-20200313/AquaNetworksHKLimited
        188.119.114.0/23    US-AQUANETWORKS-20200310/AquaNetworksHKLimited
        193.33.66.0/24      US-AQUANETWORKS-20200313/AquaNetworksHKLimited
        193.37.133.0/24     US-AQUANETWORKS-20200313/AquaNetworksHKLimited
        193.109.221.0/24    US-AQUANETWORKS-20200313/AquaNetworksHKLimited
        193.135.13.0/25     US-AQUANETWORKS-20200310/AquaNetworksHKLimited
        193.135.13.128/25   US-AQUANETWORKS-20200310/AquaNetworksHKLimited
        193.176.237.0/24    US-AQUANETWORKS-20200313/AquaNetworksHKLimited
        193.193.164.0/24    US-AQUANETWORKS-20200313/AquaNetworksHKLimited
        194.56.255.0/24     US-AQUANETWORKS-20200313/AquaNetworksHKLimited
        194.105.158.0/24    US-AQUANETWORKS-20200313/AquaNetworksHKLimited
        194.105.159.0/24    US-AQUANETWORKS-20200313/AquaNetworksHKLimited
        194.107.125.0/24    US-AQUANETWORKS-20200313/AquaNetworksHKLimited

I haven't had time to even try to figure out who/what this is, but I haven't
seen them before, and now that I *have* seen them, and observed that 100% of
the traffic received from them has been malicious, I see no reason to allow
them any access to anything ever.

I recommend blocking at least HTTP/S from these allocations and maybe
all traffic as well (2 of 3):

        31.58.169.0/24      HOSTING-SOLUTIONS/IPXO-MNT
        45.33.240.0/20      YS-02
        64.187.232.0/21     QP-CHI/QuickPacketLLC
        83.147.52.0/22      CLOUVIDER-NYC1/VirtuoHoldingsInc/IPXO-MNT
        91.223.133.0/24     PL-IPSERVICES11/IPSERVICESSP
        91.239.187.0/24     Omniline-net/OmnilineInvestmentSRO
        93.157.24.0/21      POISK-UA-NET/Poisk-Lugansk
        103.207.116.0/22    HVTCL-HK
        104.153.80.0/22     QP-IPV4-16/QuickPacketLLC
        107.178.128.0/18    GC-03/GCHAOLLC
        111.92.184.0/22     CMTL-HK/COASTMARTTRADINGLIMITED
        162.244.132.0/22    QP-CHI/QuickPacketLLC
        170.81.196.0/22     UdashaSA
        170.231.248.0/22    MY-TECSA
        170.244.94.0/23     WeblineServicesBroadband
        185.118.79.0/24     WEHOST-NET/WEHOSTLLC
        185.235.142.0/24    EE-EUROLIR2-20210129/EurolirOU
        191.102.128.0/23    CorporateNetwork
        191.102.132.0/23    NathanWright
        195.140.176.0/22    NL-DEMENIN
        202.9.60.0/22       WEIYU-HK/WeiyuTechnologyCoLimited
        204.217.128.0/17    NET-204-217-128-0-1/AventiceLLC
        206.162.240.0/20    ARPNET-4/ARPNETWORKSINC/IPXO
        206.162.248.0/21    ARPNETWORKSINC/IPXOLLC/NETUTILS/InternetUtilitiesNALLC
        206.232.0.0/17      AVENTICE-CGNT-NET-1/AventiceLLC
        216.177.132.0/22    IPXOLLC/NETUTILS/InternetUtilitiesNALLC

I recommend blocking all network traffic from these allocations (3 of 3):

        2.58.56.0/24        1337ServicesGmbH/DE-1337SERVICES-20190321/rdp.sh
        45.80.158.0/24      LEET-45-80-158-0/1337ServicesGmbH
        124.198.132.0/24    LEET-124-198-132-0/1337ServicesGmbH
        192.99.159.16/28    OVH-CUST-243739335/1337ServicesGmbH

I don't know who/what this is either, but "leet" and "1337" are dubious,
at best.  And given their participation in these attacks against Mailman,
I see no reason to continue extending them access privileges.


In all three cases, the text descriptions are excerpts from "whois" lookups.
Obviously some of them are informative, some aren't.  I chose them in order
to tickle my own memory when I see them again, e.g., I recognize both "IPXO"
and "Virtuo" and not for positive reasons.  I don't recognize QuickPacket
or Aventice -- but I will in the future.


I also recommend using Mark Sapiro's excellent "list_pending" and "erase"
scripts, found here:

        Various Python Scripts
        https://www.msapiro.net/scripts/

The former script may be used to enumerate pending subscriptions; the latter
may be used to cause all of those to go away.

---rsk
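A worked example of turning lists like the ones in the post above into firewall rules and a log check. This is added example code, not rsk's script and not part of Mailman; it uses a constructed subset of the prefixes quoted in the post, keeps the "block everything" versus "block at least HTTP/S" split the post proposes, validates each prefix strictly (so a typo with host bits set is rejected rather than silently widening a block), merges overlapping or adjacent allocations before emitting nftables rules, and checks constructed web-server log lines against the result. The policy names, the nftables table and chain names, and the sample log lines are all assumptions.

```python
"""Turn a whois-annotated CIDR list into nftables rules and check log sources
against it.  Added example; not rsk's code and not part of Mailman."""
import ipaddress
import re

# Constructed subset of the allocations quoted in the post, keyed by the
# policy the post proposes for each group.  "drop-all" = all traffic,
# "drop-web" = at least HTTP/S.  The text after each prefix is the whois
# excerpt, kept only as a label.
ALLOCATIONS = {
    "drop-all": """
        80.71.154.0/24     US-AQUANETWORKS-20200313/AquaNetworksHKLimited
        188.119.114.0/23   US-AQUANETWORKS-20200310/AquaNetworksHKLimited
        193.135.13.0/25    US-AQUANETWORKS-20200310/AquaNetworksHKLimited
        193.135.13.128/25  US-AQUANETWORKS-20200310/AquaNetworksHKLimited
        192.99.159.16/28   OVH-CUST-243739335/1337ServicesGmbH
    """,
    "drop-web": """
        45.33.240.0/20     YS-02
        206.162.240.0/20   ARPNET-4/ARPNETWORKSINC/IPXO
        206.162.248.0/21   ARPNETWORKSINC/IPXOLLC/NETUTILS/InternetUtilitiesNALLC
    """,
}


def parse_allocations(text):
    """Parse 'prefix  label' lines into [(IPv4Network, label)].

    strict=True raises ValueError on a prefix with host bits set, so a typo
    such as 192.99.159.20/28 is caught instead of being silently rounded.
    """
    entries = []
    for line in text.splitlines():
        parts = line.split(None, 1)
        if not parts:
            continue
        net = ipaddress.ip_network(parts[0], strict=True)
        label = parts[1].strip() if len(parts) > 1 else ""
        entries.append((net, label))
    return entries


def build_policy(allocations=ALLOCATIONS):
    """Return {policy: [collapsed networks]}: overlaps and adjacent halves
    (e.g. the two /25s above) are merged into the smallest covering set."""
    return {
        policy: list(ipaddress.collapse_addresses(
            n for n, _ in parse_allocations(text)))
        for policy, text in allocations.items()
    }


def classify(ip, policy):
    """Return the policy covering ip, checking the stricter group first."""
    addr = ipaddress.ip_address(ip)
    for name in ("drop-all", "drop-web"):
        if any(addr in net for net in policy.get(name, [])):
            return name
    return None


def nft_rules(policy, table="inet filter", chain="input"):
    """Render one nftables rule per policy; drop-web matches only 80/443 so
    other services from those ranges are left alone, as the post allows."""
    rules = []
    for name, ports in (("drop-all", None), ("drop-web", "{ 80, 443 }")):
        elems = ", ".join(str(n) for n in policy.get(name, []))
        if not elems:
            continue
        match = f"ip saddr {{ {elems} }}"
        if ports:
            match += f" tcp dport {ports}"
        rules.append(
            f'nft add rule {table} {chain} {match} counter drop comment "{name}"')
    return rules


# Constructed sample web-server log lines (not real traffic).
SAMPLE_LOG = """\
193.135.13.77 - - [01/Jan/2024:10:00:01 +0000] "POST /mailman/subscribe/listname HTTP/1.1" 200 512
206.162.250.9 - - [01/Jan/2024:10:00:02 +0000] "POST /mailman/subscribe/listname HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /mailman/listinfo HTTP/1.1" 200 2048
""".splitlines()

_IP_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s")


def scan_log(lines, policy):
    """Return [(ip, policy)] for log lines whose source is in a blocked range."""
    hits = []
    for line in lines:
        m = _IP_RE.match(line)
        if m:
            verdict = classify(m.group(1), policy)
            if verdict:
                hits.append((m.group(1), verdict))
    return hits


if __name__ == "__main__":
    pol = build_policy()
    for rule in nft_rules(pol):
        print(rule)
    for ip, verdict in scan_log(SAMPLE_LOG, pol):
        print(f"{ip}: {verdict}")
```

Running it prints one `nft add rule` line per policy and then the two sample sources that fall inside a blocked range. Because the nftables set elements come out of `collapse_addresses`, the two Aqua Networks /25s become a single /24 and the ARP Networks /21 disappears into its covering /20, which keeps the rule set small when the full lists from the post are fed in.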
------------------------------------------------------
Mailman-Users mailing list -- mailman-users@python.org
To unsubscribe send an email to mailman-users-le...@python.org
https://mail.python.org/mailman3/lists/mailman-users.python.org/
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: https://www.mail-archive.com/mailman-users@python.org/
    https://mail.python.org/archives/list/mailman-users@python.org/