I've observed this as well, in two incidents over the past 60 hours.
I do not recommend captchas (for this or anything else) because they were thoroughly defeated ~15 years ago. I recommend firewall rules: there is no reason in the world to continue to allow access by people, systems, or networks who have been the source of abuse/attacks. With that in mind, I strongly recommend blocking all network traffic -- and I do mean "all", not just HTTP/S, from these allocations (1 of 3):

I haven't had time to even try to figure out who/what this is, but I haven't seen them before, and now that I *have* seen them, and observed that 100% of the traffic received from them has been malicious, I see no reason to allow them any access to anything ever.

I recommend blocking at least HTTP/S from these allocations and maybe all traffic as well (2 of 3):

I recommend blocking all network traffic from these allocations (3 of 3):

2.58.56.0/24 1337ServicesGmbH/DE-1337SERVICES-20190321/rdp.sh
45.80.158.0/24 LEET-45-80-158-0/1337ServicesGmbH
124.198.132.0/24 LEET-124-198-132-0/1337ServicesGmbH
192.99.159.16/28 OVH-CUST-243739335/1337ServicesGmbH

I don't know who/what this is either, but "leet" and "1337" are dubious, at best. And given their participation in these attacks against Mailman, I see no reason to continue extending them access privileges.

In all three cases, the text descriptions are excerpts from "whois" lookups. Obviously some of them are informative, some aren't.
I chose them in order to tickle my own memory when I see them again, e.g., I recognize both "IPXO" and "Virtuo" and not for positive reasons. I don't recognize QuickPacket or Aventice -- but I will in the future.

I also recommend using Mark Sapiro's excellent "list_pending" and "erase" scripts, found here:

Various Python Scripts
https://www.msapiro.net/scripts/

The former script may be used to enumerate pending subscriptions; the latter may be used to cause all of those to go away.

---rsk

Mailman-Users mailing list -- mailman-users@python.org
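An added example, not from rsk's post or from the Mailman project: one way to keep a blocklist in the post's "<prefix> <whois excerpt>" layout, render it as an nftables set that drops all inbound traffic from those prefixes (as recommended above), and check web-server access-log source addresses against it. The file layout, the table and set names, and the log lines are assumed/constructed.

```python
import ipaddress

# Constructed input in the post's layout; the prefixes are the "3 of 3" group above.
BLOCKLIST_TEXT = """\
# Mailman subscription-flood sources, group 3 of 3
2.58.56.0/24      1337ServicesGmbH/DE-1337SERVICES-20190321/rdp.sh
45.80.158.0/24    LEET-45-80-158-0/1337ServicesGmbH
124.198.132.0/24  LEET-124-198-132-0/1337ServicesGmbH
192.99.159.16/28  OVH-CUST-243739335/1337ServicesGmbH
"""

# Constructed common-log-format lines (the second uses a documentation address).
SAMPLE_LOG = [
    '192.99.159.20 - - [01/Jan/2024:00:00:00 +0000] "POST /mailman/subscribe/x HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Jan/2024:00:00:01 +0000] "GET /mailman/listinfo/x HTTP/1.1" 200 2048',
]

def parse_blocklist(text):
    """Return (network, whois_excerpt) pairs; blank and '#' lines are skipped.
    strict=True rejects a prefix with host bits set, which catches typos."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        prefix, _, excerpt = line.partition(" ")
        entries.append((ipaddress.ip_network(prefix, strict=True), excerpt.strip()))
    return entries

def is_blocked(ip, entries):
    """True if ip lies inside any listed prefix (a v6 address never matches a v4 net)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net, _ in entries)

def nft_ruleset(entries):
    """Render an nftables table dropping all inbound traffic from the prefixes;
    an interval set lets the kernel match CIDR ranges in one lookup."""
    elems = ", ".join(str(net) for net, _ in entries)
    return (
        "table inet mailman_abuse {\n"
        "  set abusers {\n    type ipv4_addr; flags interval;\n"
        f"    elements = {{ {elems} }}\n  }}\n"
        "  chain input {\n    type filter hook input priority 0; policy accept;\n"
        "    ip saddr @abusers counter drop\n  }\n}"
    )

def flagged_sources(log_lines, entries):
    """Source addresses of log lines that hit the blocklist (first CLF field)."""
    return [ip for ip in (ln.split(" ", 1)[0] for ln in log_lines) if is_blocked(ip, entries)]
```

The rendered ruleset loads with nft -f; IPv6 prefixes would need a second set of type ipv6_addr.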