I've observed this as well, in two incidents over the past 60 hours.
I do not recommend captchas (for this or anything else) because they
were thoroughly defeated ~15 years ago. I recommend firewall rules:
there is no reason in the world to continue to allow access by people,
systems, or networks who have been the source of abuse/attacks.
With that in mind, I strongly recommend blocking all network traffic --
and I do mean "all", not just HTTP/S, from these allocations (1 of 3):
I haven't had time to even try to figure out who/what this is, but I haven't
seen them before, and now that I *have* seen them, and observed that 100% of
the traffic received from them has been malicious, I see no reason to allow
them any access to anything ever.
I recommend blocking at least HTTP/S from these allocations and maybe
all traffic as well (2 of 3):
I recommend blocking all network traffic from these allocations (3 of 3):
2.58.56.0/24 1337ServicesGmbH/DE-1337SERVICES-20190321/rdp.sh
45.80.158.0/24 LEET-45-80-158-0/1337ServicesGmbH
124.198.132.0/24 LEET-124-198-132-0/1337ServicesGmbH
192.99.159.16/28 OVH-CUST-243739335/1337ServicesGmbH
I don't know who/what this is either, but "leet" and "1337" are dubious,
at best. And given their participation in these attacks against Mailman,
I see no reason to continue extending them access privileges.
In all three cases, the text descriptions are excerpts from "whois" lookups.
Obviously some of them are informative, some aren't. I chose them in order
to tickle my own memory when I see them again, e.g., I recognize both "IPXO"
and "Virtuo" and not for positive reasons. I don't recognize QuickPacket
or Aventice -- but I will in the future.
I also recommend using Mark Sapiro's excellent "list_pending" and "erase"
scripts, found here:
Various Python Scripts
https://www.msapiro.net/scripts/
The former script may be used to enumerate pending subscriptions; the latter
may be used to cause all of those to go away.
---rsk
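As an added example (not part of the post above), the following Python turns a list in the post's "CIDR whois-excerpt" line format into an nftables script that drops all traffic from those allocations: it validates each CIDR, skips junk lines instead of blocking the wrong thing, and collapses adjacent ranges (e.g. two /25s into one /24). The table name `inet filter`, set name `abusers` and the sample lines are assumptions/constructed for the demo.

```python
"""Convert a 'CIDR  whois-label' block list into an nftables drop ruleset."""
import ipaddress
import re

# Constructed sample in the post's format: two adjacent /25s (collapsible
# into one /24), one /28, and a junk line that must be ignored.
SAMPLE = """\
193.135.13.0/25 US-AQUANETWORKS-20200310/AquaNetworksHKLimited
193.135.13.128/25 US-AQUANETWORKS-20200310/AquaNetworksHKLimited
192.99.159.16/28 OVH-CUST-243739335/1337ServicesGmbH
not-a-network some whois junk that slipped into the paste
"""

LINE_RE = re.compile(r"^\s*(\S+)\s*(.*)$")


def parse_blocklist(text):
    """Return [(IPv4Network, label)] for valid lines; malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or not line.strip():
            continue
        cidr, label = m.group(1), m.group(2).strip()
        try:
            net = ipaddress.ip_network(cidr, strict=True)  # reject host bits set
        except ValueError:
            continue  # typo or whois residue: drop it rather than guess
        if net.version != 4:  # set below is typed ipv4_addr
            continue
        entries.append((net, label))
    return entries


def collapse(entries):
    """Merge adjacent/overlapping networks so the set stays minimal."""
    return list(ipaddress.collapse_addresses(net for net, _ in entries))


def nft_script(networks, table="inet filter", setname="abusers"):
    """Render an nft script (load with `nft -f file`) dropping all traffic from the set."""
    elems = ", ".join(str(n) for n in networks)
    return (
        f"table {table} {{\n"
        f"    set {setname} {{\n"
        f"        type ipv4_addr\n        flags interval\n"
        f"        elements = {{ {elems} }}\n    }}\n"
        f"    chain input {{\n"
        f"        type filter hook input priority 0; policy accept;\n"
        f"        ip saddr @{setname} drop\n    }}\n}}\n"
    )
```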
------------------------------------------------------
Mailman-Users mailing list -- [email protected]