Mailman Subscription Spam

In the last few weeks, a few of us running mailman have been noticing attacks using our servers. Most often we end up being used as relays to send subscription spam to the servers. They pick one address and use multiple aliases of the address to send spam to. I won’t get into the details of the attack, but here’s a script that I came up with and is now modified to be friendly thanks to OpenStack Infra Team.

Create the file /usr/lib/mailman/bin/ with this content:

def ban(m, address):     try:         m.Lock()         if address not in m.ban_list:             m.ban_list.append(address)         m.Save()     finally:         m.Unlock() 

Now run this script like this

sudo /usr/lib/mailman/bin/withlist -a -r ban "<address to ban>" 

The ban address can be a regular expressions, so to ban an address and all suffixes, use ^address.* as the address to ban.

Update: Matthew Saltzman pointed out that the . in .com needs to be escaped as well.






Leave a Reply