Great Circle Associates List-Managers
(March 1997)
 


Subject: massive list subscription bombs (was Possible spam?)
From: edmonds @ cs . ubc . ca (Brian Edmonds)
Date: 22 Mar 1997 22:50:37 -0800
Cc: recipient.list.not.shown:;
>received: from mornir.gweep.bc.ca by edmonds.home.cs.ubc.ca (Sendmail 8.7.5)with SMTP id WAA08623; Sat, 22 Mar 1997 22:50:43 -0800
In-reply-to: Chuq Von Rospach's message of Fri, 21 Mar 1997 22:44:36 -0800
Newsgroups: news.admin.net-abuse.email

I'm copying this up to nana.email, as it appears to be a concerted
attack via email, rather than an isolated incident.  As I discuss below,
it may also be related to news, but seems primarily a mail problem.

Chuq Von Rospach <chuqui@plaidworks.com> writes:
> Oh, yeah. There's a lot of spam going down, and a lot of users,
> including many AOL users, being forged onto list.

For the past week I've been noticing a sharp increase in zubscribe
activity on my lists, including a number of people zubscribing to an
unusual spectrum of lists.  Most of the latter I've manually removed
proactively.

This attack has been somewhat unusual in that the lists that are being
attacked are not the digest lists, which the server advertises, but the
regular versions.  These are widely advertised in the PAML and such, but
most obvious attacks I've dealt with before this have been vectored via
the server's lists command, and thus the digests.

> I'm still looking for a clean way to put a procmail filter in front of
> my server and trap this until I can get majordomo up and upgrade all
> my stuff.

Sorry, can't help with the procmail, but I highly recommend majordomo
1.94 (and up).  Last night I finally got tired of all the people who
were obviously being indirectly mailbombed through my lists, bit the
bullet, and upgraded my majordomo from 1.93 to 1.94.1.  Presto chango,
no more wild subscription sprees.

I did get one interesting bounce of a confirm message today from a bad
address someone tried to subscribe.  It was one of those .REMOVE
anti-spam doctored addresses a number of people use for news postings.
This leads me to believe someone is either randomly harvesting people to
attack from news postings, or is running an active campaign against the
posters on particular news groups.

Brian.
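
The message above describes two signs of forged subscriptions: one address joining an unusual spread of lists, and confirmation bounces from .REMOVE-style doctored addresses. The sketch below is an added example, not part of the original post and not Majordomo code, that checks a subscription log for both. The log layout, list names, addresses, thresholds and the `suspicious` function are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample log: "<ISO timestamp> <list> <address>". This layout is
# an assumption for the example, not Majordomo's own log format.
SAMPLE_LOG = """\
1997-03-21T09:00:05 cats-l alice@example.org
1997-03-21T21:14:02 cats-l victim@example.com
1997-03-21T21:14:09 trains-l victim@example.com
1997-03-21T21:14:15 knitting-l victim@example.com
1997-03-21T21:14:31 perl-l victim@example.com
1997-03-21T21:15:40 perl-l bob@REMOVE.example.net
1997-03-25T10:00:00 trains-l alice@example.org
"""

# Tokens people insert to doctor addresses in news postings (assumed list).
MUNGE = re.compile(r"(^|[.@_-])(remove|nospam)([.@_-]|$)", re.I)

def parse(log):
    """Yield (timestamp, list, address) tuples from well-formed log lines."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        ts, lst, addr = parts
        yield datetime.fromisoformat(ts), lst.lower(), addr.lower()

def suspicious(log, window=timedelta(hours=24), min_lists=3):
    """Return {address: reasons} for likely forged subscriptions."""
    by_addr = defaultdict(list)
    for ts, lst, addr in parse(log):
        by_addr[addr].append((ts, lst))
    flagged = defaultdict(list)
    for addr, events in by_addr.items():
        events.sort()
        if MUNGE.search(addr):
            flagged[addr].append("doctored address")
        # Sliding window: distinct lists joined within `window` of each event.
        for i, (start, _) in enumerate(events):
            lists = {l for t, l in events[i:] if t - start <= window}
            if len(lists) >= min_lists:
                flagged[addr].append(f"{len(lists)} lists within {window}")
                break
    return dict(flagged)
```

Flagged addresses are candidates for manual review or removal; a confirmation step on the server stops the forged requests from taking effect in the first place.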

