1

I have recently started getting a lot of POST requests to my mailman subscription page at /mailman//subscribe/example-info_example.co.uk and the server HTTP log shows:

204.52.107.22 - - [06/Jan/2021:04:07:39 +0000] "POST /mailman//subscribe/example-info_example.co.uk HTTP/1.1" 200 1334 "-" "axios/0.19.2"

An email is then sent to an email address not on the mailman mailing lists subscriber list.

The mailing list is configure to reject emails coming from any email address other than the list administrator.

Therefore I would like to know what is being sent in these requests. Is there a command or script I could run to get the contents of these POST requests?

Ross Hodgman
  • 31
  • 1
  • 2
  • Usually POST data is not logged. If you have access to the apache configuration you might want to check https://stackoverflow.com/questions/989967/best-way-to-log-post-data-in-apache – Dobromir Velev Jan 13 '21 at 14:39

1 Answers1

1

These are known subscribe bots, they subscribe a pile of innocent users to hundreds of lists. I literally have over 10K ips I've collected and blocked over the past year. A couple things you can do is block based on client string or upgrade your mailman install to a newer version that forces formdata to originate from the subscription page and not directly access the formaction. Also I advocate looking up the abuse email from the network they are coming from and emailing a complaint with some log excerpts. So far it hasn't done me any good but most of these attacks are coming from hosting facilities, I even had a few from Amazon. If enough people complain maybe these hosting providers will shut down this activity.

user629780
  • 11
  • 1