[ mailman-Bugs-914249 ] Virus posts to moderated lists

Bugs item #914249, was opened at 2004-03-11 11:28
Message generated for change (Comment added) made by sekhar-cu
You can respond by visiting: https://sourceforge.net/tracker/?func=detail&atid=100103&aid=914249&group_id=103

Category: security/privacy
Group: 2.1 (stable)
Status: Open
Resolution: None
Priority: 5
Submitted By: Ted Peterson (knighted)
Assigned to: Nobody/Anonymous (nobody)
Summary: Virus posts to moderated lists

Initial Comment:
The W32.Beagle virus has been able to post multiple times to a moderated Mailman 2.1.3 mailing list, so emergency moderation of the list has been enabled. At least two other people, as reported on mailman-users, have had this trouble since last Friday, March 5th, when W32.Beagle was spreading.

The virus was posting using a moderator address, so that moderator was removed. The moderator bit is and was turned on for all users, including the now *sole* moderator.

I can send the mbox archive headers to anybody who is interested. Mail: ted <at> ire.org

--Ted

----------------------------------------------------------------------

Comment By: Sekhar Ramakrishnan (sekhar-cu)
Date: 2004-03-19 11:12

Message:
Logged In: YES
user_id=1001877

I don't know if this is the same bug, but a Mailman 2.1.3 members-only list that I administer had two messages that got through, one from staff@<listdomain> and the other from management@<listdomain>. Other messages at the same time from official-sounding ids on our domain got held up as being from nonmembers.

Sekhar

----------------------------------------------------------------------

Comment By: NancyS (nes49)
Date: 2004-03-11 15:01

Message:
Logged In: YES
user_id=995718

As one of the other people reporting the problem, let me add a bit of info on our experience.

Mailman 2.1.1

My hypothesis now is that one of the people who could post without moderation released the virus. [I haven't been able to get definitive confirmation of that, but coupling "we were having some trouble" with a match on the ISP domain name leads me to that guess.]

I haven't been able to tie the messages to a specific address subscribed to the list, but would be glad to probe further if given some direction.

We haven't seen any additional occurrences since turning on moderation for all users.

Between the first and second attack, I changed the passwords for the affected lists thinking that an Approved: header might have been used, but there's no evidence that was the case.

-Nancy
mailman <at> sgtst.com

----------------------------------------------------------------------

Comment By: Caleb Epstein (cepstein)
Date: 2004-03-11 14:36

Message:
Logged In: YES
user_id=36183

The virus is making it through to the lists by using an "envelope-from" (I believe that is the right term) of a valid, subscribed list member, but a From: header which is some address that does not exist and is not a member of the list (usually admin@ or management@ the mailing list's domain).

See for example the message at http://bklyn.org/~cae/mailman-stumper.txt

This message appears first in the MTA's logs as:

2004-03-11 16:31:44 1B1T5z-0009zY-00 <= SUBSCRIBER@DOMAIN.COM H=(srr2) [192.168.100.17] P=smtp S=17730 id=pbecvykwgcgqjemyxjx@Etree.org from <SUBSCRIBER@DOMAIN.COM> for Announce@etree.org

where SUBSCRIBER@DOMAIN.COM is a valid list subscriber with posting privileges.

----------------------------------------------------------------------

Comment By: NancyS (nes49)
Date: 2004-03-11 14:15

Message:
Logged In: YES
user_id=995718

As one of the other people reporting the problem, let me add a bit of info on our experience.

Mailman 2.1.1

My hypothesis now is that one of the people who could post without moderation released the virus. [I haven't been able to get definitive confirmation of that, but coupling "we were having some trouble" with a match on the ISP domain name leads me to that guess.]

I haven't been able to tie the messages to a specific address subscribed to the list, but would be glad to probe further if given some direction.

We haven't seen any additional occurrences since turning on moderation for all users.

Between the first and second attack, I changed the passwords for the affected lists thinking that an Approved: header might have been used, but there's no evidence that was the case.

-Nancy
mailman <at> sgtst.com

----------------------------------------------------------------------

Comment By: dk (karres)
Date: 2004-03-11 12:28

Message:
Logged In: YES
user_id=995621

... sorry, hit the submit button too soon...

The non-member messages that get past the non-member filter are being caught by the forced moderation, so the messages are not getting to the list itself. It does make us nervous though.

----------------------------------------------------------------------

Comment By: dk (karres)
Date: 2004-03-11 12:20

Message:
Logged In: YES
user_id=995621

More generally we have only moderated, read-only lists for our users. All incoming, non-member messages should be discarded. We are seeing a few virus-laden messages from obvious non-members getting past the non-member filters.

----------------------------------------------------------------------

You can respond by visiting: https://sourceforge.net/tracker/?func=detail&atid=100103&aid=914249&group_id=103
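The mechanism Caleb Epstein describes above (a member's address in the envelope sender, a non-member address in From:) slips past any membership check that accepts a message when *any* of several candidate sender addresses belongs to a member. The following is an added illustration written for this thread, not Mailman's own code: it parses a constructed message shaped like the reported one, shows the permissive "any candidate is a member" policy accepting it, shows a From:-only policy holding it, and gives a small detection rule a list admin could run over held or archived mail to spot the envelope/From: mismatch. The member roster, the sample messages and every function name are constructed for the example. Mailman 2.1 builds its candidate list from a `SENDER_HEADERS` tuple in `Defaults.py` (where `None` stands for the envelope sender) that can be overridden in `mm_cfg.py`; that is stated from memory, so verify it against your installed `Defaults.py` before changing it.

```python
"""Added example for mailman bug #914249 (not Mailman's code).

Shows why a 'sender is a member' check that also accepts the envelope
sender lets a message with a non-member From: through, and how to
restrict or at least flag such posts.  All data below is constructed.
"""
import email
from email.utils import parseaddr

# Constructed roster for a members-only list (assumption).
MEMBERS = {"subscriber@domain.com", "alice@example.org"}

# Constructed message modelled on the thread's symptom: the envelope
# sender (Return-Path) is a real member, From: is a non-member address.
FORGED_MESSAGE = b"""\
Return-Path: <subscriber@domain.com>
From: management@etree.org
To: announce@etree.org
Subject: (constructed sample)

body
"""

# Constructed legitimate post: envelope sender and From: agree.
LEGIT_MESSAGE = b"""\
Return-Path: <subscriber@domain.com>
From: Some Subscriber <subscriber@domain.com>
To: announce@etree.org
Subject: (constructed sample)

body
"""

# Permissive candidate list; None stands for the envelope sender, the
# same convention as Mailman 2.1's SENDER_HEADERS (assumed from memory).
PERMISSIVE_HEADERS = ("from", None, "reply-to", "sender")


def candidate_senders(raw, headers=PERMISSIVE_HEADERS):
    """Return the lower-cased addresses a check would consider, in order."""
    msg = email.message_from_bytes(raw)
    found = []
    for h in headers:
        field = "return-path" if h is None else h
        value = msg.get(field)
        if value:
            addr = parseaddr(value)[1].lower()
            if addr:
                found.append(addr)
    return found


def permissive_check(raw, members=MEMBERS):
    """Weak policy: accept if ANY candidate sender is a member."""
    return any(a in members for a in candidate_senders(raw))


def strict_check(raw, members=MEMBERS):
    """Stricter policy: decide on the From: header only."""
    return any(a in members for a in candidate_senders(raw, headers=("from",)))


def sender_mismatch(raw, members=MEMBERS):
    """Detection: envelope sender is a member but From: is not.

    Useful for sweeping held or archived mail after the fact, or as a
    reason to hold a post for moderator review rather than accept it.
    """
    env = candidate_senders(raw, headers=(None,))
    frm = candidate_senders(raw, headers=("from",))
    return bool(env) and env[0] in members and not any(a in members for a in frm)


if __name__ == "__main__":
    for name, raw in (("forged", FORGED_MESSAGE), ("legit", LEGIT_MESSAGE)):
        print(name, "permissive:", permissive_check(raw),
              "strict:", strict_check(raw),
              "mismatch:", sender_mismatch(raw))
```

The strict variant has a cost the thread hints at: members who post through a forwarding address or whose MUA sets From: differently from the envelope will be held as non-members, so on a busy list the mismatch rule as a hold-for-review trigger is usually the gentler first step.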