my mailman has been hacked !!

HELP!!
one of my lists has been hacked.. all members are moderated, except my own email address (my@email.com) which I use to post to the list ..
someone sent from my address to the list and all my subscribers have received a damn virus as an attachment!! but the 'From' name is not me, which means that the sender didn't use my email to send but used a kind of open-relayed server or something ..
please help what should I do ???

On Wed, May 27, 2009 at 19:23, Khalil Abbas <khillo100@hotmail.com> wrote:
> HELP!!
> one of my lists has been hacked.. all members are moderated, except my own email address (my@email.com) which I use to post to the list ..
> someone sent from my address to the list and all my subscribers have received a damn virus as an attachment!! but the 'From' name is not me, which means that the sender didn't use my email to send but used a kind of open-relayed server or something ..
> please help what should I do ???
Look at the headers and work out what really happened.
Forging email addresses is trivial. It is the work of a few seconds to send an email with somebody else's email address. You can mitigate somewhat by using SPF and DKIM, but it does require that everybody checks your SPF and DKIM records - not everybody does.
-- Please keep list traffic on the list.
Rob MacGregor Whoever fights monsters should see to it that in the process he doesn't become a monster. Friedrich Nietzsche
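
One way to do the header check suggested above, as an added example that is not part of the original thread. The function name `triage`, the sample message and every host name in it are constructed for illustration, and the code assumes your own MTA stamps an Authentication-Results header and the topmost Received line.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (placeholder hosts and addresses): a post that claims the
# list owner's address but arrived through an unrelated relay.
SAMPLE = """\
Return-Path: <bounce@relay.example.net>
Authentication-Results: mx.mydomain.example; spf=fail smtp.mailfrom=relay.example.net; dkim=none
Received: from unknown (HELO pc) (203.0.113.77)
\tby mx.mydomain.example with SMTP; Wed, 27 May 2009 17:01:00 +0000
From: "Somebody Else" <my@email.com>
To: listname@mydomain.example
Subject: see attachment

body
"""

def triage(raw, owner_addr, trusted_authserv):
    """Summarise what the headers say about a post claiming owner_addr."""
    msg = message_from_string(raw)
    display, from_addr = parseaddr(msg.get("From", ""))
    _, env_from = parseaddr(msg.get("Return-Path", ""))
    report = {
        "claims_owner": from_addr.lower() == owner_addr.lower(),
        "display_name": display,
        "envelope_domain_matches":
            env_from.rpartition("@")[2].lower() == from_addr.rpartition("@")[2].lower(),
        "spf": "none",
        "dkim": "none",
    }
    # Only trust Authentication-Results stamped by our own MTA; a sender can
    # insert a fake one, so skip any other authserv-id.
    for ar in msg.get_all("Authentication-Results", []):
        authserv, _, results = ar.partition(";")
        if authserv.strip().lower() != trusted_authserv.lower():
            continue
        for method in ("spf", "dkim"):
            found = re.search(rf"\b{method}=(\w+)", results)
            if found:
                report[method] = found.group(1).lower()
    # The Received line added by our own MX records the connecting client;
    # anything below it is supplied by the sender and can be forged.
    hops = msg.get_all("Received", [])
    report["first_trusted_hop"] = " ".join(hops[0].split()) if hops else ""
    report["unauthenticated_owner_claim"] = report["claims_owner"] and \
        "pass" not in (report["spf"], report["dkim"])
    return report

if __name__ == "__main__":
    print(triage(SAMPLE, "my@email.com", "mx.mydomain.example"))
```

A post that claims the owner's address while neither SPF nor DKIM passed is exactly the case where an address-based moderation exemption should not be relied on.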

On May 27, 2009, at 1:23 PM, Khalil Abbas wrote:
> all members are moderated, except my own email address
> (my@email.com) which I use to post to the list ..
> someone sent from my address
> the 'From' name is not me,
Please clarify. Did the From line contain your email address (my@email.com) or not? You seem to be saying two different things.
If, as I suspect, someone is merely forging your address to post to
the list, there are two things that you can do (I would recommend that
you do (1) as an immediate and temporary measure, until you can get
(2) in place).
(1) Moderate even your own postings, so that your list moderator
password is required to post, even if "from" your own address.
(2) Improve the spam/virus filtering on your mailserver. A forged
message from an open relay containing a virus should have been stopped
by your mail system long before it reached mailman.
Cheers,
-j

Jeffrey Goldberg wrote:
> On May 27, 2009, at 1:23 PM, Khalil Abbas wrote:
>> all members are moderated, except my own email address
>> (my@email.com) which I use to post to the list ..
>> someone sent from my address
>> the 'From' name is not me,
> Please clarify. Did the From line contain your email address (my@email.com) or not? You seem to be saying two different things.
> If, as I suspect, someone is merely forging your address to post to
> the list, there are two things that you can do (I would recommend that
> you do (1) as an immediate and temporary measure, until you can get
> (2) in place).
> (1) Moderate even your own postings, so that your list moderator
> password is required to post, even if "from" your own address.
> (2) Improve the spam/virus filtering on your mailserver. A forged
> message from an open relay containing a virus should have been stopped
> by your mail system long before it reached mailman.
Two comments in addition to the above good advice.
Almost anyone can spoof your address in the From: of an email. This does not require an open relay server or anything fancy. Almost any MUA can do it.
That is why for announce lists we recommend moderating everyone and if you want to avoid moderation when posting, use an Approved: header to bypass moderation. See the FAQs at <http://wiki.list.org/x/3YA9> and <http://wiki.list.org/x/XIA9>.
--
Mark Sapiro <mark@msapiro.net>
San Francisco Bay Area, California
The highway is for gamblers, better use your sense - B. Dylan

Ok I have a set of problems here..
First, posting to the list using Approved: header as the first line of the message body did not work because I'm sending formatted messages using Microsoft outlook with tables n stuff ..
Second, I tried the following: keep an email address as non moderated to be able to post to the list and in General options, I turned the option :
Hide the sender of a message, replacing it with the list address = YES
this way hackers n spammers won't know which address is allowed to post but now the subscribers are receiving From: listname@mydomain.com and not from: 'My web site's Name' which is annoying..
Third, I can't afford to turn everyone's moderation bit on even my own address and then approve the messages using the web interface for 2 reasons:
1- I have 7 lists which is a real pain to log into each one of them and approve the messages..
2- I'm afraid to approve one of the tens of spam and members messages by mistake ..
what's the advice??
Thanks ..
> Date: Wed, 27 May 2009 16:39:28 -0700
> From: mark@msapiro.net
> To: jeffrey@goldmark.org; khillo100@hotmail.com
> CC: mailman-users@python.org
> Subject: Re: [Mailman-Users] my mailman has been hacked !!
>
> Jeffrey Goldberg wrote:
>> On May 27, 2009, at 1:23 PM, Khalil Abbas wrote:
>>> all members are moderated, except my own email address (my@email.com) which I use to post to the list ..
>>> someone sent from my address
>>> the 'From' name is not me,
>> Please clarify. Did the From line contain your email address (my@email.com) or not? You seem to be saying two different things.
>> If, as I suspect, someone is merely forging your address to post to the list, there are two things that you can do (I would recommend that you do (1) as an immediate and temporary measure, until you can get (2) in place).
>> (1) Moderate even your own postings, so that your list moderator password is required to post, even if "from" your own address.
>> (2) Improve the spam/virus filtering on your mailserver. A forged message from an open relay containing a virus should have been stopped by your mail system long before it reached mailman.
> Two comments in addition to the above good advice.
> Almost anyone can spoof your address in the From: of an email. This does not require an open relay server or anything fancy. Almost any MUA can do it.
> That is why for announce lists we recommend moderating everyone and if you want to avoid moderation when posting, use an Approved: header to bypass moderation. See the FAQs at <http://wiki.list.org/x/3YA9> and <http://wiki.list.org/x/XIA9>.
> --
> Mark Sapiro <mark@msapiro.net>
> San Francisco Bay Area, California
> The highway is for gamblers, better use your sense - B. Dylan

Khalil Abbas wrote:
> First, posting to the list using Approved: header as the first line of the message body did not work because I'm sending formatted messages using Microsoft outlook with tables n stuff ..
If you post a multipart/alternative message with a text/plain and a text/html part, the first line Approved: header should work although its removal from the HTML part isn't 100% guaranteed.
Also, I can't tell you how to do it in MS Outlook, but many MUAs have a mechanism for adding true headers to the mail.
Try <http://www.google.com/#q=add+custom+header+outlook>
> Second, I tried the following: keep an email address as non moderated to be able to post to the list and in General options, I turned the option :
> Hide the sender of a message, replacing it with the list address = YES
> this way hackers n spammers won't know which address is allowed to post but now the subscribers are receiving From: listname@mydomain.com and not from: 'My web site's Name' which is annoying..
And it won't stop the spammers anyway. The spammers may have just been lucky in spoofing your address, and even if you assume they got your list address and posting address from spyware on one of your member's computers, they have it.
> Third, I can't afford to turn everyone's moderation bit on even my own address and then approve the messages using the web interface for 2 reasons:
> 1- I have 7 lists which is a real pain to log into each one of them and approve the messages..
> 2- I'm afraid to approve one of the tens of spam and members messages by mistake ..
> what's the advice??
We gave you the advice. Post with an Approved: header or an Approved: first line in a multipart/alternative message. You can do it.
--
Mark Sapiro <mark@msapiro.net>
San Francisco Bay Area, California
The highway is for gamblers, better use your sense - B. Dylan
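
The two ways of carrying the Approved: password described in this thread, as an added example that is not part of the original messages or of Mailman itself. The names `build_post` and `parts_containing`, the addresses and the password are constructed placeholders, and the body variant assumes the HTML contains a plain `<body>` tag.

```python
from email.message import EmailMessage

def build_post(sender, list_addr, subject, text, html, password, as_header=True):
    """Build a multipart/alternative post that carries the Approved: password.

    as_header=True  -> a true Approved: header; the bodies never see the password.
    as_header=False -> "Approved: <password>" as the first line of both parts,
                       for mail clients that cannot add custom headers.
    """
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, list_addr, subject
    if as_header:
        msg["Approved"] = password
    else:
        line = f"Approved: {password}"
        text = f"{line}\n{text}"
        # Assumes the HTML has a plain <body> tag to insert after.
        html = html.replace("<body>", f"<body>{line}<br>\n", 1)
    msg.set_content(text)                       # text/plain part
    msg.add_alternative(html, subtype="html")   # text/html part
    return msg

def parts_containing(msg, secret):
    """Return the content types of body parts in which the secret appears."""
    return [part.get_content_type() for part in msg.walk()
            if not part.is_multipart() and secret in part.get_content()]

# Constructed placeholders, not real addresses or credentials.
PASSWORD = "LIST-PASSWORD-PLACEHOLDER"
ARGS = ("my@email.com", "listname@mydomain.example", "Newsletter",
        "Plain-text version of the newsletter.\n",
        "<html><body><table><tr><td>Formatted version</td></tr></table></body></html>\n")

if __name__ == "__main__":
    for as_header in (True, False):
        post = build_post(*ARGS, PASSWORD, as_header=as_header)
        print(as_header, post.get_content_type(), parts_containing(post, PASSWORD))
```

With the true header no body part contains the password, so nothing depends on it being stripped from the HTML part; with the first-line form it sits in both parts until the list software removes it.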