[Mailman-Users] Mail Lists, Authorized Posters and Virus/Worm Access
In my community last week, someone gained access to a mail list with hundreds of subscribers by mimicking an email address authorized to post to the list (moderation bit set OFF). In such a case, moderator approval was not required. What resulted was that a worm of the W32Beagle variety was sent to many hundreds of subscribers. I have changed all my mail lists to require active moderation of all posts (moderation bits are ON for all subscribers), and automatic rejection of all posts from non-members.
It appears that it was just a matter of time for someone with ill intent to figure out that the "from" address in a message from a mail list might represent access to the mail list for mischief. It would not appear accidental that a virus or worm operating on some unsuspecting individual's computer accidentally sent itself to the posting address of a mail list as well as from an authorized email address. It is more likely that it was deliberate.
On 5 May 2004, at 09:28, Bob Bowers wrote:
> In my community last week, someone gained access to a mail list with hundreds of subscribers by mimicking an email address authorized to post to the list (moderation bit set OFF). In such a case, moderator approval was not required. What resulted was that a worm of the W32Beagle variety was sent to many hundreds of subscribers. I have changed all my mail lists to require active moderation of all posts (moderation bits are ON for all subscribers), and automatic rejection of all posts from non-members.
> It appears that it was just a matter of time for someone with ill intent to figure out that the "from" address in a message from a mail list might represent access to the mail list for mischief. It would not appear accidental that a virus or worm operating on some unsuspecting individual's computer accidentally sent itself to the posting address of a mail list as well as from an authorized email address. It is more likely that it was deliberate.
I doubt that the virus writer was targeting mailing lists in this considered fashion; to them, a mail alias is just a mail alias.
I understand these virus types use the MUA address book on machines they infect as a source of mail addresses to send their progeny on to. One of your list's subscribers was probably the source of the infected message and your list's address just one of a number pillaged from that user's address book as destinations by a promiscuous virus.
In my view, running effective virus (and spam) filtering on your incoming MTA is the secret of happiness. It keeps viruses away from both your lists' and your real users' mail aliases, and it means you do not have to moderate everything if the virus-loaded messages are being silently dropped in the bit bucket by the MTA.
Bob Bowers wrote on Wed, 05 May 2004 01:28:59 -0700:
> In my community last week, someone gained access to a mail list with hundreds of subscribers by mimicking an email address authorized to post to the list (moderation bit set OFF). In such a case, moderator approval was not required.
You want to say that someone forged a member email address and posted to the list and it got distributed to the list? There's no "mimicking". You simply subscribe to the list and collect addresses. Or the virus just grabs from what is on the PC and sends to the list with a member's address found in the same mail. Viruses often grab sender and recipient of an email and send two "cross-over" mails to both of them. That happens to all open mailing lists. You can avoid it by virus scanning the list or stripping all (executable) attachments.
Kai
--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
IE-Center: http://ie5.de & http://msie.winware.org
On Wed, May 05, 2004 at 01:28:59AM -0700, Bob Bowers wrote:
> In my community last week, someone gained access to a mail list with hundreds of subscribers by mimicking an email address authorized to post to the list (moderation bit set OFF).
The shortcoming of this approach to moderation is discussed in the FAQ:
http://www.python.org/cgi-bin/faqw-mm.py?req=show&file=faq03.011.htp
> What resulted was that a worm of the W32Beagle variety was sent to many hundreds of subscribers.
Sorry to hear that. As others have mentioned, you might want to explore setting up anti-virus filtering on your mail server and/or restrict the types of attachments your mailing list(s) allow.
George
theall@tifaware.com
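
The attachment restriction suggested in Kai's and George's replies, as an added sketch that is not part of the thread and not Mailman's own code: a post passes the member check on its unauthenticated From header, and the attachment filter is what stops the payload. The blocked extension and MIME type lists, the addresses and all function names are assumptions chosen for illustration.

```python
from email.message import EmailMessage
from email.utils import parseaddr

# Assumed local policy, not a list taken from the thread or from Mailman.
BLOCKED_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".hta", ".cpl")
BLOCKED_TYPES = {"application/x-msdownload", "application/x-msdos-program"}

def blocked_name(name):
    # Compare case-insensitively and ignore trailing dots/spaces, which Windows
    # drops when saving; only the last extension matters ("Price.TXT.ScR").
    return (name or "").lower().rstrip(". ").endswith(BLOCKED_EXT)

def is_blocked(part):
    return blocked_name(part.get_filename()) or part.get_content_type() in BLOCKED_TYPES

def strip_blocked(msg):
    """Remove blocked parts in place, recursing into nested multiparts."""
    removed = []
    if msg.is_multipart():
        kept = []
        for child in msg.get_payload():
            if is_blocked(child):
                removed.append(child.get_filename() or child.get_content_type())
            else:
                removed.extend(strip_blocked(child))
                kept.append(child)
        msg.set_payload(kept)
    return removed

def check_post(msg, members):
    """Return (from_header_matches_member, names_of_removed_parts)."""
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    return sender in members, strip_blocked(msg)

def sample_post():
    # Constructed message: the From header is whatever the sender typed.
    m = EmailMessage()
    m["From"] = "Member One <member@example.org>"
    m["To"] = "list@example.org"
    m["Subject"] = "Re: price list"
    m.set_content("Please see the attached file.")
    m.add_attachment(b"MZ\x90\x00", maintype="application",
                     subtype="octet-stream", filename="Price.TXT.ScR")
    m.add_attachment("meeting notes", filename="notes.txt")
    return m

if __name__ == "__main__":
    print(check_post(sample_post(), {"member@example.org"}))
```

A post whose only part is itself a blocked type is not multipart, so it should be held or rejected whole. Archives pass this filter unchanged, so it complements scanning at the MTA and does not replace it.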
participants (4)
- Bob Bowers
- George Theall
- Kai Schaetzl
- Richard Barrett