I'm running Mailman for a list, and one of my subscribers is getting this message from spamalert.net
(VIRUS) Re: [CWC] Fuel Tank Removal Received: Wednesday, Nov 23, 2005 at 9:03pm To: *******@*******.com (removed) mailto:mjpuetz@copper.net From: <******@*******.com mailto:danriffle@yahoo.com> Description: Outlook "CR" vulnerability This message was deleted and cannot be retrieved.
He said if the person sends directly to him, he gets the message just fine. It's when it bounces through Mailman that it picks up this error..
I'm perplexed now. :/
In a flurry of recycled electrons, Rob Poe wrote:
I'm running Mailman for a list, and one of my subscribers is getting this message from spamalert.net
(VIRUS) Re: [CWC] Fuel Tank Removal Received: Wednesday, Nov 23, 2005 at 9:03pm To: *******@*******.com (removed) mailto:mjpuetz@copper.net From: <******@*******.com mailto:danriffle@yahoo.com> Description: Outlook "CR" vulnerability This message was deleted and cannot be retrieved.
He said if the person sends directly to him, he gets the message just fine. It's when it bounces through Mailman that it picks up this error..
Checking on the error in question, (Outlook "CR" vulnerability), something is slipping in a naked <cr> character into the message header. Check all your configs for one of them. Also, is there a '\r' in there somewhere?
Python question- if you use a backslash at the end of a line in a string literal, can that bury a <cr> in the text?
Are you using a MAC, BTW? (Uses <cr> as EOL character.)
I'm perplexed now. :/
Reading spamalert's "support" page, I'm not surprised. It's more of a "no support" page...
z!
Sounds like more of a "throw the baby out with the bathwater" service.
Not ideal, IMO.
Maybe the user could whitelist the address of the mailing list (or the whole domain I use, perhaps)...
It's an unmodified installation of Mailman. only 0.0.1 versions behind what's running this list :0
---------- Original Message ----------- From: cpz@tuunq.com (Carl Zwanzig) To: Rob Poe rob@poeweb.com Cc: mailman-users@python.org Sent: Thu, 24 Nov 2005 09:45:20 -0800 (PST) Subject: Re: [Mailman-Users] Quick question ..
In a flurry of recycled electrons, Rob Poe wrote:
I'm running Mailman for a list, and one of my subscribers is getting this message from spamalert.net
(VIRUS) Re: [CWC] Fuel Tank Removal Received: Wednesday, Nov 23, 2005 at 9:03pm To: *******@*******.com (removed) mailto:mjpuetz@copper.net From: <******@*******.com mailto:danriffle@yahoo.com> Description: Outlook "CR" vulnerability This message was deleted and cannot be retrieved.
He said if the person sends directly to him, he gets the message just fine. It's when it bounces through Mailman that it picks up this error..
Checking on the error in question, (Outlook "CR" vulnerability), something is slipping in a naked <cr> character into the message header. Check all your configs for one of them. Also, is there a '\r' in there somewhere?
Python question- if you use a backslash at the end of a line in a string literal, can that bury a <cr> in the text?
Are you using a MAC, BTW? (Uses <cr> as EOL character.)
I'm perplexed now. :/
Reading spamalert's "support" page, I'm not surprised. It's more of a "no support" page...
z! ------- End of Original Message -------
Rob Poe wrote:
It's an unmodified installation of Mailman. only 0.0.1 versions behind what's running this list :0
I don't know anything about the "(Outlook "CR" vulnerability)" so this may be totally irrelevant, but in Mailman 2.1.5 and earlier ("only 0.0.1 versions behind"), if the original post contains a Cc: header, and all the addresses in the Cc: header are list members who are avoiding dups (often occurs if the OP Cc's herself or a reply Cc's the OP), Mailman will send the post with an empty Cc: header.
-- Mark Sapiro msapiro@value.net The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan
For a number of reasons (authentication and talking to the mail server through CLI) we are working on Perl CGI scripts to allow authenticated users create new mailing list through web interface, but we are running into permission issues. Can someone tell us what the permissions and owners of the following files need to be set to?
- The CGI Script being called from the web
- newlist
- config_list
Right now when we try and call newlist from the CGI script, we get a permissions error. Has anyone set anything up like this before?
Thanks. Xiaoyan
Xiaoyan Ma wrote:
Can someone tell us what the permissions and owners of the following files need to be set to?
- The CGI Script being called from the web
If your web server runs this as group 'mailman', that would probably suffice, but see below.
- newlist
- config_list
Right now when we try and call newlist from the CGI script, we get a permissions error.
The scripts in the bin/ directory are not SETGID. This is intentional. You don't want anyone who happens to have shell access to your box to be able to create and configure lists. Thus the scripts have to be run by some user who can create and update files in the mailman hierarchy
- the lists/ directory in particular in this case. Usually, this is root or the mailman user.
If you make newlist and config_list SETGID, that might suffice, but I suggest you also remove the world r and x permissions. E.g.
chmod 2750 newlist
Then you still have the problem that you have to run the script as either the owner or group of the file, but you could change the owner to the user that the CGI script runs as.
Alternatively, you could leave the bin/ scripts alone and make the CGI script group mailman and SETGID.
Whatever you do, you'll probably wind up with a situation where you have to insure that no one who isn't authorized to update mailman has shell access to the box, unless you set the web server to run the CGI as group mailman.
-- Mark Sapiro msapiro@value.net The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan
participants (4)
-
cpz@tuunq.com
-
Mark Sapiro
-
Rob Poe
-
Xiaoyan Ma