Virus Just Got Through on TOTALLY MODERATED list.
Guys,
I just had a small problem. A virus was just sent to all the list members which had spoofed the moderator's email address. No "requires approval" message was sent, despite the fact that everyone (even the moderator) has the "mod" bit set to "on".
http://securityresponse.symantec.com/avcenter/venc/data/w32.beagle.ba@mm.htm...
Are there any known and open bugs in 2.1.5 that would allow this behavior?
Is there any way of telling in the headers (or archives, or logs?) how a message was approved?
Here's the headers:
```
Return-Path: <vgc-announce-bounces+varoots=gushi.org@vagrassroots.org>
Received: from prime.gushi.org (localhost [IPv6:::1]) by prime.gushi.org (8.13.1/8.13.1) with ESMTP id j0S2GH5b080701 for <varoots@gushi.org>; Thu, 27 Jan 2005 22:50:56 -0500 (EST)
Received: from ROBERTA.net (pcp08579508pcs.alxndr01.va.comcast.net [68.83.208.54]) by prime.gushi.org (8.13.1/8.13.1) with SMTP id j0S2FV8o080233 for <vgc-announce@vagrassroots.org>; Thu, 27 Jan 2005 21:15:35 -0500 (EST)
Date: Thu, 27 Jan 2005 21:05:09 -0500
```
Any ideas?
-Dan Mahoney
--
"Ca. Tas. Tro. Phy."
-John Smedley, March 28th 1998, 3AM
--------Dan Mahoney--------
Techie, Sysadmin, WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144 AIM: LarpGM
Site: http://www.gushi.org
Maybe you should install a virus scanning feature to your mailer?
I use mimedefang which has a hook to many different virus scanning products. I use f-prot.
My platform:
Fedora Core 2, Sendmail 8.13.1, mimedefang 2.48, f-prot linux ws 4.4.2
This configuration discards infected email messages.
Jeff g.
Dan Mahoney, System Admin wrote:
> Guys,
>
> I just had a small problem. A virus was just sent to all the list members which had spoofed the moderator's email address. No "requires approval" message was sent, despite the fact that everyone (even the moderator) has the "mod" bit set to "on".
>
> http://securityresponse.symantec.com/avcenter/venc/data/w32.beagle.ba@mm.htm...
>
> Are there any known and open bugs in 2.1.5 that would allow this behavior?
>
> Is there any way of telling in the headers (or archives, or logs?) how a message was approved?
>
> Here's the headers:
>
> Return-Path: <vgc-announce-bounces+varoots=gushi.org@vagrassroots.org>
> Received: from prime.gushi.org (localhost [IPv6:::1]) by prime.gushi.org (8.13.1/8.13.1) with ESMTP id j0S2GH5b080701 for <varoots@gushi.org>; Thu, 27 Jan 2005 22:50:56 -0500 (EST)
> Received: from ROBERTA.net (pcp08579508pcs.alxndr01.va.comcast.net [68.83.208.54]) by prime.gushi.org (8.13.1/8.13.1) with SMTP id j0S2FV8o080233 for <vgc-announce@vagrassroots.org>; Thu, 27 Jan 2005 21:15:35 -0500 (EST)
> Date: Thu, 27 Jan 2005 21:05:09 -0500
>
> Any ideas?
>
> -Dan Mahoney
>
> --
> "Ca. Tas. Tro. Phy."
> -John Smedley, March 28th 1998, 3AM
>
> --------Dan Mahoney-------- Techie, Sysadmin, WebGeek Gushi on efnet/undernet IRC ICQ: 13735144 AIM: LarpGM Site: http://www.gushi.org
>
> Mailman-Users mailing list Mailman-Users@python.org http://mail.python.org/mailman/listinfo/mailman-users Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
-- Law of Procrastination: Procrastination avoids boredom; one never has the feeling that there is nothing important to do.
Agreed: I run Fedora Core 2 with Mailman on one of my mail servers, using MIMEDefang with SpamAssassin and Clam Antivirus, along with having my lists fully moderated. I've never had even one spam or virus get through (lists have been up for several years; started with RedHat 6.2 or 7.1 and Mailman 2.0.7, as I recall).
Bob
On Fri, 28 Jan 2005, Jeff Groves wrote:
> Maybe you should install a virus scanning feature to your mailer?
>
> I use mimedefang which has a hook to many different virus scanning products. I use f-prot.
>
> My platform:
> Fedora Core 2, Sendmail 8.13.1, mimedefang 2.48, f-prot linux ws 4.4.2
>
> This configuration discards infected email messages.
>
> Jeff g.
Bob Sully - Simi Valley, California, USA http://www.malibyte.net http://www.malibyte.com
"There will be no white flag above my door."
Dan Mahoney wrote:
> I just had a small problem. A virus was just sent to all the list members which had spoofed the moderator's email address. No "requires approval" message was sent, despite the fact that everyone (even the moderator) has the "mod" bit set to "on".
>
> http://securityresponse.symantec.com/avcenter/venc/data/w32.beagle.ba@mm.htm...
>
> Are there any known and open bugs in 2.1.5 that would allow this behavior?
I don't think so. If, as you say, all members' "mod" bits are on, and no one is in accept_these_nonmembers, and generic_nonmember_action is other than "Accept", then the only way I know for a message to get through without explicit moderator action is for the message to contain an Approved: header (or first line of body) with the list password. I'd guess that any message generated by a Windows e-mail worm would not have this. Thus, I don't know how it got through.
> Is there any way of telling in the headers (or archives, or logs?) how a message was approved?
If it was actually approved, there should be an entry in Mailman's vette log. If it just "went through", I don't think there is any way to know why at this point.
-- Mark Sapiro <msapiro@value.net>, San Francisco Bay Area, California
The highway is for gamblers, better use your sense - B. Dylan
Dan Mahoney, System Admin wrote:
> Guys,
>
> I just had a small problem. A virus was just sent to all the list members which had spoofed the moderator's email address. No "requires approval" message was sent, despite the fact that everyone (even the moderator) has the "mod" bit set to "on".
>
> http://securityresponse.symantec.com/avcenter/venc/data/w32.beagle.ba@mm.htm...
OK, I'm just speculating here... what if there's a virus/trojan out that is able to take email that a user had already sent (email in the "sent" folder), and resend it with a virus payload (in this case, the beagle.ba virus above)? If it grabbed an email that the moderator had sent to the list with the Approved: password included, and just appended the virus payload, it would result in what you saw, right? What was the subject of the virus-laden email? Was it a subject that had been previously posted to your list?
<soapbox> This is why my lists don't allow any attachments at all. IMHO, the "benefits" of making it easy for people to send files to a mailing list are outweighed by the "costs" (when a virus gets thru). I tell posters to put the file on a server and then email a post with a link to the file. </soapbox>
jc
On Fri, 28 Jan 2005 22:50:11 -0800, JC Dill <lists05@equinephotoart.com> wrote:
> OK, I'm just speculating here... what if there's a virus/trojan out that is able to take email that a user had already sent (email in the "sent" folder), and resend it with a virus payload (in this case, the beagle.ba virus above)? If it grabbed an email that the moderator had sent to the list with the Approved: password included, and just appended the virus payload, it would result in what you saw, right? What was the subject of the virus-laden email, was it a subject that had been previously posted to your list.
The FAQ states that Mailman removes the Approved header before sending the message out to the list. So the only way for a virus to grab the Approved header with the password is if the list moderator is infected and kept a previously sent message with the Approved header. Certainly possible but not with Beagle (iirc) which creates a new mail message and only grabs email addresses from existing messages. There are some viruses which do resend existing messages in the infected computer's mail folders, adding on the virus attachment, but that wasn't the case with Beagle.
-- hth, Stephanie
Links blog: http://alice.ttlg.net/links/ Glenfinnan Web Hosting: http://www.glenfinnan.net/
At 10:50 PM -0800 2005-01-28, JC Dill wrote:
> OK, I'm just speculating here... what if there's a virus/trojan out that is able to take email that a user had already sent (email in the "sent" folder), and resend it with a virus payload (in this case, the beagle.ba virus above)? If it grabbed an email that the moderator had sent to the list with the Approved: password included, and just appended the virus payload, it would result in what you saw, right?
One flaw in this theory -- the Approved: header gets stripped before the message is posted to the list. The only way the Approved: header could get captured by the virus would be if the moderator's account is the one that got infected, and the virus pulled the approved message out of the "sent" mailbox of the moderator.
Even then, most moderators work via the web and not via e-mail, so this would be a very low probability of success.
> <soapbox> This is why my lists don't allow any attachments at all. IMHO, the "benefits" of making it easy for people to send files to a mailing list are outweighed by the "costs" (when a virus gets thru). I tell posters to put the file on a server and then email a post with a link to the file. </soapbox>
Agreed. E-mail should not be abused as a file transfer protocol. There are better ways to handle that issue.
-- Brad Knowles, <brad@stop.mail-abuse.org>
"Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety."
-- Benjamin Franklin (1706-1790), reply of the Pennsylvania
Assembly to the Governor, November 11, 1755
SAGE member since 1995. See <http://www.sage.org/> for more info.
Brad Knowles wrote:
> At 10:50 PM -0800 2005-01-28, JC Dill wrote:
>
>> OK, I'm just speculating here... what if there's a virus/trojan out that is able to take email that a user had already sent (email in the "sent" folder), and resend it with a virus payload (in this case, the beagle.ba virus above)? If it grabbed an email that the moderator had sent to the list with the Approved: password included, and just appended the virus payload, it would result in what you saw, right?
>
> One flaw in this theory -- the Approved: header gets stripped before the message is posted to the list. The only way the Approved: header could get captured by the virus would be if the moderator's account is the one that got infected, and the virus pulled the approved message out of the "sent" mailbox of the moderator.
Didn't I say that above?
> Even then, most moderators work via the web and not via e-mail, so this would be a very low probability of success.
Most moderators use the web to approve email from *others*, but most of the ones I know who are responsible for originating content for their list use the approved header when they send the content to their list so that they don't have to take an additional step of going to the webpage to approve the message they just sent. My speculation is about this exact scenario, a moderator who uses the approved header has old email with that header in their "sent" box, and a virus/trojan grabbed one of those messages and resent it (with the approved header) with the virus payload attached.
If it hasn't happened yet, then "yet" is the critical factor. It's going to happen someday...
jc
JC Dill wrote:
> Most moderators use the web to approve email from *others*, but most of the ones I know who are responsible for originating content for their list use the approved header when they send the content to their list so that they don't have to take an additional step of going to the webpage to approve the message they just sent. My speculation is about this exact scenario, a moderator who uses the approved header has old email with that header in their "sent" box, and a virus/trojan grabbed one of those messages and resent it (with the approved header) with the virus payload attached.
>
> If it hasn't happened yet, then "yet" is the critical factor. It's going to happen someday...
I certainly agree that the above scenario is possible and that someday it may happen, but it didn't happen in the case reported at the start of this thread. The OP gave a link to Symantec's description of the identified worm - http://securityresponse.symantec.com/avcenter/venc/data/w32.beagle.ba@mm.htm...
This worm harvests e-mail addresses from many places on a newly infected computer, but it doesn't use found e-mail as a template for sending itself out. It creates its own subject and body for the outgoing mail.
Furthermore, if such a scenario has occurred or did occur in the future, I suspect it would be just an unlucky accident. While I'm sure that a clever worm creator could deliberately try to exploit this potential vulnerability, I don't think the payoff would be sufficient to justify the attack.
First of all, the attack would rely on a list administrator keeping a copy of a sent post with the approval in it. Then this administrator, who at least statistically is likely to be much more savvy about viruses and worms than the typical user, would have to receive and execute the incoming worm on the appropriate hardware/OS platform. And finally, the list would have to allow executable attachments and not otherwise block the worm. Then, if all the conditions were met, the payoff would be another hundred or thousand or so potential recipients. It just seems to me that the expected increase in the number of recipients due to deliberately implementing this attack wouldn't be great enough to bother with.
That's not to say that it couldn't or wouldn't occur by accident. If there are or will be worms that use e-mail found on a machine as a template for sending themselves out, I'm sure that eventually this will happen.
-- Mark Sapiro <msapiro@value.net>, San Francisco Bay Area, California
The highway is for gamblers, better use your sense - B. Dylan
Mark Sapiro wrote:
> Furthermore, if such a scenario has occurred or did occur in the future, I suspect it would be just an unlucky accident. While I'm sure that a clever worm creator could deliberately try to exploit this potential vulnerability, I don't think the payoff would be sufficient to justify the attack.
>
> First of all, the attack would rely on a list administrator
An attack of this type would not be just for list administrator posts. It would also get past whitelist filters - because the message would come from someone you have already received email from and are much more likely to be accepting email from than some random stranger address. If we haven't seen it it's just because we haven't seen it *yet*. I'm sure spammers are busy working on something like this right now, as a way to create more zombies with their virus/trojan payload.
So I repeat my <soapbox> statement, don't allow attachments to your mailing list. The downside is too great, sooner or later your list WILL end up spreading a virus.
jc
At 10:23 AM -0800 2005-01-29, JC Dill wrote:
> So I repeat my <soapbox> statement, don't allow attachments to your mailing list. The downside is too great, sooner or later your list WILL end up spreading a virus.
Absolutely. Can't argue with that.
-- Brad Knowles, <brad@stop.mail-abuse.org>
"Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety."
-- Benjamin Franklin (1706-1790), reply of the Pennsylvania
Assembly to the Governor, November 11, 1755
SAGE member since 1995. See <http://www.sage.org/> for more info.
JC Dill wrote:
> An attack of this type would not be just for list administrator posts. It would also get past whitelist filters - because the message would come from someone you have already received email from and are much more likely to be accepting email from than some random stranger address. If we haven't seen it it's just because we haven't seen it *yet*. I'm sure spammers are busy working on something like this right now, as a way to create more zombies with their virus/trojan payload.
We definitely have seen the "whitelist" attack. I think the majority of today's worms harvest addresses from an infected machine and spoof one of them as the sender on the theory that the addresses found on a given machine are members of an affinity group of some kind and are more likely to accept mail from one of their own than from a random address.
I have seen this result in a worm being posted to a list because the list address was found on a machine and the spoofed sender also found on the machine happened to be a list member. I've not seen this on any of my Mailman lists and I won't see the payload in any case because the lists don't allow attachments, but I have seen it on Yahoo Groups.
> So I repeat my <soapbox> statement, don't allow attachments to your mailing list. The downside is too great, sooner or later your list WILL end up spreading a virus.
And I agree. I don't allow attachments on any lists that I manage and I encourage others to do the same. There are other ways to make binary information available to a group.
-- Mark Sapiro <msapiro@value.net>, San Francisco Bay Area, California
The highway is for gamblers, better use your sense - B. Dylan
At 8:50 AM -0800 2005-01-29, JC Dill wrote:
> Didn't I say that above?
Not that I saw, no. What I read of your message indicated that the virus had infected a normal user and pulled a message out of their sent folder, which would not have had the Approved: header.
>> Even then, most moderators work via the web and not via e-mail, so this would be a very low probability of success.
>
> Most moderators use the web to approve email from *others*, but most of the ones I know who are responsible for originating content for their list use the approved header when they send the content to their list so that they don't have to take an additional step of going to the webpage to approve the message they just sent.
Most moderators I know of don't need to use the Approved: header, because they themselves are not moderated on their own lists. But then maybe you know more moderators than I do.
> If it hasn't happened yet, then "yet" is the critical factor. It's going to happen someday...
True enough.
I still think it's a lot of work for a virus to go through, but when they do finally run into a moderator that uses this technique, there is a high chance of successful transmission to a large number of other targets.
I guess the question is when does the probability go up enough that the payoff justifies the amount of input work?
-- Brad Knowles, <brad@stop.mail-abuse.org>
"Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety."
-- Benjamin Franklin (1706-1790), reply of the Pennsylvania
Assembly to the Governor, November 11, 1755
SAGE member since 1995. See <http://www.sage.org/> for more info.
Brad Knowles wrote:
> At 8:50 AM -0800 2005-01-29, JC Dill wrote:
>
>> Didn't I say that above?
>
> Not that I saw, no. What I read of your message indicated that the virus had infected a normal user and pulled a message out of their sent folder, which would not have had the Approved: header.
In my first post in this thread I wrote:
"what if there's a virus/trojan out that is able to take email that a user had already sent (email in the "sent" folder), and resend it with a virus payload (in this case, the beagle.ba virus above)? If it grabbed an email that the moderator had sent to the list with the Approved: password included, and just appended the virus payload, it would result in what you saw, right?"
> Most moderators I know of don't need to use the Approved: header, because they themselves are not moderated on their own lists. But then maybe you know more moderators than I do.
The ones I know that do this elect to use this method to prevent forged posts "from" them to their one-way (newsletter) lists. If all posts must be approved one way or another, then random forged posts (using addresses found on a victim's computer) won't get distributed to the list. But if a virus/trojan goes a step further and instead of just using address found it uses actual previously sent email, and there is saved email with the Approved: header, then that virus/trojan would be able to forge a post to the list that would have the Approved: header, and thus be distributed to the list.
jc
I am trying to come up with a good "starter" filter_mime_types list. I went through my /etc/mime.types and picked out all of the top-level identifiers that I knew for sure that I didn't want... At least I think I'm sure...
Anyway, here's my list:
image, application, audio, model, video
Have I made any blunders choosing these?
Thanks,
Jeff G.
Jeff Groves wrote:
> I am trying to come up with a good "starter" filter_mime_types list. I went through my /etc/mime.types and picked-out all of the top level identifiers that I knew for sure that I didn't want... At least I think I'm sure...
>
> Anyway, here's my list:
>
> image, application, audio, model, video
>
> Have I made any blunders choosing these?
If you want to allow pgp signed messages, you will lose the signature which is application/pgp-signature
I think people tend to use the pass_mime_types rather than filter_mime_types. A reasonable list for pass_mime_types for allowing plain text and pgp signatures only is
multipart/mixed, multipart/alternative, multipart/signed, application/pgp-signature, message/rfc822, text/plain
See http://mail.python.org/pipermail/mailman-users/2005-January/041697.html and http://mail.python.org/pipermail/mailman-users/2005-January/041706.html for some discussion of this.
If you want, you can add text/html to this list, but see for example http://mail.python.org/pipermail/mailman-users/2005-January/041763.html for some discussion of the implications.
-- Mark Sapiro <msapiro@value.net>, San Francisco Bay Area, California
The highway is for gamblers, better use your sense - B. Dylan
On Fri, 28 Jan 2005 20:31:19 -0500 (EST), Dan Mahoney, System Admin <danm@prime.gushi.org> wrote:
> I just had a small problem. A virus was just sent to all the list members which had spoofed the moderator's email address. No "requires approval" message was sent, despite the fact that everyone (even the moderator) has the "mod" bit set to "on".
>
> http://securityresponse.symantec.com/avcenter/venc/data/w32.beagle.ba@mm.htm...
>
> Are there any known and open bugs in 2.1.5 that would allow this behavior?
>
> <snip>
>
> Here's the headers:
>
> Return-Path: <vgc-announce-bounces+varoots=gushi.org@vagrassroots.org>
While that's the address shown in the From field, Beagle puts other addresses in the Mail From and Envelope From and Mailman's default config is to also check those fields for email addresses allowed to post to the list unmoderated and Mailman removes those headers when repackaging the message to send out to the list members.
I found this out when Beagle.C first appeared almost a year ago. It posted with a non-member address on a list that only allowed members to post. I.e., Beagle put a non-member address in the visible From field and a member address in the Mail-From field. Mailman checked the From field, not allowed to post as non-member, and it checked the Mail-From field, that was a member allowed to post unmoderated, and so it accepted the message and sent it out to the list. The list stripped attachments so the virus didn't go thru but I had dozens of people out of the 1,100 members asking where they needed to sign up to continue getting list mail.
After I found out that Mailman checked more than the visible From field, I changed the default config to only check the visible From field so that viruses couldn't sneak thru anymore.
Since you said your list is fully moderated, you need to check to see if *anyone* is listed in the box for "List of non-member addresses whose postings should be automatically accepted." (even members - if a list member is listed in that box, it will override their moderation bit, I think) in the Sender Filters page and check that *everyone's* mod bit is set to moderated. Also set the default for new members to moderated.
And if you want to, in the mm_cfg.py file, add this line:
```python
SENDER_HEADERS = ('from',)  # trailing comma needed: ('from') without it is just the string 'from'
```
which will force Mailman to look only at the From field.
-- hth, Stephanie
Links blog: http://alice.ttlg.net/links/ Glenfinnan Web Hosting: http://www.glenfinnan.net/
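The sender-resolution behaviour Stephanie describes, together with Mark's earlier point that on a fully moderated list only an Approved: header carrying the list password gets a post through, can be checked against a small model. The following is an added example written for this page, not Mailman's own code. The ListModel class, the addresses and the message text are constructed for the example; what it mirrors from Mailman 2.1 is that the default SENDER_HEADERS in Defaults.py is ('from', None, 'reply-to', 'sender'), with None standing for the SMTP envelope sender, and that the first candidate address that is a member decides whether the post takes the member or the non-member path.

```python
"""Added example for this page (not Mailman's own code): a reduced model of
how a Mailman 2.1 list works out who "sent" a post and whether to hold it.

Constructed for the example: the ListModel class, every address and the
message text. Mirrored from Mailman: the default SENDER_HEADERS in
Defaults.py is ('from', None, 'reply-to', 'sender'), where None stands
for the SMTP envelope sender, and the first candidate that is a member
decides whether the post takes the member or the non-member path.
Left out: Approved: on the first body line, and the hold/reject/discard
non-member address lists.
"""
import email
from email.message import Message
from email.utils import parseaddr

DEFAULT_SENDER_HEADERS = ('from', None, 'reply-to', 'sender')
FROM_ONLY = ('from',)  # trailing comma matters: ('from') is just the string 'from'


def senders(msg: Message, envelope_sender, sender_headers=DEFAULT_SENDER_HEADERS):
    """Candidate sender addresses in SENDER_HEADERS order, lower-cased, no duplicates."""
    found = []
    for h in sender_headers:
        raw = (envelope_sender or '') if h is None else msg.get(h, '')
        addr = parseaddr(raw)[1].lower()
        if addr and addr not in found:
            found.append(addr)
    return found


class ListModel:
    """Just enough list state to reproduce the moderation decision."""

    def __init__(self, members, moderated, accept_these_nonmembers=(),
                 generic_nonmember_action='hold', password='s3cret-list-pw'):
        self.members = {m.lower() for m in members}
        self.moderated = {m.lower() for m in moderated}  # members with the "mod" bit on
        self.accept_these_nonmembers = {a.lower() for a in accept_these_nonmembers}
        self.generic_nonmember_action = generic_nonmember_action  # hold/reject/discard/accept
        self.password = password

    def decide(self, msg: Message, envelope_sender, sender_headers=DEFAULT_SENDER_HEADERS):
        """Return 'accept', 'hold', or whatever generic_nonmember_action says."""
        # 1. Approved: carrying the list password bypasses moderation entirely.
        if msg.get('Approved', '').strip() == self.password:
            return 'accept'
        cands = senders(msg, envelope_sender, sender_headers)
        # 2. The first candidate that is a member settles the member path.
        for addr in cands:
            if addr in self.members:
                return 'hold' if addr in self.moderated else 'accept'
        # 3. No member matched: non-member handling.
        if any(a in self.accept_these_nonmembers for a in cands):
            return 'accept'
        return self.generic_nonmember_action


def worm_style_message():
    """Constructed sample: visible From: is a stranger, but the envelope sender
    (which a worm sets freely at SMTP time) is a subscribed member."""
    raw = ("From: Someone <stranger@example.net>\n"
           "To: announce@lists.example.org\n"
           "Subject: Delivery by mail\n"
           "\n"
           "(body)\n")
    return email.message_from_string(raw), 'member@example.org'


def demo():
    members = ['owner@example.org', 'member@example.org']
    open_list = ListModel(members, moderated=[])            # members-only, members unmoderated
    moderated_list = ListModel(members, moderated=members)  # everyone has the mod bit on
    msg, env = worm_style_message()
    approved, _ = worm_style_message()
    approved['Approved'] = moderated_list.password
    return {
        # default headers: the envelope address makes this a member post and it goes out
        'open_default': open_list.decide(msg, env),
        # SENDER_HEADERS = ('from',): the stranger is a non-member, so the post is held
        'open_from_only': open_list.decide(msg, env, FROM_ONLY),
        # fully moderated list: even the member match only earns a hold
        'moderated_default': moderated_list.decide(msg, env),
        # the one remaining path through: Approved: with the list password
        'moderated_approved': moderated_list.decide(approved, env),
    }


if __name__ == '__main__':
    for k, v in demo().items():
        print(f'{k}: {v}')
```

The first two results are the Beagle.C case Stephanie describes: with the default headers the envelope address wins and the worm's post is accepted as a member post; with ('from',) it falls through to generic_nonmember_action. The last two are Mark's point: on a list where every member is moderated, the only path to an immediate send is the Approved: password, which is exactly what the vette log should show if it was used.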
On Fri, 28 Jan 2005 20:31:19 -0500 (EST), "Dan Mahoney, System Admin" <danm@prime.gushi.org> wrote:
> I just had a small problem. A virus was just sent to all the list members which had spoofed the moderator's email address. No "requires approval" message was sent, despite the fact that everyone (even the moderator) has the "mod" bit set to "on".
So what happened, Dan? 15 people have replied to your post. I'm waiting to hear if you discovered anything. Did you check the vette log?
ciao, david
On Thu, 3 Feb 2005, David M.Besonen wrote:
>> I just had a small problem. A virus was just sent to all the list members which had spoofed the moderator's email address. No "requires approval" message was sent, despite the fact that everyone (even the moderator) has the "mod" bit set to "on".
>
> so what happened Dan? 15 people have replied to your post. i'm waiting to hear if you discovered anything. did you check the vette log?
I saw a lot of people saying "this is why I strip attachments". I saw Stephanie's (very helpful) post, but when I checked the box she referenced I found it empty, as I expected. I found that even the list owner's mod bit (who the virus spoofed) was set, and the list owner in turn scanned his own machine for virii right after this got out. Nada.
I checked the vette log. The message isn't even in there. Some of the auto-replies to it are (i.e. "message rejected, it's a virus"). And the message shows in the pipermail archives.
In the end, this group I'm working with has had a lot of unsubscribes as a result of this, and are switching to a different system that I'm not hosting, so I'm a bit apathetic about the whole deal. I'm still sure there's something I'm missing, and if someone wanted to try and give me a clue as to how this happened, I've saved that day's sendmail logs, and I've got all the following:
Here's the message in the archives:
http://lists.vagrassroots.org/pipermail/vgc-announce/2005q1/000038.html
Here's a snippet of that day's vette log:
```
Jan 26 21:26:54 2005 (39137) Vgc-announce post from ericgraves@earthlink.net held, message-id=<01a901c50416$42a15c70$a3bafea9@micronxp>: Message has implicit destination
Jan 26 21:28:58 2005 (3682) held message approved, message-id: <01a901c50416$42a15c70$a3bafea9@micronxp>
Jan 26 21:28:58 2005 (3682) vgc-announce: Discarded posting: From: tfinnman2@aol.com Subject: Fwd: FW: Media Advisory Reason: No reason given
Jan 27 23:12:05 2005 (39137) Vgc-announce post from chirpybird.mac@mindspring.com held, message-id=<05b001c504ef$a199e740$6b0c45cf@molly>: Post to moderated list
Jan 27 23:25:36 2005 (39137) Vgc-announce post from ericgraves@earthlink.net held, message-id=<010901c504ef$fe21a5c0$a3bafea9@micronxp>: Post to moderated list
Jan 27 23:27:42 2005 (39495) held message approved, message-id: <010901c504ef$fe21a5c0$a3bafea9@micronxp>
Jan 27 23:27:43 2005 (39495) vgc-announce: Refused posting: From: chirpybird.mac@mindspring.com Subject: Reply: virus in your message from: [Virginia Grassroots Coalition] Delivery by mail Reason: No reason given
Jan 28 08:46:48 2005 (39137) Vgc-announce post from eric@vagrassroots.org held, message-id=<nposdocvhojlaxmnuob@vagrassroots.org>: Post by non-member to a members-only list
Jan 28 08:53:02 2005 (99241) vgc-announce: Discarded posting: From: eric@vagrassroots.org Subject: Delivery service mail Reason: No reason given
```
Here's the full headers of the thing:
```
Return-Path: <vgc-announce-bounces+varoots=gushi.org@vagrassroots.org>
Received: from prime.gushi.org (localhost [IPv6:::1]) by prime.gushi.org (8.13.1/8.13.1) with ESMTP id j0S2GH5b080701 for <varoots@gushi.org>; Thu, 27 Jan 2005 22:50:56 -0500 (EST)
Received: from ROBERTA.net (pcp08579508pcs.alxndr01.va.comcast.net [68.83.208.54]) by prime.gushi.org (8.13.1/8.13.1) with SMTP id j0S2FV8o080233 for <vgc-announce@vagrassroots.org>; Thu, 27 Jan 2005 21:15:35 -0500 (EST)
Date: Thu, 27 Jan 2005 21:05:09 -0500
From: "Ericgraves" <ericgraves@earthlink.net>
Message-ID: <qekkbjguqcsiaoconcz@vagrassroots.org>
MIME-Version: 1.0
X-Security: MIME headers sanitized on prime.gushi.org See http://www.impsec.org/email-tools/sanitizer-intro.html for details. $Revision: 1.139 $Date: 2003-09-07 10:14:23-07
X-Security: The postmaster has not enabled quarantine of poisoned messages.
Content-Type: multipart/mixed; boundary="--------qptymaiwwlishntudcfk"
Subject: [Virginia Grassroots Coalition] Delivery by mail
X-BeenThere: vgc-announce@vagrassroots.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: Eric@vagrassroots.org
Cc: Virginia Grassroots Coalition Broadcast <vgc-announce@vagrassroots.org>
List-Id: Virginia Grassroots Coalition Broadcast <vgc-announce.vagrassroots.org>
List-Unsubscribe: <http://lists.vagrassroots.org/mailman/listinfo/vgc-announce>, <mailto:vgc-announce-request@vagrassroots.org?subject=unsubscribe>
List-Archive: <http://lists.vagrassroots.org/pipermail/vgc-announce>
List-Help: <mailto:vgc-announce-request@vagrassroots.org?subject=help>
List-Subscribe: <http://lists.vagrassroots.org/mailman/listinfo/vgc-announce>, <mailto:vgc-announce-request@vagrassroots.org?subject=subscribe>
To: varoots@gushi.org
Sender: vgc-announce-bounces+varoots=gushi.org@vagrassroots.org
Errors-To: vgc-announce-bounces+varoots=gushi.org@vagrassroots.org
X-Envelope-To: varoots@gushi.org
X-Spam-Checker-Version: SpamAssassin 3.0.2 (2004-11-16) on prime.gushi.org
X-Spam-Status: No, score=2.7 required=5.0 tests=BAYES_00,HTML_50_60,HTML_MESSAGE,HTML_SHORT_LENGTH,MSGID_SPAM_LETTERS,RCVD_IN_NJABL_DUL,RCVD_IN_SORBS_DUL autolearn=no version=3.0.2
X-Spam-Level: ** P
```
> ciao, david
--
I am now a lesbian. I don't like men, but thank you for writing.
-Reply to my response to a personal ad, May 30th, 1998.
--------Dan Mahoney--------
Techie, Sysadmin, WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144 AIM: LarpGM
Site: http://www.gushi.org
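Mark's earlier answer was that an approved message leaves a trace in the vette log, and Dan's finding above is that this one left none while still reaching the archive. As an added example (not part of the thread and not Mailman's code), the following Python indexes a vette log by message-id and reports the disposition of a given id, and walks a header block's Received: chain oldest hop first so the originating host can be compared with the list's own relay. The log lines, header block, hostnames, addresses and ids are constructed stand-ins shaped like the ones Dan posted.

```python
"""Added example for this page (not Mailman's code): two small forensic
helpers for the question "how did this message get approved?".

1. index a Mailman 2.1 vette log by message-id and say what happened to a
   given id: held and later approved, held only, or never logged at all;
2. walk the Received: chain in a header block, oldest hop first, so the
   originating host can be compared with the list's own relay.

The log lines, header block, hostnames, addresses and ids below are
constructed stand-ins shaped like the ones posted in the thread.
"""
import re
from email import message_from_string

# Constructed vette-log sample in Mailman 2.1's format (the "Discarded posting"
# line carries no message-id, so it is not indexed).
VETTE_LOG = """\
Jan 27 23:25:36 2005 (39137) Announce post from alice@example.net held, message-id=<aaa@host.example.net>: Post to moderated list
Jan 27 23:27:42 2005 (39495) held message approved, message-id: <aaa@host.example.net>
Jan 28 08:46:48 2005 (39137) Announce post from bob@example.org held, message-id=<bbb@example.org>: Post by non-member to a members-only list
Jan 28 08:53:02 2005 (99241) announce: Discarded posting: From: bob@example.org Subject: Delivery service mail Reason: No reason given
"""

TS = r'(?P<ts>\w{3} +\d+ [\d:]+ \d{4}) \(\d+\) '
HELD_RE = re.compile(TS + r'(?P<list>\S+) post from (?P<sender>\S+) held, '
                     r'message-id=(?P<mid><[^>]+>): (?P<reason>.*)$')
APPROVED_RE = re.compile(TS + r'held message approved, message-id: (?P<mid><[^>]+>)$')


def index_vette_log(text):
    """Map message-id -> list of (timestamp, event, detail), in log order."""
    events = {}
    for line in text.splitlines():
        m = HELD_RE.match(line)
        if m:
            events.setdefault(m['mid'], []).append(
                (m['ts'], 'held', f"from {m['sender']}: {m['reason']}"))
            continue
        m = APPROVED_RE.match(line)
        if m:
            events.setdefault(m['mid'], []).append((m['ts'], 'approved', ''))
    return events


def disposition(events, message_id):
    """'approved', 'held' (never approved) or 'not logged'. The last one is the
    interesting case from the thread: a post in the archive with no hold or
    approve record never passed through moderation at all."""
    hist = events.get(message_id)
    if not hist:
        return 'not logged'
    return 'approved' if any(ev == 'approved' for _, ev, _ in hist) else 'held'


# Constructed header block: two hops, the outer one from a dynamic ISP address.
SAMPLE_HEADERS = """\
Return-Path: <announce-bounces@lists.example.org>
Received: from mx.example.org (localhost [127.0.0.1])
    by mx.example.org (8.13.1/8.13.1) with ESMTP id q1AbCdEf000002
    for <subscriber@example.com>; Thu, 27 Jan 2005 22:50:56 -0500 (EST)
Received: from HOMEPC.net (dhcp-1-2-3-4.isp.example [192.0.2.54])
    by mx.example.org (8.13.1/8.13.1) with SMTP id q1AbCdEf000001
    for <announce@lists.example.org>; Thu, 27 Jan 2005 21:15:35 -0500 (EST)
Message-ID: <ccc@lists.example.org>
Subject: [Announce] Delivery by mail

"""

RECEIVED_RE = re.compile(r'from\s+(?P<helo>\S+)(?:\s+\((?P<peer>[^)]*)\))?\s+by\s+(?P<by>\S+)')


def received_chain(headers_text):
    """Hops oldest-first as (HELO name, peer info in parentheses, receiving host).
    Each MTA prepends its Received: line, so the last header is the first hop."""
    msg = message_from_string(headers_text)
    hops = []
    for rcvd in msg.get_all('Received', []):
        m = RECEIVED_RE.search(' '.join(rcvd.split()))
        if m:
            hops.append((m['helo'], m['peer'] or '', m['by']))
    return list(reversed(hops))


def demo():
    ev = index_vette_log(VETTE_LOG)
    chain = received_chain(SAMPLE_HEADERS)
    return {
        'approved_id': disposition(ev, '<aaa@host.example.net>'),
        'held_id': disposition(ev, '<bbb@example.org>'),
        'archived_but_unlogged': disposition(ev, '<ccc@lists.example.org>'),
        'hops': len(chain),
        'first_hop': chain[0][0],
    }


if __name__ == '__main__':
    print(demo())
```

Run against the real vette log with the Message-ID from the archived post, 'not logged' is the answer Dan reports: the post was never held, so no approval could be logged. The two-hop chain is the other clue Brad raises below: the only hop before the list host is a HELO name that does not match the reverse DNS of the connecting address, which is what a direct-to-MX worm looks like.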
Hi,
Dan Mahoney, System Admin wrote:
> I saw a lot of people saying "this is why I strip attachments".
Mailman 2.1.6 has a nice feature for those who can't strip attachments; the new spam filter 'header_filter_rules' checks attachments' headers recursively. So, messages which have executable attachments can be held, rejected, or discarded by your configuration. A regex pattern like:
content-.*name.*\.(exe|com|cmd|bat|pif|vbs|scr|zip)
can match most of the current virus messages. Mailman 2.1.6 beta 2 can be downloaded from http://mm.tkikuchi.net/mailman-2.1.6b2.tgz
Cheers,
Tokio Kikuchi, tkikuchi@ is.kochi-u.ac.jp http://weather.is.kochi-u.ac.jp/
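Here is an added example (my code, not Tokio's message or Mailman's own SpamDetect handler) showing what "recursively" means in practice: the pattern above is applied to the rendered headers of every MIME part, including parts nested inside another multipart container, and the first rule that fires decides the action. It also shows a gap a practitioner should know about before relying on such a rule: a filename carried as an RFC 2047 encoded-word is invisible to a raw header regex, so a second check decodes attachment names before testing the extension. The sample messages are constructed; the rule table, action names and helper functions are this example's own assumptions about how such a filter is organised.

```python
import email
import email.header
import re

# header_filter_rules-style table: (regex, action).  The pattern is the one
# from Tokio's post; the actions mirror Mailman's hold / reject / discard.
RULES = [
    (r"content-.*name.*\.(exe|com|cmd|bat|pif|vbs|scr|zip)", "hold"),
]

# Extensions treated as dangerous once a filename has actually been decoded.
DANGEROUS_EXT = re.compile(r"\.(exe|com|cmd|bat|pif|vbs|scr|zip)$", re.IGNORECASE)


def part_headers(part):
    """Render one MIME part's headers as 'Name: value' lines; this is the
    text a header rule is matched against (assumption: one line per header)."""
    return "\n".join("%s: %s" % (name, value) for name, value in part.items())


def check_message(raw, rules=RULES):
    """Walk every MIME part, including parts nested inside multipart/* and
    message/rfc822 containers, and return (action, filename) for the first
    rule that fires, or (None, None) if no rule matches anywhere."""
    msg = email.message_from_string(raw)
    for part in msg.walk():
        headers = part_headers(part)
        for pattern, action in rules:
            if re.search(pattern, headers, re.IGNORECASE | re.MULTILINE):
                return action, part.get_filename()
    return None, None


def decoded_filename(part):
    """Filename of a part with RFC 2047 encoded-words decoded, or None.
    A header regex only ever sees the raw '=?utf-8?b?...?=' text, so it cannot
    notice an extension hidden inside such a name."""
    name = part.get_filename()
    if name is None:
        return None
    pieces = []
    for chunk, charset in email.header.decode_header(name):
        if isinstance(chunk, bytes):
            chunk = chunk.decode(charset or "ascii", "replace")
        pieces.append(chunk)
    return "".join(pieces)


def check_decoded_filenames(raw):
    """Second line of defence: decode every attachment name before testing
    the extension.  Returns the first dangerous decoded filename, or None."""
    msg = email.message_from_string(raw)
    for part in msg.walk():
        name = decoded_filename(part)
        if name and DANGEROUS_EXT.search(name):
            return name
    return None


# Constructed sample 1: the executable sits inside a nested multipart, which a
# non-recursive check of the top-level headers would never see.
WORM_MESSAGE = """\
From: sender@example.net
To: list@example.org
Subject: Delivery by mail
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="outer"

--outer
Content-Type: text/html; charset="us-ascii"

<html><body>Please see the attached document.</body></html>
--outer
Content-Type: multipart/mixed; boundary="inner"

--inner
Content-Type: text/plain

Cover text in the nested container.
--inner
Content-Type: application/octet-stream; name="price_new.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="price_new.zip"

UEsDBAoAAAAAAA==
--inner--
--outer--
"""

# Constructed sample 2: an ordinary post with a PDF; no rule should fire.
CLEAN_MESSAGE = """\
From: member@example.org
To: list@example.org
Subject: Meeting notes
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Notes attached.
--b1
Content-Type: application/pdf; name="notes.pdf"
Content-Disposition: attachment; filename="notes.pdf"
Content-Transfer-Encoding: base64

JVBERi0=
--b1--
"""

# Constructed sample 3: the same .zip, but the filename is an RFC 2047
# encoded-word ("price.zip" in base64), so the raw-header regex sees no ".zip".
EVASION_MESSAGE = """\
From: sender@example.net
To: list@example.org
Subject: Delivery by mail
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain

see attachment
--b2
Content-Type: application/octet-stream
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="=?utf-8?b?cHJpY2Uuemlw?="

UEsDBAoAAAAAAA==
--b2--
"""

if __name__ == "__main__":
    for label, raw in (("worm", WORM_MESSAGE), ("clean", CLEAN_MESSAGE),
                       ("evasion", EVASION_MESSAGE)):
        print(label, check_message(raw), check_decoded_filenames(raw))
```

The header rule catches the nested .zip in the first sample and leaves the PDF alone, but it passes the third sample untouched while the decoded-name check still flags it. That is the caveat worth remembering about header_filter_rules: the regex runs over header text as received, so anything that reaches the user after decoding (encoded-words, RFC 2231 parameter continuations) needs a check that decodes first.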
At 1:49 AM -0500 2005-02-04, Dan Mahoney, System Admin wrote:
I checked the vette log. The message isn't even in there. Some of the auto-replies to it are (i.e. "message rejected, it's a virus"). And the message shows in the pipermail archives.
In that case, are you sure that the message passed through your system? Maybe the virus spoofed more than just your moderator's address....
Here's the full headers of the thing:
Return-Path: <vgc-announce-bounces+varoots=gushi.org@vagrassroots.org>
Received: from prime.gushi.org (localhost [IPv6:::1]) by prime.gushi.org (8.13.1/8.13.1) with ESMTP id j0S2GH5b080701 for <varoots@gushi.org>; Thu, 27 Jan 2005 22:50:56 -0500 (EST)
Received: from ROBERTA.net (pcp08579508pcs.alxndr01.va.comcast.net [68.83.208.54]) by prime.gushi.org (8.13.1/8.13.1) with SMTP id j0S2FV8o080233 for <vgc-announce@vagrassroots.org>; Thu, 27 Jan 2005 21:15:35 -0500 (EST)
I only see two Received: headers here. This is not nearly enough. There's a lot of data that appears to be missing.
-- Brad Knowles, <brad@stop.mail-abuse.org>
"Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety."
-- Benjamin Franklin (1706-1790), reply of the Pennsylvania
Assembly to the Governor, November 11, 1755
SAGE member since 1995. See <http://www.sage.org/> for more info.
Brad Knowles wrote:
At 1:49 AM -0500 2005-02-04, Dan Mahoney, System Admin wrote:
I checked the vette log. The message isn't even in there. Some of the auto-replies to it are (i.e. "message rejected, it's a virus"). And the message shows in the pipermail archives.
In that case, are you sure that the message passed through your system? Maybe the virus spoofed more than just your moderator's address....
Here's the full headers of the thing:
Return-Path: <vgc-announce-bounces+varoots=gushi.org@vagrassroots.org>
Received: from prime.gushi.org (localhost [IPv6:::1]) by prime.gushi.org (8.13.1/8.13.1) with ESMTP id j0S2GH5b080701 for <varoots@gushi.org>; Thu, 27 Jan 2005 22:50:56 -0500 (EST)
Received: from ROBERTA.net (pcp08579508pcs.alxndr01.va.comcast.net [68.83.208.54]) by prime.gushi.org (8.13.1/8.13.1) with SMTP id j0S2FV8o080233 for <vgc-announce@vagrassroots.org>; Thu, 27 Jan 2005 21:15:35 -0500 (EST)
I only see two Received: headers here. This is not nearly enough. There's a lot of data that appears to be missing.
I think the two Received: headers could be enough considering the worm probably has its own SMTP engine. The way to answer this for sure is to see if it is in the 'post' log.
The real problem is that other than Brad's suggestion above, these headers really don't tell us much. What we'd really like to see is the incoming message as received by Mailman. Of course, there's no way to do that.
-- Mark Sapiro <msapiro@value.net> The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan
Mark Sapiro wrote:
Brad Knowles wrote:
At 1:49 AM -0500 2005-02-04, Dan Mahoney, System Admin wrote:
I checked the vette log. The message isn't even in there. Some of the auto-replies to it are (i.e. "message rejected, it's a virus"). And the message shows in the pipermail archives.
In that case, are you sure that the message passed through your system? Maybe the virus spoofed more than just your moderator's address....
Here's the full headers of the thing:
Return-Path: <vgc-announce-bounces+varoots=gushi.org@vagrassroots.org>
Received: from prime.gushi.org (localhost [IPv6:::1]) by prime.gushi.org (8.13.1/8.13.1) with ESMTP id j0S2GH5b080701 for <varoots@gushi.org>; Thu, 27 Jan 2005 22:50:56 -0500 (EST)
Received: from ROBERTA.net (pcp08579508pcs.alxndr01.va.comcast.net [68.83.208.54]) by prime.gushi.org (8.13.1/8.13.1) with SMTP id j0S2FV8o080233 for <vgc-announce@vagrassroots.org>; Thu, 27 Jan 2005 21:15:35 -0500 (EST)
I only see two Received: headers here. This is not nearly enough. There's a lot of data that appears to be missing.
I think the two Received: headers could be enough considering the worm probably has its own SMTP engine. The way to answer this for sure is to see if it is in the 'post' log.
I agree with Mark and would go even further that it is all you need to know. The pcp08579508pcs.alxndr01.va.comcast.net address, which is indicative of a Comcast end-user in Alexandria, Virginia, is plenty to know that the user that had the address at the particular time (Thu, 27 Jan 2005 21:15:35 -0500 (EST)) was infected with some type of worm.
Jeff G.
-- Law of Procrastination: Procrastination avoids boredom; one never has the feeling that there is nothing important to do.
On Sat, 5 Feb 2005, Jeff Groves wrote:
I think the two Received: headers could be enough considering the worm probably has its own SMTP engine. The way to answer this for sure is to see if it is in the 'post' log.
Jan 27 22:55:10 2005 (39139) post to vgc-announce from ericgraves@earthlink.net, size=39384, message-id=<qekkbjguqcsiaoconcz@vagrassroots.org>, success
I agree with Mark and would go even further that it is all you need to know. The pcp08579508pcs.alxndr01.va.comcast.net address, which is indicative of a Comcast end-user in Alexandria, Virginia, is plenty to know that the user that had the address at the particular time (Thu, 27 Jan 2005 21:15:35 -0500 (EST)) was infected with some type of worm.
Jeff, I had already worked out that much. And it might have trolled the list posting address from an address book or a previous email...but...
(This is the question I've been wanting the answer to the whole time)...Why did it not require approval? When Eric Graves (the same guy, same email address, the list owner and moderator), goes to make a post, it gets held back with a "requires approval". Up until recently, we took this as a sign that security was as it should be. Even if someone spoofed the email address, we'd have a chance to catch it.
Why isn't it in the vette log?
If the worm spoofed all the x-mailman headers and everything, and magically managed to insert itself into the pipermail archives, why are the logs missing?
--
"Happy, Sad, Happy, Sad, Happy, Sad, Happy, Intruiged! I've never been so in touch with my emotions!"
-AndrAIa as Hexadecimal, Reboot Episode 3.2.3
--------Dan Mahoney-------- Techie, Sysadmin, WebGeek Gushi on efnet/undernet IRC ICQ: 13735144 AIM: LarpGM Site: http://www.gushi.org
![](https://secure.gravatar.com/avatar/746f7519ba02fb0d815e59f305c53fa2.jpg?s=120&d=mm&r=g)
Dan Mahoney wrote:
On Sat, 5 Feb 2005, Jeff Groves wrote:
I think the two Received: headers could be enough considering the worm probably has its own SMTP engine. The way to answer this for sure is to see if it is in the 'post' log.
Jan 27 22:55:10 2005 (39139) post to vgc-announce from ericgraves@earthlink.net, size=39384, message-id=<qekkbjguqcsiaoconcz@vagrassroots.org>, success
I agree with Mark and would go even further that it is all you need to know. The pcp08579508pcs.alxndr01.va.comcast.net address, which is indicative of a Comcast end-user in Alexandria, Virginia, is plenty to know that the user that had the address at the particular time (Thu, 27 Jan 2005 21:15:35 -0500 (EST)) was infected with some type of worm.
Jeff, I had already worked out that much. And it might have trolled the list posting address from an address book or a previous email...but...
- (This is the question I've been wanting the answer to the whole time)...Why did it not require approval? When Eric Graves (the same guy, same email address, the list owner and moderator), goes to make a post, it gets held back with a "requires approval". Up until recently, we took this as a sign that security was as it should be. Even if someone spoofed the email address, we'd have a chance to catch it.
We clearly don't know the answer to this. Assuming it is in the 'post' log and thus for sure came from the list and wasn't just spoofed to look like it came from the list, the only way I know for it to get through is if it contained an Approved: header or first line with the list password.
There was some conjecture earlier in this thread about how this might happen, but it seems highly unlikely and the characteristics of w32.beagle.ba@mm which you identified in the OP would seem to preclude it, so I'm at a loss for an explanation.
- Why isn't it in the vette log?
Because it wasn't held for approval.
- If the worm spoofed all the x-mailman headers and everything, and magically managed to insert itself into the pipermail archives, why are the logs missing?
I forgot you said it was in the archive. Was there an entry in the 'post' log? Was there an entry or entries in the 'smtp' log? If these are absent, it may be a clue.
As I said before, the information we really need in order to figure this out would be the post as received by Mailman, not the one sent out, but there's no way to get this from Mailman after the fact.
-- Mark Sapiro <msapiro@value.net> The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan
On Sat, 5 Feb 2005, Mark Sapiro wrote:
Dan Mahoney wrote:
On Sat, 5 Feb 2005, Jeff Groves wrote:
I think the two Received: headers could be enough considering the worm probably has its own SMTP engine. The way to answer this for sure is to see if it is in the 'post' log.
Jan 27 22:55:10 2005 (39139) post to vgc-announce from ericgraves@earthlink.net, size=39384, message-id=<qekkbjguqcsiaoconcz@vagrassroots.org>, success
I agree with Mark and would go even further that it is all you need to know. The pcp08579508pcs.alxndr01.va.comcast.net address, which is indicative of a Comcast end-user in Alexandria, Virginia, is plenty to know that the user that had the address at the particular time (Thu, 27 Jan 2005 21:15:35 -0500 (EST)) was infected with some type of worm.
Jeff, I had already worked out that much. And it might have trolled the list posting address from an address book or a previous email...but...
- (This is the question I've been wanting the answer to the whole time)...Why did it not require approval? When Eric Graves (the same guy, same email address, the list owner and moderator), goes to make a post, it gets held back with a "requires approval". Up until recently, we took this as a sign that security was as it should be. Even if someone spoofed the email address, we'd have a chance to catch it.
We clearly don't know the answer to this. Assuming it is in the 'post' log and thus for sure came from the list and wasn't just spoofed to look like it came from the list, the only way I know for it to get through is if it contained an Approved: header or first line with the list password.
There was some conjecture earlier in this thread about how this might happen, but it seems highly unlikely and the characteristics of w32.beagle.ba@mm which you identified in the OP would seem to preclude it, so I'm at a loss for an explanation.
- Why isn't it in the vette log?
Because it wasn't held for approval.
- If the worm spoofed all the x-mailman headers and everything, and magically managed to insert itself into the pipermail archives, why are the logs missing?
I forgot you said it was in the archive. Was there an entry in the 'post' log? Was there an entry or entries in the 'smtp' log? If these are absent, it may be a clue.
As I said before, the information we really need in order to figure this out would be the post as received by Mailman, not the one sent out, but there's no way to get this from Mailman after the fact.
*that* is a problem. I see no reason there shouldn't be an option to log this (either in the archives or a logfile, or maybe a "view original post" option in the archives, something possibly admin-only?).
-Dan
--
"You're not normal!"
-Michael G. Kessler, referring to my modem online time.
--------Dan Mahoney-------- Techie, Sysadmin, WebGeek Gushi on efnet/undernet IRC ICQ: 13735144 AIM: LarpGM Site: http://www.gushi.org
At 9:59 AM -0500 2005-02-08, Dan Mahoney, System Admin quoted Mark Sapiro:
As I said before, the information we really need in order to figure this out would be the post as received by Mailman, not the one sent out, but there's no way to get this from Mailman after the fact.
*that* is a problem. I see no reason there shouldn't be an option to log this (either in the archives or a logfile, or maybe a "view original post" option in the archives, something possibly admin-only?).
The message as it was originally received by Mailman should be in the appropriate /usr/local/mailman/archives/private/listname.mbox/listname.mbox file, and the admin would be able to inspect that to get an idea of what happened. At least, I think the message gets saved there before stripping and sanitization is performed.
As far as log data is concerned, assuming you get there before the data in syslog is aged out and thrown away, you should have a record of that message-id coming into the system, and then a different message-id going back out (after the mailing list sanitization is done, etc...).
Unfortunately, Mailman doesn't provide a whole lot of logging data itself, so it takes more work to figure out what features were/were not triggered, in which logs there may be useful data, etc....
-- Brad Knowles, <brad@stop.mail-abuse.org>
"Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety."
-- Benjamin Franklin (1706-1790), reply of the Pennsylvania
Assembly to the Governor, November 11, 1755
SAGE member since 1995. See <http://www.sage.org/> for more info.
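To make the log-checking steps in this thread concrete (Dan's 'post' log line, Mark's question about the 'vette' log, Brad's pointer to the listname.mbox archive), here is an added Python example, not from the thread and not Mailman's own code, that traces one Message-ID through all three and states what the combination implies. The first post-log line is the one Dan quoted; the second post entry, the vette entry and the mbox contents are constructed. The vette line format is assumed from memory of Mailman 2.1's Hold handler, and what the mbox "From " separator contains depends on how the archiver wrote it, so both are marked as assumptions in the code.

```python
import mailbox
import os
import re
import tempfile

# First line verbatim from Dan's message; second line constructed.
POST_LOG = """\
Jan 27 22:55:10 2005 (39139) post to vgc-announce from ericgraves@earthlink.net, size=39384, message-id=<qekkbjguqcsiaoconcz@vagrassroots.org>, success
Jan 28 09:12:01 2005 (39139) post to vgc-announce from member@example.org, size=1201, message-id=<abc123@example.org>, success
"""

# Constructed.  Format ASSUMED from Mailman 2.1's Hold handler; check it
# against your own logs/vette before trusting the regex below.
VETTE_LOG = """\
Jan 28 09:10:44 2005 (39139) vgc-announce post from member@example.org held, message-id=<abc123@example.org>: Post by non-member to a members-only list
"""

# Constructed stand-in for archives/private/listname.mbox/listname.mbox.
ARCHIVE_MBOX = """\
From vgc-announce-bounces@vagrassroots.org Thu Jan 27 22:55:10 2005
From: "Ericgraves" <ericgraves@earthlink.net>
To: vgc-announce@vagrassroots.org
Subject: [Virginia Grassroots Coalition] Delivery by mail
Message-ID: <qekkbjguqcsiaoconcz@vagrassroots.org>

(archived body as rewritten by the pipeline)

From member@example.org Fri Jan 28 09:12:01 2005
From: member@example.org
To: vgc-announce@vagrassroots.org
Subject: hello
Message-ID: <abc123@example.org>

hi
"""

POST_RE = re.compile(
    r"^(?P<ts>\w{3} \d\d \d\d:\d\d:\d\d \d{4}) \(\d+\) post to (?P<list>\S+) "
    r"from (?P<sender>\S+), size=\d+, message-id=(?P<mid><[^>]+>), (?P<result>\w+)$")
VETTE_RE = re.compile(
    r"^(?P<ts>\w{3} \d\d \d\d:\d\d:\d\d \d{4}) \(\d+\) (?P<list>\S+) post from "
    r"(?P<sender>\S+) held, message-id=(?P<mid><[^>]+>): (?P<reason>.*)$")


def find_entries(log_text, regex, message_id):
    """Parse a Mailman log and keep only the entries for one Message-ID."""
    hits = []
    for line in log_text.splitlines():
        m = regex.match(line)
        if m and m.group("mid") == message_id:
            hits.append(m.groupdict())
    return hits


def find_in_mbox(mbox_text, message_id):
    """Locate the archived copy by Message-ID and return the address on its
    mbox 'From ' separator (assumed to be the sender the archiver saw)."""
    fd, path = tempfile.mkstemp(suffix=".mbox")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(mbox_text)
        box = mailbox.mbox(path)
        try:
            for msg in box:
                if (msg.get("Message-ID") or "").strip() == message_id:
                    return msg.get_from().split()[0]
        finally:
            box.close()
    finally:
        os.unlink(path)
    return None


def trace_message(message_id, post_log=POST_LOG, vette_log=VETTE_LOG,
                  mbox_text=ARCHIVE_MBOX):
    """Combine the three sources into one verdict about how Mailman handled
    the message.  'posted' without 'held' is the case from this thread:
    the pipeline accepted the post without ever holding it for a moderator."""
    posts = find_entries(post_log, POST_RE, message_id)
    holds = find_entries(vette_log, VETTE_RE, message_id)
    archive_from = find_in_mbox(mbox_text, message_id)
    posted = any(p["result"] == "success" for p in posts)
    if posted and holds:
        verdict = "held, then approved and posted"
    elif posted:
        verdict = "accepted without a moderation hold"
    elif holds:
        verdict = "held, never posted"
    elif archive_from:
        verdict = "in the archive but absent from both logs"
    else:
        verdict = "never seen by Mailman's post or vette logs"
    return {
        "posted": posted,
        "post_sender": posts[0]["sender"] if posts else None,
        "held": bool(holds),
        "hold_reason": holds[0]["reason"] if holds else None,
        "archived": archive_from is not None,
        "archive_from": archive_from,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for mid in ("<qekkbjguqcsiaoconcz@vagrassroots.org>",
                "<abc123@example.org>", "<nothere@example.org>"):
        print(mid, trace_message(mid)["verdict"])
```

Run against real files, replace the three constants with the contents of logs/post, logs/vette and the list's .mbox. The useful outcome is the verdict: a Message-ID that is in the post log but not in vette is exactly the situation Dan describes, and the absence of a vette entry is the expected signature of a post that satisfied Approve rather than evidence the logs were tampered with.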
Brad Knowles wrote:
At 9:59 AM -0500 2005-02-08, Dan Mahoney, System Admin quoted Mark Sapiro:
As I said before, the information we really need in order to figure this out would be the post as received by Mailman, not the one sent out, but there's no way to get this from Mailman after the fact.
*that* is a problem. I see no reason there shouldn't be an option to log this (either in the archives or a logfile, or maybe a "view original post" option in the archives, something possibly admin-only?).
The message as it was originally received by Mailman should be in the appropriate /usr/local/mailman/archives/private/listname.mbox/listname.mbox file,
Actually, the message in the listname.mbox/listname.mbox has had a lot done to it. It's been through Approve which would have removed any Approved: header or initial body line and it's been through Cleanse and CookHeaders (at least if the default pipeline isn't changed). About the only useful info which isn't in the final outgoing message is the incoming envelope sender.
Here's a thought though. If you're concerned about this happening again, create a pipeline attribute for the list with an additional handler, say 'LogIncoming' between 'SpamDetect' and 'Approve'. See GLOBAL_PIPELINE in Defaults.py. Or you could do it for all lists by just putting a new GLOBAL_PIPELINE in mm_cfg.py.
Before doing any of this, you would create Mailman/Handlers/LogIncoming.py to log the incoming message (or maybe just the headers and first few lines of the body of the incoming message).
-- Mark Sapiro <msapiro@value.net> The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan
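The LogIncoming handler Mark sketches, written out as an added example (my code, not Mark's and not part of Mailman). It assumes the Mailman 2.1 handler interface (a module-level process(mlist, msg, msgdata)), the Mailman.Logging.Syslog module for writing a logs/incoming file, mlist.internal_name() for the list name, and that the Approve handler recognises the password in an Approved: or Approve: header or on the first body line, all of which are stated as assumptions in the code. Because it runs before Approve, it sees the approval that the archive copy will have lost; it records that an approval was present and redacts the value, since a log file holding the list password would be a worse exposure than the original problem. It is written against Python 3's email package and Mailman 2.1 runs under Python 2, so check it there before use. The sample messages are constructed.

```python
"""LogIncoming: a Mailman 2.1 pipeline handler that records a message as it
arrived, before Approve strips the Approved: header and before Cleanse and
CookHeaders rewrite it.  Handler interface ASSUMED: process(mlist, msg, msgdata).

Install (per Mark's note, assumed idiom): save as Mailman/Handlers/LogIncoming.py
and in mm_cfg.py add
    GLOBAL_PIPELINE.insert(GLOBAL_PIPELINE.index('Approve'), 'LogIncoming')
"""
import email
import re

# ASSUMED syntax Approve accepts: "Approved:" or "Approve:" then the password.
APPROVAL_RE = re.compile(r"^\s*(approved?)\s*:\s*(.*)$", re.IGNORECASE)


def first_text_lines(msg, limit):
    """First non-blank lines of the first text/plain part, decoded."""
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            text = raw.decode(part.get_content_charset() or "us-ascii", "replace")
            return [line for line in text.splitlines() if line.strip()][:limit]
    return []


def summarize_incoming(msg, body_lines=3):
    """Build one log record from the message as received.

    Records whether an approval was present ("header", "first-line" or None)
    and redacts its value: the goal is evidence of *how* a post got through,
    not a copy of the list password in a log file."""
    approval = None
    fields = []
    for name, value in msg.items():
        if name.lower() in ("approved", "approve"):
            approval = "header"
            value = "<redacted>"
        fields.append("%s: %s" % (name, " ".join(str(value).split())))
    preview = first_text_lines(msg, body_lines)
    if preview and APPROVAL_RE.match(preview[0]):
        approval = approval or "first-line"
        preview[0] = APPROVAL_RE.sub(r"\1: <redacted>", preview[0])
    # ASSUMED: the envelope sender arrives on a Unix From_ line from the MTA.
    envelope = msg.get_unixfrom() or "-"
    record = " | ".join(["envelope=%s" % envelope,
                         "approval=%s" % (approval or "none")]
                        + fields + ["body=%r" % preview])
    return {"approval_seen": approval, "record": record,
            "headers": fields, "body_preview": preview}


def summarize_raw(raw):
    """Convenience wrapper for testing from the shell: parse, then summarize."""
    return summarize_incoming(email.message_from_string(raw))


def process(mlist, msg, msgdata):
    """Mailman handler entry point.  Inside Mailman the record goes to
    logs/incoming through the Syslog module (ASSUMED API); outside Mailman,
    where that module cannot be imported, it is printed instead."""
    summary = summarize_incoming(msg)
    try:
        from Mailman.Logging.Syslog import syslog
    except ImportError:
        print(summary["record"])
        return
    syslog("incoming", "%s: %s", mlist.internal_name(), summary["record"])


# Constructed samples: approval in a header, approval on the first body
# line, and an ordinary post with no approval at all.
HEADER_APPROVED = """\
Approved: listpass
From: owner@example.org
To: list@example.org
Subject: pre-approved announcement

Body of the announcement.
"""

BODY_APPROVED = """\
From: owner@example.org
To: list@example.org
Subject: pre-approved announcement

Approved: listpass
Body of the announcement.
"""

PLAIN_POST = """\
From: member@example.org
To: list@example.org
Subject: ordinary post

Just a question.
"""

if __name__ == "__main__":
    for raw in (HEADER_APPROVED, BODY_APPROVED, PLAIN_POST):
        print(summarize_raw(raw)["record"])
```

With this in place, the question Dan keeps asking ("why did it not require approval?") becomes answerable after the fact: a logs/incoming line with approval=header or approval=first-line for the offending Message-ID means the pipeline was handed a valid approval, and the investigation moves to who knows the list password and which machines have it stored.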
On Fri, 28 Jan 2005 20:31:19 -0500 (EST), "Dan Mahoney, System Admin" <danm@prime.gushi.org> wrote:
I just had a small problem. A virus was just sent to all the list members which had spoofed the moderator's email address. No "requires approval" message was sent, despite the fact that everyone (even the moderator) has the "mod" bit set to "on".
So what happened, Dan? 15 people have replied to your post. I'm waiting to hear if you discovered anything. Did you check the vette log?
ciao, david
participants (9)
- Bob Sully
- Brad Knowles
- Dan Mahoney, System Admin
- David M.Besonen
- JC Dill
- Jeff Groves
- Mark Sapiro
- Stephanie
- Tokio Kikuchi