[ mailman-Bugs-914249 ] Virus posts to moderated lists
SourceForge.net
noreply at sourceforge.net
Thu Mar 11 14:36:43 EST 2004
Bugs item #914249, was opened at 2004-03-11 16:28
Message generated for change (Comment added) made by cepstein
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=100103&aid=914249&group_id=103
Category: security/privacy
Group: 2.1 (stable)
Status: Open
Resolution: None
Priority: 5
Submitted By: Ted Peterson (knighted)
Assigned to: Nobody/Anonymous (nobody)
Summary: Virus posts to moderated lists
Initial Comment:
The W32.Beagle virus has been able to post multiple
times to a moderated Mailman 2.1.3 mailing list, so
emergency moderation of the list has been enabled.
At least two other people, as reported on
mailman-users, have had this trouble since last
Friday, March 5th, when W32.Beagle was spreading.
The virus was posting using a moderator address, so
that moderator was removed. The moderator bit is
and was turned on for all users, including the now
*sole* moderator. I can send the mbox archive
headers to anybody who is interested.
Mail: ted <at> ire.org
--Ted
----------------------------------------------------------------------
Comment By: Caleb Epstein (cepstein)
Date: 2004-03-11 19:36
Message:
Logged In: YES
user_id=36183
The virus is making it through to the lists by using an
"envelope-from" (I believe that is the right term) of a valid,
subscribed list member, but a From: header which is some
address that does not exist and is not a member of the list
(usually admin@ or management@ the mailing list's domain).
See for example the message at http://bklyn.org/~cae/mailman-stumper.txt
This message appears first in the MTA's logs as:
2004-03-11 16:31:44 1B1T5z-0009zY-00 <=
SUBSCRIBER at DOMAIN.COM H=(srr2) [192.168.100.17] P=smtp
S=17730 id=pbecvykwgcgqjemyxjx at Etree.org from
<SUBSCRIBER at DOMAIN.COM> for Announce at etree.org
where SUBSCRIBER at DOMAIN.COM is a valid list subscriber with
posting privileges.
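
The mismatch described in the comment above, shown as an added example (not Mailman's code and not posted by anyone in this thread): a membership check that accepts a message when any sender address is a subscriber, next to one that requires the visible From: address to be a subscriber. The function names, addresses and message are constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed sample data; none of these addresses come from the report.
MEMBERS = {"subscriber@example.com"}
ENVELOPE_FROM = "subscriber@example.com"   # SMTP MAIL FROM, as the MTA logs it
RAW_MESSAGE = """\
From: admin@lists.example.org
To: announce@lists.example.org
Subject: constructed sample

body
"""

def header_senders(msg, headers=("from", "sender")):
    """Lower-cased addresses found in the sender-type headers."""
    values = [v for h in headers for v in msg.get_all(h, [])]
    return [addr.lower() for _, addr in getaddresses(values) if addr]

def sender_checks(raw, envelope_from, members):
    """Return (lax, strict) membership results for one message.

    lax:    envelope sender OR any header sender is a member
    strict: the From: header address itself is a member
    """
    msg = message_from_string(raw)
    candidates = header_senders(msg) + [envelope_from.lower()]
    lax = any(c in members for c in candidates)
    _, from_addr = parseaddr(msg.get("from", ""))
    strict = from_addr.lower() in members
    return lax, strict

def audit(raw, envelope_from, members):
    """Verdict for a moderation or log-review script."""
    lax, strict = sender_checks(raw, envelope_from, members)
    if strict:
        return "accept"            # visible author is a subscriber
    if lax:
        return "hold-mismatch"     # member matched only via envelope/Sender
    return "hold-nonmember"        # no sender address is a subscriber

if __name__ == "__main__":
    print(sender_checks(RAW_MESSAGE, ENVELOPE_FROM, MEMBERS))
    print(audit(RAW_MESSAGE, ENVELOPE_FROM, MEMBERS))
```

The "hold-mismatch" verdict is the case reported here: the envelope sender alone satisfies the lax check while the From: header names a non-member.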
----------------------------------------------------------------------
Comment By: NancyS (nes49)
Date: 2004-03-11 19:15
Message:
Logged In: YES
user_id=995718
As one of the other people reporting the problem, let me add
a bit of info on our experience.
Mailman 2.1.1
My hypothesis now is that one of the people who could post
without moderation released the virus. [I haven't been able to
get definitive confirmation of that, but coupling "we were
having some trouble" with a match on the ISP domain name
leads me to that guess.] I haven't been able to tie the
messages to a specific address subscribed to the list, but
would be glad to probe further if given some direction.
We haven't seen any additional occurrences since turning on
moderation for all users.
Between the first and second attack, I changed the
passwords for the affected lists thinking that an Approved:
header might have been used, but there's no evidence that
was the case.
-Nancy
mailman <at> sgtst.com
----------------------------------------------------------------------
Comment By: dk (karres)
Date: 2004-03-11 17:28
Message:
Logged In: YES
user_id=995621
... sorry, hit the submit button too soon...
The non-member messages that get past the non-member filter
are being caught by the forced moderation so the messages
are not getting to the list itself. It does make us nervous
though.
----------------------------------------------------------------------
Comment By: dk (karres)
Date: 2004-03-11 17:20
Message:
Logged In: YES
user_id=995621
More generally we have only moderated, read-only lists for
our users. All incoming, non-member messages should be
discarded. We are seeing a few virus-laden messages from
obvious non-members getting past the non-member filters.
----------------------------------------------------------------------