[ mailman-Bugs-914249 ] Virus posts to moderated lists

SourceForge.net noreply at sourceforge.net
Thu Mar 11 14:36:43 EST 2004

Bugs item #914249, was opened at 2004-03-11 16:28
Message generated for change (Comment added) made by cepstein
You can respond by visiting: 

Category: security/privacy
Group: 2.1 (stable)
Status: Open
Resolution: None
Priority: 5
Submitted By: Ted Peterson (knighted)
Assigned to: Nobody/Anonymous (nobody)
Summary: Virus posts to moderated lists

Initial Comment:
The W32.Beagle virus has been able to post multiple 
times to a moderated Mailman 2.1.3 mailing list, so 
emergency moderation of the list has been enabled.
At least two other people, as reported on 
mailman-users, have had this trouble since last 
Friday, March 5th, when W32.Beagle was spreading.

The virus was posting using a moderator address, so 
that moderator was removed.  The moderator bit is 
and was turned on for all users, including the now 
*sole* moderator.  I can send the mbox archive 
headers to anybody who is interested.  

Mail:  ted <at> ire.org


Comment By: Caleb Epstein (cepstein)
Date: 2004-03-11 19:36

Logged In: YES 

The virus is making it through to the lists by using an 
"envelope-from" (I believe that is the right term) of a valid, 
subscribed list member, but a From: header which is some 
address that does not exist and is not a member of the list 
(usually admin@ or management@ the mailing list's domain).

See for example the message at http://bklyn.

This message appears first in the MTA's logs as:

2004-03-11 16:31:44 1B1T5z-0009zY-00 <= 
SUBSCRIBER at DOMAIN.COM H=(srr2) [] P=smtp 
S=17730 id=pbecvykwgcgqjemyxjx at Etree.org from 
<SUBSCRIBER at DOMAIN.COM> for Announce at etree.org

where SUBSCRIBER at DOMAIN.COM is a valid list subscriber with 
posting privileges.


Comment By: NancyS (nes49)
Date: 2004-03-11 19:15

Logged In: YES 

As one of the other people reporting the problem, let me add 
a bit of info on our experience.

Mailman 2.1.1

My hypothesis now is that one of the people who could post 
without moderation released the virus. [I haven't been able to 
get definitive confirmation of that, but coupling "we were 
having some trouble" with a match on the ISP domain name 
leads me to that guess.] I haven't been able to tie the 
messages to a specific address subscribed to the list, but 
would be glad to probe further if given some direction.

We haven't seen any additional occurrences since turning on 
moderation for all users.

Between the first and second attack, I changed the 
passwords for the affected lists thinking that an Approved: 
header might have been used, but there's no evidence that 
was the case.

mailman <at> sgtst.com


Comment By: dk (karres)
Date: 2004-03-11 17:28

Logged In: YES 

... sorry, hit the submit button too soon...

THe nom-member messages that get past the non-member filter
are being caught by the forced moderation so the messages
are not getting to the list itself.  It does make us nervous


Comment By: dk (karres)
Date: 2004-03-11 17:20

Logged In: YES 

More generally we have only moderated, read-only lists for
our users.  All incoming, non-member messages should be
discarded.  We are seeing a few virus laden messages from
obvious non-members getting past the non-member filters.


You can respond by visiting: 

More information about the Mailman-coders mailing list