[ mailman-Bugs-914249 ] Virus posts to moderated lists

SourceForge.net noreply at sourceforge.net
Fri Mar 19 11:12:48 EST 2004


Bugs item #914249, was opened at 2004-03-11 11:28
Message generated for change (Comment added) made by sekhar-cu
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=100103&aid=914249&group_id=103

Category: security/privacy
Group: 2.1 (stable)
Status: Open
Resolution: None
Priority: 5
Submitted By: Ted Peterson (knighted)
Assigned to: Nobody/Anonymous (nobody)
Summary: Virus posts to moderated lists

Initial Comment:
The W32.Beagle virus has been able to post multiple 
times to a moderated Mailman 2.1.3 mailing list, so 
emergency moderation of the list has been enabled.
At least two other people, as reported on 
mailman-users, have had this trouble since last 
Friday, March 5th, when W32.Beagle was spreading.

The virus was posting using a moderator address, so 
that moderator was removed.  The moderator bit is 
and was turned on for all users, including the now 
*sole* moderator.  I can send the mbox archive 
headers to anybody who is interested.  

Mail:  ted <at> ire.org
--Ted



----------------------------------------------------------------------

Comment By: Sekhar Ramakrishnan (sekhar-cu)
Date: 2004-03-19 11:12

Message:
Logged In: YES 
user_id=1001877

I don't know if this is the same bug, but a Mailman 2.1.3
members-only list that I administer had two messages that
got through, one from staff@<listdomain> and the other from
management@<listdomain>. Other messages at the same time
from official-sounding id's on our domain got held up as
being from nonmembers.

Sekhar

----------------------------------------------------------------------

Comment By: NancyS (nes49)
Date: 2004-03-11 15:01

Message:
Logged In: YES 
user_id=995718

As one of the other people reporting the problem, let me add 
a bit of info on our experience.

Mailman 2.1.1

My hypothesis now is that one of the people who could post 
without moderation released the virus. [I haven't been able to 
get definitive confirmation of that, but coupling "we were 
having some trouble" with a match on the ISP domain name 
leads me to that guess.] I haven't been able to tie the 
messages to a specific address subscribed to the list, but 
would be glad to probe further if given some direction.

We haven't seen any additional occurrences since turning on 
moderation for all users.

Between the first and second attack, I changed the 
passwords for the affected lists thinking that an Approved: 
header might have been used, but there's no evidence that 
was the case.

-Nancy
mailman <at> sgtst.com

----------------------------------------------------------------------

Comment By: Caleb Epstein (cepstein)
Date: 2004-03-11 14:36

Message:
Logged In: YES 
user_id=36183

The virus is making it through to the lists by using an 
"envelope-from" (I believe that is the right term) of a valid, 
subscribed list member, but a From: header which is some 
address that does not exist and is not a member of the list 
(usually admin@ or management@ the mailing list's domain).

See for example the message at http://bklyn.
org/~cae/mailman-stumper.txt

This message appears first in the MTA's logs as:

2004-03-11 16:31:44 1B1T5z-0009zY-00 <= 
SUBSCRIBER at DOMAIN.COM H=(srr2) [192.168.100.17] P=smtp 
S=17730 id=pbecvykwgcgqjemyxjx at Etree.org from 
<SUBSCRIBER at DOMAIN.COM> for Announce at etree.org

where SUBSCRIBER at DOMAIN.COM is a valid list subscriber with 
posting privileges.



----------------------------------------------------------------------

Comment By: NancyS (nes49)
Date: 2004-03-11 14:15

Message:
Logged In: YES 
user_id=995718

As one of the other people reporting the problem, let me add 
a bit of info on our experience.

Mailman 2.1.1

My hypothesis now is that one of the people who could post 
without moderation released the virus. [I haven't been able to 
get definitive confirmation of that, but coupling "we were 
having some trouble" with a match on the ISP domain name 
leads me to that guess.] I haven't been able to tie the 
messages to a specific address subscribed to the list, but 
would be glad to probe further if given some direction.

We haven't seen any additional occurrences since turning on 
moderation for all users.

Between the first and second attack, I changed the 
passwords for the affected lists thinking that an Approved: 
header might have been used, but there's no evidence that 
was the case.

-Nancy
mailman <at> sgtst.com

----------------------------------------------------------------------

Comment By: dk (karres)
Date: 2004-03-11 12:28

Message:
Logged In: YES 
user_id=995621

... sorry, hit the submit button too soon...

THe nom-member messages that get past the non-member filter
are being caught by the forced moderation so the messages
are not getting to the list itself.  It does make us nervous
though.

----------------------------------------------------------------------

Comment By: dk (karres)
Date: 2004-03-11 12:20

Message:
Logged In: YES 
user_id=995621

More generally we have only moderated, read-only lists for
our users.  All incoming, non-member messages should be
discarded.  We are seeing a few virus laden messages from
obvious non-members getting past the non-member filters.

----------------------------------------------------------------------

You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=100103&aid=914249&group_id=103



More information about the Mailman-coders mailing list