[Mailman-Users] Mail Lists, Authorized Posters and Virus/Worm Access

[Richard Barrett]

On 5 May 2004, at 09:28, Bob Bowers wrote:

> In my community last week, someone gained access to a mail list with 
> hundreds of subscribers by mimicking an email address authorized to 
> post to the list (moderation bit set OFF). In such a case, moderator 
> approval was not required. What resulted was that a worm of the 
> W32Beagle variety was sent to many hundreds of subscribers. I have 
> changed all my mail lists to require active moderation of all posts 
> (moderation bits are ON for all subscribers), and automatic rejection 
> of all posts from non-members.
>
> It appears that it was just a matter of time for someone with ill 
> intent to figure out that the "from" address in a message from a mail 
> list might represent access to the mail list for mischief. It would 
> not appear accidental that a virus or worm operating on some 
> unsuspecting individual's computer accidentally sent itself to the 
> posting address of a mail list as well as from an authorized email 
> address. It is more likely that it was deliberate.

I doubt that the virus writer was targeting mailing lists in this 
considered fashion; to them, a mail alias is just a mail alias.

I understand these virus types use the MUA address book on machines it 
infects as a source of mail address to send its progeny on to. One of 
your list's subscribers was probably the source of the infected message 
and your list's address just one of a number pillaged from that user's 
address book as destinations by a promiscuous virus.

In my view, running effective virus (and spam) filtering on your 
incoming MTA is the secret of happiness. It keeps viruses away from 
your both your lists' and your real users' mail aliases, and it means 
you do not have to moderate everything if the virus loaded messages are 
being silently dropped in the bit bucket by the MTA.