[Mailman-Users] Mail Lists, Authorized Posters and Virus/Worm Access
r.barrett at openinfo.co.uk
Wed May 5 11:37:21 CEST 2004
On 5 May 2004, at 09:28, Bob Bowers wrote:
> In my community last week, someone gained access to a mail list with
> hundreds of subscribers by mimicking an email address authorized to
> post to the list (moderation bit set OFF). In such a case, moderator
> approval was not required. What resulted was that a worm of the
> W32Beagle variety was sent to many hundreds of subscribers. I have
> changed all my mail lists to require active moderation of all posts
> (moderation bits are ON for all subscribers), and automatic rejection
> of all posts from non-members.
>
> It appears that it was just a matter of time for someone with ill
> intent to figure out that the "from" address in a message from a mail
> list might represent access to the mail list for mischief. It would
> not appear accidental that a virus or worm operating on some
> unsuspecting individual's computer accidentally sent itself to the
> posting address of a mail list as well as from an authorized email
> address. It is more likely that it was deliberate.
I doubt that the virus writer was targeting mailing lists in this
considered fashion; to them, a mail alias is just a mail alias.

I understand these virus types use the MUA address book on machines they
infect as a source of mail addresses to send their progeny on to. One of
your list's subscribers was probably the source of the infected message
and your list's address just one of a number pillaged from that user's
address book as destinations by a promiscuous virus.

In my view, running effective virus (and spam) filtering on your
incoming MTA is the secret of happiness. It keeps viruses away from
both your lists' and your real users' mail aliases, and it means
you do not have to moderate everything if the virus-loaded messages are
being silently dropped in the bit bucket by the MTA.
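The point made in both messages, as an added example that is not part of the original thread: a membership check on the From header accepts a message that merely names a subscriber, while a content filter in front of the list drops it regardless of who it claims to be from. The roster, the blocked-extension list, the sample message and the decision names are all constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Hypothetical list roster and blocked attachment extensions (assumptions).
MEMBERS = {"alice@example.org", "bob@example.org"}
BLOCKED_EXT = (".exe", ".scr", ".pif", ".com", ".cpl")

# Constructed sample: the From header names a member, but nothing in the
# message proves that member actually sent it.
RAW_INFECTED = """\
From: Alice <alice@example.org>
To: community-list@example.org
Subject: Re: document
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

see attached
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="document.txt.scr"
Content-Transfer-Encoding: base64

cGxhY2Vob2xkZXI=
--b1--
"""

def from_is_member(msg):
    """The only check an unmoderated member post gets: a header lookup."""
    return parseaddr(msg.get("From", ""))[1].lower() in MEMBERS

def blocked_attachments(msg):
    """Filenames of parts whose extension is on the block list."""
    names = [part.get_filename() or "" for part in msg.walk()]
    return [n for n in names if n.lower().endswith(BLOCKED_EXT)]

def mta_decision(raw):
    """Content filter first; membership only matters for what survives."""
    msg = message_from_string(raw)
    if blocked_attachments(msg):
        return "drop"
    return "deliver" if from_is_member(msg) else "hold"
```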