[Mailman-Users] Re: Virus Just Got Through on TOTALLY MODERATED list.
Dan Mahoney, System Admin
danm at prime.gushi.org
Fri Feb 4 07:49:07 CET 2005
On Thu, 3 Feb 2005, David M.Besonen wrote:
>> I just had a small problem. A virus was just sent to all the list members
>> which had spoofed the moderator's email address. No "requires approval"
>> message was sent, despite the fact that everyone (even the moderator) has
>> the "mod" bit set to "on".
>
> so what happened Dan? 15 people have replied to your post. i'm
> waiting to hear if you discovered anything. did you check the vette
> log?

I saw a lot of people saying "this is why I strip attachments". I saw
Stephanie's (very helpful) post, but when I checked the box she referenced
I found it empty, as I expected. I found that even the list owner's mod
bit (who the virus spoofed) was set, and the list owner in turn scanned
his own machine for virii right after this got out. Nada.

I checked the vette log. The message isn't even in there. Some of the
auto-replies to it are (i.e. "message rejected, it's a virus"). And the
message shows in the pipermail archives.

In the end, this group I'm working with has had a lot of unsubscribes as a
result of this, and are switching to a different system that I'm not
hosting, so I'm a bit apathetic about the whole deal. I'm still sure
there's something I'm missing, and if someone wanted to try and give me a
clue as to how this happened, I've saved that day's sendmail logs, and
I've got all the following:

Here's the message in the archives:
http://lists.vagrassroots.org/pipermail/vgc-announce/2005q1/000038.html

Here's a snippet of that day's vette log:
Jan 26 21:26:54 2005 (39137) Vgc-announce post from
ericgraves at earthlink.net held, message-id=<01a901c50416$42a15c70$a3bafea9
@micronxp>: Message has implicit destination
Jan 26 21:28:58 2005 (3682) held message approved, message-id:
<01a901c50416$42a15c70$a3bafea9 at micronxp>
Jan 26 21:28:58 2005 (3682) vgc-announce: Discarded posting:
From: tfinnman2 at aol.com
Subject: Fwd: FW: Media Advisory
Reason: No reason given
Jan 27 23:12:05 2005 (39137) Vgc-announce post from
chirpybird.mac at mindspring.com held, message-id=<05b001c504ef$a199e740$6b0
c45cf at molly>: Post to moderated list
Jan 27 23:25:36 2005 (39137) Vgc-announce post from
ericgraves at earthlink.net held, message-id=<010901c504ef$fe21a5c0$a3bafea9
@micronxp>: Post to moderated list
Jan 27 23:27:42 2005 (39495) held message approved, message-id:
<010901c504ef$fe21a5c0$a3bafea9 at micronxp>
Jan 27 23:27:43 2005 (39495) vgc-announce: Refused posting:
From: chirpybird.mac at mindspring.com
Subject: Reply: virus in your message from: [Virginia Grassroots
Coalition] Delivery by mail
Reason: No reason given
Jan 28 08:46:48 2005 (39137) Vgc-announce post from eric at vagrassroots.org
held, message-id=<nposdocvhojlaxmnuob at vagrassroots.
org>: Post by non-member to a members-only list
Jan 28 08:53:02 2005 (99241) vgc-announce: Discarded posting:
From: eric at vagrassroots.org
Subject: Delivery service mail
Reason: No reason given

Here's the full headers of the thing:
Return-Path: <vgc-announce-bounces+varoots=gushi.org at vagrassroots.org>
Received: from prime.gushi.org (localhost [IPv6:::1])
by prime.gushi.org (8.13.1/8.13.1) with ESMTP id j0S2GH5b080701
for <varoots at gushi.org>; Thu, 27 Jan 2005 22:50:56 -0500 (EST)
Received: from ROBERTA.net (pcp08579508pcs.alxndr01.va.comcast.net
[68.83.208.54])
by prime.gushi.org (8.13.1/8.13.1) with SMTP id j0S2FV8o080233
for <vgc-announce at vagrassroots.org>;
Thu, 27 Jan 2005 21:15:35 -0500 (EST)
Date: Thu, 27 Jan 2005 21:05:09 -0500
From: "Ericgraves" <ericgraves at earthlink.net>
Message-ID: <qekkbjguqcsiaoconcz at vagrassroots.org>
MIME-Version: 1.0
X-Security: MIME headers sanitized on prime.gushi.org
See http://www.impsec.org/email-tools/sanitizer-intro.html
for details. $Revision: 1.139 $Date: 2003-09-07 10:14:23-07
X-Security: The postmaster has not enabled quarantine of poisoned
messages.
Content-Type: multipart/mixed; boundary="--------qptymaiwwlishntudcfk"
Subject: [Virginia Grassroots Coalition] Delivery by mail
X-BeenThere: vgc-announce at vagrassroots.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: Eric at vagrassroots.org
Cc: Virginia Grassroots Coalition Broadcast
<vgc-announce at vagrassroots.org>
List-Id: Virginia Grassroots Coalition Broadcast
<vgc-announce.vagrassroots.org>
List-Unsubscribe:
<http://lists.vagrassroots.org/mailman/listinfo/vgc-announce>,
<mailto:vgc-announce-request at vagrassroots.org?subject=unsubscribe>
List-Archive: <http://lists.vagrassroots.org/pipermail/vgc-announce>
List-Help: <mailto:vgc-announce-request at vagrassroots.org?subject=help>
List-Subscribe:
<http://lists.vagrassroots.org/mailman/listinfo/vgc-announce>,
<mailto:vgc-announce-request at vagrassroots.org?subject=subscribe>
To: varoots at gushi.org
Sender: vgc-announce-bounces+varoots=gushi.org at vagrassroots.org
Errors-To: vgc-announce-bounces+varoots=gushi.org at vagrassroots.org
X-Envelope-To: varoots at gushi.org
X-Spam-Checker-Version: SpamAssassin 3.0.2 (2004-11-16) on prime.gushi.org
X-Spam-Status: No, score=2.7 required=5.0 tests=BAYES_00,HTML_50_60,
HTML_MESSAGE,HTML_SHORT_LENGTH,MSGID_SPAM_LETTERS,RCVD_IN_NJABL_DUL,
RCVD_IN_SORBS_DUL autolearn=no version=3.0.2
X-Spam-Level: **
P
>
> ciao,
> david
>
--
I am now a lesbian. I don't like men, but thank you for writing.
-Reply to my response to a personal ad, May 30th, 1998.
--------Dan Mahoney--------
Techie, Sysadmin, WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144 AIM: LarpGM
Site: http://www.gushi.org
---------------------------
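
The check described in the post (looking for the delivered message in the vette log), as an added example that is not part of the original message and is not Mailman's own code. It parses "held" and "held message approved" entries and reports whether a delivered Message-ID ever went through the moderation hold path. The sample lines are taken from the excerpt above with the line wraps rejoined; the function names and the three result labels are assumptions made for this sketch.

```python
import re

# Sample lines taken from the vette log excerpt in the post, with the
# mail-client line wraps rejoined (addresses keep the archive's " at " form).
VETTE_LOG = """\
Jan 27 23:12:05 2005 (39137) Vgc-announce post from chirpybird.mac at mindspring.com held, message-id=<05b001c504ef$a199e740$6b0c45cf at molly>: Post to moderated list
Jan 27 23:25:36 2005 (39137) Vgc-announce post from ericgraves at earthlink.net held, message-id=<010901c504ef$fe21a5c0$a3bafea9 at micronxp>: Post to moderated list
Jan 27 23:27:42 2005 (39495) held message approved, message-id: <010901c504ef$fe21a5c0$a3bafea9 at micronxp>
Jan 28 08:46:48 2005 (39137) Vgc-announce post from eric at vagrassroots.org held, message-id=<nposdocvhojlaxmnuob at vagrassroots.org>: Post by non-member to a members-only list
"""

# Message-ID header of the virus mail as delivered to subscribers (from the post).
DELIVERED_ID = "<qekkbjguqcsiaoconcz at vagrassroots.org>"

HELD = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]+ \d{4}) \(\d+\) (?P<list>\S+) post from "
                  r"(?P<sender>.+?) held, message-id=(?P<mid><[^>]*>): (?P<reason>.*)$")
APPROVED = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]+ \d{4}) \(\d+\) held message approved, "
                      r"message-id: (?P<mid><[^>]*>)$")

def norm(mid):
    """Compare ids regardless of case, spacing, or ' at ' archive obfuscation."""
    return re.sub(r"\s+", "", mid.replace(" at ", "@")).lower()

def moderation_history(log_text):
    """Map normalized message-id -> list of (timestamp, event, detail)."""
    history = {}
    for line in log_text.splitlines():
        m = HELD.match(line)
        if m:
            event = (m["ts"], "held", f'{m["sender"]}: {m["reason"]}')
        else:
            m = APPROVED.match(line)
            if not m:
                continue
            event = (m["ts"], "approved", "")
        history.setdefault(norm(m["mid"]), []).append(event)
    return history

def classify(message_id, history):
    """'approved', 'held-only', or 'never-held' for one delivered message."""
    events = [e[1] for e in history.get(norm(message_id), [])]
    if "approved" in events:
        return "approved"
    return "held-only" if events else "never-held"

if __name__ == "__main__":
    hist = moderation_history(VETTE_LOG)
    print(DELIVERED_ID, "->", classify(DELIVERED_ID, hist))
```

A "never-held" result for a message that nevertheless appears in the archives matches what the post reports: the delivery left no hold or approval record in this log.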