[Mailman-Users] Re: Virus Just Got Through on TOTALLYMODERATED list.

Mark Sapiro msapiro at value.net
Sat Feb 5 19:57:26 CET 2005

Brad Knowles wrote:

>At 1:49 AM -0500 2005-02-04, Dan Mahoney, System Admin wrote:
>>  I checked the vette log.  The message isn't even in there.  Some of the
>>  auto-replies to it are (i.e. "message rejected, it's a virus").  And
>>  the message shows in the pipermail archives.
>	In that case, are you sure that the message passed through your 
>system?  Maybe the virus spoofed more than just your moderators 
>>  Here's the full headers of the thing:
>>  Return-Path: <vgc-announce-bounces+varoots=gushi.org at vagrassroots.org>
>>  Received: from prime.gushi.org (localhost [IPv6:::1])
>>      by prime.gushi.org (8.13.1/8.13.1) with ESMTP id j0S2GH5b080701
>>      for <varoots at gushi.org>; Thu, 27 Jan 2005 22:50:56 -0500 (EST)
>>  Received: from ROBERTA.net (pcp08579508pcs.alxndr01.va.comcast.net
>>      [])
>>      by prime.gushi.org (8.13.1/8.13.1) with SMTP id j0S2FV8o080233
>>      for <vgc-announce at vagrassroots.org>;
>>      Thu, 27 Jan 2005 21:15:35 -0500 (EST)
>	I only see two Received: headers here.  This is not nearly 
>enough.  There's a lot of data that appears to be missing.

I think the two Received: headers could be enough considering the worm
probably has it's own SMTP engine. The way to answer this for sure is
to see if it is in the 'post' log.

The real problem is that other than Brad's suggestion above, these
headers really don't tell us much. What we'd really like to see is the
incoming message as received by Mailman. Of course, there's no way to
do that.

Mark Sapiro <msapiro at value.net>       The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

More information about the Mailman-Users mailing list