[Mailman-Users] Re: Virus Just Got Through on TOTALLYMODERATEDlist.

Dan Mahoney, System Admin danm at prime.gushi.org
Tue Feb 8 15:59:22 CET 2005


On Sat, 5 Feb 2005, Mark Sapiro wrote:

> Dan Mahoney wrote:
>
>> On Sat, 5 Feb 2005, Jeff Groves wrote:
>>
>>>> I think the two Received: headers could be enough considering the worm
>>>> probably has its own SMTP engine. The way to answer this for sure is
>>>> to see if it is in the 'post' log.
>>
>> Jan 27 22:55:10 2005 (39139) post to vgc-announce from
>> ericgraves at earthlink.net, size=39384,
>> message-id=<qekkbjguqcsiaoconcz at vagrassroots.org>, success
>>
>>> I agree with Mark and would go even further that it is all you need to know.
>>> The pcp08579508pcs.alxndr01.va.comcast.net address, which is indicative of a
>>> Comcast end-user in Alexandria, Virginia, is plenty to know that the user
>>> that had the address at the particular time (Thu, 27 Jan 2005 21:15:35 -0500
>>> (EST)) was infected with some type of worm.
>>
>> Jeff, I had already worked out that much.  And it might have trolled the
>> list posting address from an address book or a previous email...but...
>>
>> 1) (This is the question I've been wanting the answer to the whole
>> time)...Why did it not require approval?  When Eric Graves (the same guy,
>> same email address, the list owner and moderator), goes to make a post, it
>> gets held back with a "requires approval".  Up until recently, we took
>> this as a sign that security was as it should be.  Even if someone spoofed
>> the email address, we'd have a chance to catch it.
>
> We clearly don't know the answer to this. Assuming it is in the 'post'
> log and thus for sure came from the list and wasn't just spoofed to
> look like it came from the list, the only way I know for it to get
> through is if it contained an Approved: header or first line with the
> list password.
>
> There was some conjecture earlier in this thread about how this might
> happen, but it seems highly unlikely and the characteristics of
> w32.beagle.ba at mm which you identified in the OP would seem to preclude
> it, so I'm at a loss for an explanation.
>
>> 2) Why isn't it in the vette log?
>
> Because it wasn't held for approval.
>
>> 3) If the worm spoofed all the x-mailman headers and everything, and
>> magically managed to insert itself into the pipermail archives, why are
>> the logs missing?
>
> I forgot you said it was in the archive. Was there an entry in the
> 'post' log? Was there an entry or entries in the 'smtp' log? If these
> are absent, it may be a clue.
>
> As I said before, the information we really need in order to figure
> this out would be the post as received by Mailman, not the one sent
> out, but there's no way to get this from Mailman after the fact.

*that* is a problem.  I see no reason there shouldn't be an option to log 
this (either in the archives or a logfile, or maybe a "view original post" 
option in the archives, something possibly admin-only?).

-Dan

--

"You're not normal!"

-Michael G. Kessler, referring to my modem online time.


--------Dan Mahoney--------
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---------------------------
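Added example, not code from the thread or from Mailman itself: a small Python script that does the correlation Mark asks for, matching a message-id across Mailman's post, vette and smtp logs to show whether a message was held before it went out. The post line copies the format Dan quoted above; the vette and smtp line formats and every sample entry are constructed assumptions, not real log data.

```python
import re
from collections import defaultdict

# Constructed sample logs in Mailman 2.1 style. The first post line mirrors the
# entry quoted in the thread; the vette/smtp formats are assumed, not verified.
POST_LOG = """\
Jan 27 22:55:10 2005 (39139) post to vgc-announce from ericgraves at earthlink.net, size=39384, message-id=<qekkbjguqcsiaoconcz at vagrassroots.org>, success
Jan 28 09:12:01 2005 (39201) post to vgc-announce from owner at example.org, size=1200, message-id=<legit-1 at example.org>, success
Jan 28 10:00:00 2005 (39250) post to vgc-announce from owner at example.org, size=900, message-id=<lost-2 at example.org>, success
"""
VETTE_LOG = """\
Jan 28 09:10:44 2005 (39201) vgc-announce post from owner at example.org held, message-id=<legit-1 at example.org>: Post to moderated list
"""
SMTP_LOG = """\
Jan 27 22:55:11 2005 (39139) <qekkbjguqcsiaoconcz at vagrassroots.org> smtp for 412 recips, completed in 2.310 seconds
Jan 28 09:12:02 2005 (39201) <legit-1 at example.org> smtp for 412 recips, completed in 2.105 seconds
"""

# The archive rewrites '@' as ' at ', so match anything between angle brackets.
MSGID = re.compile(r"<([^>]+)>")


def index_by_msgid(text):
    """Map each message-id found in a log to the lines that mention it."""
    idx = defaultdict(list)
    for line in text.splitlines():
        m = MSGID.search(line)
        if m:
            idx[m.group(1)].append(line)
    return idx


def trace(post_log, vette_log, smtp_log):
    """For each message-id in the post log, say which other logs saw it.

    'unmoderated': sent out with no vette entry; on a fully moderated list this
                   is the case to investigate (Approved: header or password line).
    'moderated':   held in vette, later approved and delivered.
    'not-sent':    logged as posted but no smtp entry, i.e. never delivered.
    """
    post, vette, smtp = (index_by_msgid(t) for t in (post_log, vette_log, smtp_log))
    report = {}
    for mid in post:
        held, delivered = mid in vette, mid in smtp
        if not delivered:
            verdict = "not-sent"
        elif held:
            verdict = "moderated"
        else:
            verdict = "unmoderated"
        report[mid] = {"held": held, "delivered": delivered, "verdict": verdict}
    return report
```

Run it against the real $prefix/logs/post, vette and smtp files by reading them into the three arguments; any message on a moderated list that comes back "unmoderated" is the one whose original, as received, you would want preserved.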