[Mailman-Users] Targeted attack against german universities using mailman

Sebastian Hagedorn Hagedorn at uni-koeln.de
Tue May 9 08:17:01 EDT 2017


Hi,

--On 9. Mai 2017 um 14:01:56 +0200 Julian Kippels <kippels at hhu.de> wrote:

> there seems to be a targeted attack against public mailman lists at
> German universities at the moment. I have heard from 3 separate unis
> having this problem, Regensburg, Münster and us in Düsseldorf.
>
> As far as I can see this attack works like this:
> A mail with envelope-from www-data at dreadnoughtpc.com and From:-Header
> "Jennifer Lankford" <esag-theater-owner at uni-duesseldorf.de> is
> delivered to our list esag-theater at uni-duesseldorf.de
> This list is configured only to accept mails from members and to hold
> all other mails for the moderators to inspect.
> The mail is correctly held to be moderated BUT it is also forwarded to
> all members with From:-Header "Jennifer Lankford"
> <real.address.of.owner at uni-duesseldorf.de>
>
> I can't see why or how this could work. What am I missing?
> We are using Mailman 2.1.15

We (Cologne University) were also affected. I think you might see two 
different messages. As far as I can tell the only messages that got through 
to moderated lists were those where the From:-header has an unmoderated 
address for the list.

The bigger issue is that clearly the admin addresses of all lists were 
scraped from the public listinfo pages. This means that the same thing 
could happen again anytime. :-(

I have set our most critical lists to emergency moderation, but that's not 
really practical in the long run.

Sebastian
-- 
    .:.Sebastian Hagedorn - Weyertal 121 (Gebäude 133), Zimmer 2.02.:.
                 .:.Regionales Rechenzentrum (RRZK).:.
   .:.Universität zu Köln / Cologne University - ✆ +49-221-470-89578.:.
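
The observation in the message above, that only mails whose From:-header carried an unmoderated address got through, suggests comparing the SMTP envelope sender with the From: header before a post reaches the list. The following is an added example, not part of the original post and not Mailman code; the domains, addresses and function names are constructed assumptions.

```python
from email import message_from_string
from email.utils import getaddresses

# Assumptions (constructed, not from the post): the site's own mail domains
# and the addresses allowed to post to the list without moderation.
LOCAL_DOMAINS = {"uni.example"}
UNMODERATED = {"owner.real@uni.example"}

def domain(addr):
    return addr.rpartition("@")[2].lower()

def spoof_findings(envelope_from, raw_message):
    """Compare the SMTP envelope sender with the From: header addresses."""
    msg = message_from_string(raw_message)
    env_dom = domain(envelope_from)
    findings = []
    for _name, addr in getaddresses(msg.get_all("From", [])):
        addr = addr.lower()
        if env_dom in LOCAL_DOMAINS or not addr:
            continue  # submitted from our own domain, or unparseable header
        if addr in UNMODERATED:
            findings.append(("unmoderated-address-from-outside", addr))
        elif domain(addr) in LOCAL_DOMAINS:
            findings.append(("local-from-external-envelope", addr))
    return findings

# Constructed samples modelled on the two message variants in the thread.
HELD = ('From: "Jennifer Lankford" <somelist-owner@uni.example>\n'
        'To: somelist@uni.example\nSubject: test\n\nbody\n')
DELIVERED = ('From: "Jennifer Lankford" <owner.real@uni.example>\n'
             'To: somelist@uni.example\nSubject: test\n\nbody\n')
MEMBER = ('From: Member <member@uni.example>\n'
          'To: somelist@uni.example\nSubject: hi\n\nbody\n')

if __name__ == "__main__":
    for env, raw in [("www-data@sender.example", HELD),
                     ("www-data@sender.example", DELIVERED),
                     ("member@uni.example", MEMBER)]:
        print(env, spoof_findings(env, raw))
```

Members who send with a local From: address through an outside provider are flagged as well, so a hit is a reason to hold the post for review rather than to discard it.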

