[Mailman-Users] Targeted attack against german universities using mailman
kippels at hhu.de
Wed May 10 07:38:06 EDT 2017
On Tue, 9 May 2017 16:39:41 +0200
Julian Kippels <kippels at hhu.de> wrote:
> On Tue, 09 May 2017 14:17:01 +0200
> Sebastian Hagedorn <Hagedorn at uni-koeln.de> wrote:
> > Hi,
> > --On 9 May 2017 at 14:01:56 +0200 Julian Kippels <kippels at hhu.de>
> > wrote:
> > > there seems to be a targeted attack against public mailman lists
> > > at German universities at the moment. I have heard from 3
> > > separate unis having this problem, Regensburg, Münster and us in
> > > Düsseldorf.
> > >
> > > As far as I can see this attack works like this:
> > > A mail with envelope-from www-data at dreadnoughtpc.com and
> > > From:-Header "Jennifer Lankford"
> > > <esag-theater-owner at uni-duesseldorf.de> is delivered to our list
> > > esag-theater at uni-duesseldorf.de. This list is configured only to
> > > accept mails from members and to hold all other mails for the
> > > moderators to inspect. The mail is correctly held to be moderated
> > > BUT it is also forwarded to all members with From:-Header
> > > "Jennifer Lankford" <real.address.of.owner at uni-duesseldorf.de>
> > >
> > > I can't see why or how this could work. What am I missing?
> > > We are using Mailman 2.1.15
> > we (Cologne University) were also affected. I think you might see
> > two different messages. As far as I can tell the only messages that
> > got through to moderated lists were those where the From:-header
> > has an unmoderated address for the list.
> > The bigger issue is that clearly the admin addresses of all lists
> > were scraped from the public listinfo pages. This means that the
> > same thing could happen again anytime. :-(
> > I have set our most critical lists to emergency moderation, but
> > that's not really practical in the long run.
> > Sebastian
> I am pretty confident that these were not two different messages. I
> have compared the mail headers of both the mail that was held and the
> one that was delivered. Everything apart from the headers mailman adds
> is exactly the same. Same timestamps, same message-ids, and so on...
I am sorry, I have rechecked my findings… yes, those were 2 different
mails with different headers. Sorry for the confusion.
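The bypass described in this thread relies on the list trusting the From: header alone. As an added example (not code from this thread or from Mailman itself), the check below cross-checks the From: address against the envelope sender and the list's own role aliases before accepting a post; the list name, the trusted member address and the sample message are constructed from the thread's description and are not real data.

```python
import email
from email.utils import parseaddr

# Constructed sample mirroring the thread: envelope sender on a foreign domain,
# From: header claiming the list's own -owner role address.
ENVELOPE_FROM = "www-data@dreadnoughtpc.com"
RAW_MESSAGE = b"""From: "Jennifer Lankford" <esag-theater-owner@uni-duesseldorf.de>
To: esag-theater@uni-duesseldorf.de
Subject: constructed sample
Message-ID: <constructed-1@example.invalid>

body
"""

LIST_NAME = "esag-theater"            # list from the thread
LIST_DOMAIN = "uni-duesseldorf.de"
TRUSTED = {"member@uni-duesseldorf.de"}  # hypothetical unmoderated poster


def privileged_addresses(list_name, list_domain):
    """Role aliases a Mailman 2.1 list answers to; treated here as never
    being a legitimate poster's From: (a policy assumption of this example)."""
    roles = ("owner", "admin", "request", "bounces")
    return {f"{list_name}-{role}@{list_domain}" for role in roles}


def assess(raw_message, envelope_from, list_name, list_domain, trusted):
    """Return ('hold' | 'accept', reason). A trusted From: address is only
    honoured when the envelope sender's domain agrees with it."""
    msg = email.message_from_bytes(raw_message)
    _, hdr_from = parseaddr(msg.get("From", ""))
    hdr_from = hdr_from.lower()
    hdr_domain = hdr_from.rsplit("@", 1)[-1]
    env_domain = envelope_from.lower().rsplit("@", 1)[-1]
    if hdr_from in privileged_addresses(list_name, list_domain):
        return "hold", f"From: claims list role address {hdr_from}"
    if hdr_from in trusted and env_domain != hdr_domain:
        return "hold", f"From: is trusted but envelope domain {env_domain} differs"
    if hdr_from in trusted:
        return "accept", "trusted sender with consistent envelope domain"
    return "hold", "non-member"


if __name__ == "__main__":
    print(assess(RAW_MESSAGE, ENVELOPE_FROM, LIST_NAME, LIST_DOMAIN, TRUSTED))
```

Holding rather than rejecting keeps legitimate members who post through a third-party relay reviewable by the moderators; SPF/DMARC alignment enforced at the MTA is the more complete fix for the spoofed From: itself.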