[Mailman-Developers] Mailing lists exploited

Jonathan Knight j.knight at keele.ac.uk
Fri May 12 08:13:50 EDT 2017


Hi

Our mailman lists were attacked this morning successfully sending spam to a
large number of our users.

The method was to use the list administrator address found on the public
facing web interface (see here
https://mail.python.org/mailman/listinfo/mailman-developers for an
example).  The X at Y form doesn't pose much of a challenge.

They then crafted email addresses in the envelope sender which matched the
sending IP numbers so our SPF checks passed, but used the list
administrator address in the From: field which avoided moderation in a
number of our lists.  Many of our list administrators either didn't use
moderation, or explicitly allowed their own address to post without
moderation.

I've removed the administrator address display on our lists (thus cleverly
bolting the stable door) and I'm turning on moderation for all
administrator addresses and also checking the sender filters for addresses
that bypass moderation.

So far it's just caused a bit of a flap and made list administrators wonder
if their email account was hacked.

Maybe listing administrator email addresses needs to be a thing of the
past.

-- 
Jonathan Knight
IT Services
Keele University
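The post describes the gap precisely: SPF validated the envelope sender (which the spammer controlled), while the moderation decision looked at the visible From: header (which the spammer forged to the owner address found on the listinfo page). A defender-side check that a list administrator can run on held or incoming messages is to compare those two addresses whenever From: claims to be a list owner. The script below is an added example, not code from the original post or from Mailman itself; the owner addresses, domains and sample messages are constructed, and it assumes the MTA has recorded the envelope sender in a Return-Path header before the message reaches the check.

```python
import email
from email.utils import parseaddr

# Constructed sample data (hypothetical domain, not from the original post):
# the owner/admin addresses that a public listinfo page would reveal.
OWNER_ADDRS = {"ourlist-owner@example.ac.uk", "it-admin@example.ac.uk"}


def _addr(header_value):
    """Extract a bare, lower-cased address from a header value (or '')."""
    return parseaddr(header_value or "")[1].strip().lower()


def classify(raw_bytes, owner_addrs=OWNER_ADDRS):
    """Decide whether one inbound post should be held for moderation.

    Returns ("hold", reason) or ("accept", reason).  The only rule applied
    here is the one the incident exposed: a From: header matching a list
    owner is trusted only when the envelope sender is the same address.
    Everything else is left to the list's normal moderation settings.
    """
    msg = email.message_from_bytes(raw_bytes)
    owners = {a.lower() for a in owner_addrs}
    from_addr = _addr(msg.get("From"))
    # Assumption: the MTA added Return-Path from the SMTP MAIL FROM, so this
    # is the address SPF actually evaluated.
    envelope = _addr(msg.get("Return-Path"))

    if from_addr not in owners:
        return "accept", "From: is not a list owner; normal moderation applies"
    if not envelope:
        return "hold", "From: claims a list owner but no envelope sender is recorded"
    if envelope != from_addr:
        return "hold", f"From: {from_addr} but envelope sender is {envelope}"
    return "accept", "From: and envelope sender agree on the owner address"


# Constructed messages illustrating the three cases.
SPOOFED = (
    b"Return-Path: <bounce-4711@mail.spam-sender.example>\r\n"
    b"From: Jonathan <ourlist-owner@example.ac.uk>\r\n"
    b"To: ourlist@example.ac.uk\r\n"
    b"Subject: Special offer\r\n\r\nbuy now\r\n"
)
LEGIT = (
    b"Return-Path: <ourlist-owner@example.ac.uk>\r\n"
    b"From: ourlist-owner@example.ac.uk\r\n"
    b"To: ourlist@example.ac.uk\r\n"
    b"Subject: Maintenance window\r\n\r\nThe list will be down tonight.\r\n"
)
ORDINARY = (
    b"Return-Path: <student@example.ac.uk>\r\n"
    b"From: student@example.ac.uk\r\n"
    b"To: ourlist@example.ac.uk\r\n"
    b"Subject: Question\r\n\r\nIs there a meeting tomorrow?\r\n"
)


def demo():
    """Run the check over the constructed samples; returns {name: decision}."""
    return {
        "spoofed": classify(SPOOFED)[0],
        "legit": classify(LEGIT)[0],
        "ordinary": classify(ORDINARY)[0],
    }


if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("legit", LEGIT), ("ordinary", ORDINARY)):
        decision, reason = classify(raw)
        print(f"{name:9s} -> {decision:6s} ({reason})")
```

The same comparison can be expressed as a holding rule in a list's spam filters once the owner addresses are known, but the script is also useful after the fact: run over the archive of the morning's messages it separates posts where the owner address was forged from those the owner actually sent, which is the question the list administrators in the post were asking about their own accounts.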

