[Mailman-Users] **Nevermind*** Security Breach by spammer on one of my lists?

Brendan Chard chardlist at chard.net
Thu Jun 17 14:17:51 CEST 2004


Turns out that this was a completely valid message.  I recently took over
this list from a host that was using Lyris.  This user was receiving Lyris
messages in "Index Digest" format and he was attempting to retrieve the full
messages from a previous Lyris index by using the "Get" command but
accidentally sent the command to the new mailman list.

Live and learn,

-Brendan

-----Original Message-----
From: mailman-users-bounces at python.org
[mailto:mailman-users-bounces at python.org] On Behalf Of Brendan Chard
Sent: Wednesday, June 16, 2004 9:10 AM
To: mailman-users at python.org
Subject: [Mailman-Users] Security Breach by spammer on one of my lists?

A message went to one of my lists last night that looked very peculiar, like
a spammer.  I'm hoping to get some input to see if it's something I should
be worried about or just a fluke.

I'm running Mailman 2.1.4 on FreeBSD with MailScanner and ClamAV

I have an unmoderated closed list with the membership list viewable by admin
only that is called "probate"

The possible offending message was from a hotmail account that is
legitimately subscribed to the list and all server logs regarding that
message appear to be legit:

The mailman post log says: (I have replaced the user with "USERNAME")

Jun 15 22:13:03 2004 (70197) post to probate from USERNAME at hotmail.com,
size=1846, message-id=<BAY22-F37cf3ednHM3S000529a4 at hotmail.com>, success

The sendmail (maillog) file says: (I have replaced the user with "USERNAME")

Jun 15 22:10:11 server2 sm-mta-in[5288]: i5G2AAhS005288:
from=<USERNAME at hotmail.com>, size=842, class=0, nrcpts=1,
msgid=<BAY22-F37cf3ednHM3S000529a4 at hotmail.com>, proto=ESMTP, daemon=MTA,
relay=bay22-f37.bay22.hotmail.com [64.4.16.87]
Jun 15 22:10:11 server2 MailScanner[72190]: New Batch: Scanning 1 messages,
1390 bytes
Jun 15 22:10:11 server2 MailScanner[72190]: Spam Checks: Starting
Jun 15 22:10:11 server2 MailScanner[72190]: Virus and Content Scanning:
Starting
Jun 15 22:10:12 server2 MailScanner[72190]: Uninfected: Delivered 1 messages
Jun 15 22:10:12 server2 MailScanner[72190]: MailScanner child dying of old
age
Jun 15 22:10:13 server2 MailScanner[5459]: MailScanner E-Mail Virus Scanner
version 4.30.3 starting...
Jun 15 22:10:13 server2 sendmail[5460]: i5G2AAhS005288:
to="|/usr/local/mailman/mail/mailman post probate"..........

The message body itself was empty, but because hotmail advertises on their
outbound messages, it looks like an advertisement.

The subject line however is what concerns me... it says:

"get probate 123423 123355 123372 123389 123405"

I don't think it's from an actual human since it seems like a ridiculous
subject line.

I've moderated the user's account until I get it figured out, but any input
as to what this actually is would be appreciated.


Thanks
-Brendan
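
The log check described in the message above, as an added example that is not part of the original thread: it matches a Mailman post-log entry to the sendmail maillog by message-id, checks the relay host against the sender's domain, and flags a subject shaped like the "get" command mentioned in the follow-up. The function name `triage_post` is hypothetical and the sample lines are constructed from the quoted excerpts, unwrapped to one entry per line with "@" restored.

```python
import re

# Constructed sample lines modelled on the excerpts quoted in the message: one
# entry per line as in the real files, "@" restored from the archive's " at ".
POST_LOG = ("Jun 15 22:13:03 2004 (70197) post to probate from "
            "USERNAME@hotmail.com, size=1846, "
            "message-id=<BAY22-F37cf3ednHM3S000529a4@hotmail.com>, success")
MAILLOG = [
    "Jun 15 22:10:11 server2 sm-mta-in[5288]: i5G2AAhS005288: "
    "from=<USERNAME@hotmail.com>, size=842, class=0, nrcpts=1, "
    "msgid=<BAY22-F37cf3ednHM3S000529a4@hotmail.com>, proto=ESMTP, "
    "daemon=MTA, relay=bay22-f37.bay22.hotmail.com [64.4.16.87]",
    "Jun 15 22:10:12 server2 MailScanner[72190]: Uninfected: Delivered 1 messages",
]
SUBJECT = "get probate 123423 123355 123372 123389 123405"

POST_RE = re.compile(r"post to (?P<list>\S+) from (?P<sender>\S+@(?P<domain>[^,\s]+)),"
                     r".*message-id=(?P<msgid><[^>]+>)")
MTA_RE = re.compile(r"from=<(?P<sender>[^>]*)>.*msgid=(?P<msgid><[^>]+>)"
                    r".*relay=(?P<relay>\S+)")


def triage_post(post_line, maillog_lines, subject):
    """Correlate one Mailman post with the MTA log and classify its subject."""
    post = POST_RE.search(post_line)
    if post is None:
        raise ValueError("not a Mailman post log line")
    result = {"mta_match": False, "relay_in_sender_domain": False}
    domain = post["domain"].lower()
    for line in maillog_lines:
        mta = MTA_RE.search(line)
        if (mta and mta["msgid"] == post["msgid"]
                and mta["sender"].lower() == post["sender"].lower()):
            result["mta_match"] = True
            # The relay name comes from reverse DNS; the bracketed IP is what
            # actually connected, so treat this as a hint, not proof.
            relay = mta["relay"].lower().rstrip(".")
            result["relay_in_sender_domain"] = (
                relay == domain or relay.endswith("." + domain))
    # A subject of "get <this list> <numeric ids>" is shaped like a list-server
    # command sent to the posting address rather than like message content.
    command = rf"get\s+{re.escape(post['list'])}(\s+\d+)+"
    result["misdirected_command"] = bool(
        re.fullmatch(command, subject.strip(), re.IGNORECASE))
    return result


if __name__ == "__main__":
    print(triage_post(POST_LOG, MAILLOG, SUBJECT))
```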

