[mailman-users] member-only lists and non-member postings

Ted Peterson ted at nicar.org
Wed Mar 10 18:41:00 CET 2004 

The same as Nancy, I am also seeing viruses (W32Beagle) on moderated
Mailman lists since last Friday, March 5th.  Here are the mbox
headers if anybody has a clue:

> From aajaonline-admin at svr1.nicar.org Wed Mar 10 01:17:14 2004
> Received: from TOSHIBA-ERIK (ool-4352a0c2.dyn.optonline.net
> [67.82.160.194])
>         by svr1.nicar.org (8.12.10/8.12.10) with SMTP id
>         i2A1HCMh013231 for <aajaonline at aaja.org>; Wed, 10 Mar 2004
>         01:17:13 GMT
> Date: Tue, 09 Mar 2004 20:17:07 -0800
> To: aajaonline at aaja.org
> From: National at aaja.org
> Message-ID: <qwounnxrcclimtadjqw at aaja.org>
> MIME-Version: 1.0
> Content-Type: multipart/mixed; boundary="--------ymseoxktfqrivsnemwfk"
> X-Spam-Status: No, hits=0.3 required=5.0 tests=NO_REAL_NAME,YOU_WON 
>         autolearn=no version=2.60
> X-Spam-Checker-Version: SpamAssassin 2.60 (1.212-2003-09-23-exp) on 
>         svr1.nicar.org
> Subject: [AAJAOnline] Weeeeee! ;)))
> X-BeenThere: aajaonline at aaja.org
> X-Mailman-Version: 2.1.3
> Precedence: list
> List-Id: AAJAOnline <aajaonline.aaja.org>
> List-Unsubscribe: <http://lists.aaja.org/mailman/listinfo/aajaonline>,
>         <mailto:aajaonline-request at aaja.org?subject=unsubscribe>
> List-Archive: <http://lists.aaja.org/mailman/private/aajaonline>
> List-Post: <mailto:aajaonline at aaja.org>
> List-Help: <mailto:aajaonline-request at aaja.org?subject=help>
> List-Subscribe: <http://lists.aaja.org/mailman/listinfo/aajaonline>,
>         <mailto:aajaonline-request at aaja.org?subject=subscribe>
> X-List-Received-Date: Wed, 10 Mar 2004 01:17:14 -0000

Thanks.
Ted Peterson
IRE/NICAR Web Administrator

On Fri, 05 Mar 2004 10:25:24 -0800, Nancy S wrote:
Subject: Re: [mailman-users] member-only lists and non-member
postings 

At 11:42 AM 3/5/04 -0500,  Dean Karres wrote:
>Two days ago we received several spam / virus loaded messages from
>obviously fake non-members on a few of our mailing lists.  All were
>stopped and discarded -- except two.  Those two messages were aimed 
at
>out largest mailing list.

In the last 48 hours, two messages with faked (nonmember) addresses 
and virus 
attachments got through to our member-only lists. Between the first 
and second attack, 
I changed the administrator and moderator passwords and I haven't 
shared the new 
passwords with anyone. One of the lists is *very* tightly controlled 
and none of the 3 
folks who could post without moderation has reported their system 
being compromised. 
The logfiles show nothing but the messages going through as if they 
had been from 
unmoderated members of the list (but the sender in the logfile is 
clearly a 
nonmember). I don't see anything in the headers of the messages that 
would indicate 
why they bypassed the moderator.

While this doesn't answer Dean's question about how to compare the 
configurations of 
two lists, my gut is telling me the lists are properly configured and 
something else 
is going on. Any clues would be appreciated.

Thanks!

-Nancy

More information about the Mailman-Users mailing list