[Mailman-Users] Mail Lists, Authorized Posters and Virus/Worm Access

Lloyd Tennison lloyd_tennison at whoever.com
Wed May 5 11:46:40 CEST 2004


Set the mm_cfg.py and see Default.py for this info:


# The envelope sender is set by the SMTP delivery and is thus less easily
# spoofed than the sender, which is typically just taken from the From: header
# and thus easily spoofed by the end-user.  However, sometimes the envelope
# sender isn't set correctly and this will manifest itself by postings being
# held for approval even if they appear to come from a list member.  If you
# are having this problem, set this variable to No, but understand that some
# spoofed messages may get through.
USE_ENVELOPE_SENDER = No         # MAKE YES!


This will help block some of your problem - unauthorized posts.  The virus checker still goes.




----- Original Message ---------------
>From: Richard Barrett <r.barrett at openinfo.co.uk>
>Subject: Re: [Mailman-Users]  Mail Lists,
>	Authorized Posters and Virus/Worm Access
>Date: Wed, 5 May 2004 10:37:21 +0100
>To: Bob Bowers <b-bowers at cox.net>
>Cc: mailman-users at python.org
>
>On 5 May 2004, at 09:28, Bob Bowers wrote:
>
>> In my community last week, someone gained access to a mail list with 
>> hundreds of subscribers by mimicking an email address authorized to 
>> post to the list (moderation bit set OFF). In such a case, moderator 
>> approval was not required. What resulted was that a worm of the 
>> W32Beagle variety was sent to many hundreds of subscribers. I have 
>> changed all my mail lists to require active moderation of all posts 
>> (moderation bits are ON for all subscribers), and automatic rejection 
>> of all posts from non-members.
>>
>> It appears that it was just a matter of time for someone with ill 
>> intent to figure out that the "from" address in a message from a mail 
>> list might represent access to the mail list for mischief. It would 
>> not appear accidental that a virus or worm operating on some 
>> unsuspecting individual's computer accidentally sent itself to the 
>> posting address of a mail list as well as from an authorized email 
>> address. It is more likely that it was deliberate.
>
>I doubt that the virus writer was targeting mailing lists in this 
>considered fashion; to them, a mail alias is just a mail alias.
>
>I understand these virus types use the MUA address book on machines they 
>infect as a source of mail addresses to send their progeny on to. One of 
>your list's subscribers was probably the source of the infected message 
>and your list's address just one of a number pillaged from that user's 
>address book as destinations by a promiscuous virus.
>
>In my view, running effective virus (and spam) filtering on your 
>incoming MTA is the secret of happiness. It keeps viruses away from 
>both your lists' and your real users' mail aliases, and it means 
>you do not have to moderate everything if the virus loaded messages are 
>being silently dropped in the bit bucket by the MTA.
>
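
The trade-off described in the configuration comment above, as an added example that is not part of the original post and not Mailman's own code: a simplified model of the member check run against the From: header versus the SMTP envelope sender. The addresses, the roster, the function names and the fallback to From: when no envelope sender is available are assumptions made for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample data: the SMTP envelope (MAIL FROM) names the real
# submitter, while the From: header claims to be a list member.
MEMBERS = {"alice@example.org", "bob@example.org"}

SPOOFED = (
    "infected-pc@example.net",            # envelope sender seen by the MTA
    "From: Alice <alice@example.org>\n"
    "To: list@example.org\n"
    "Subject: Re: document\n\nsee attachment\n",
)
# Failure mode named in the config comment: a genuine member whose mail
# system rewrites the envelope sender, so it no longer matches the roster.
REWRITTEN = (
    "bounce-7731@relay.example.com",
    "From: Bob <bob@example.org>\n"
    "To: list@example.org\n"
    "Subject: agenda\n\nhello\n",
)


def sender_for_check(envelope_sender, raw_message, use_envelope_sender):
    """Pick the address the membership test is run against."""
    if use_envelope_sender and envelope_sender:
        return envelope_sender.strip().lower()
    # Assumed fallback: with no usable envelope sender, use the From: header.
    msg = message_from_string(raw_message)
    return parseaddr(msg.get("From", ""))[1].lower()


def decide(envelope_sender, raw_message, use_envelope_sender, members=MEMBERS):
    """Return 'accept' for a member post, 'hold' for anything else."""
    addr = sender_for_check(envelope_sender, raw_message, use_envelope_sender)
    return "accept" if addr in members else "hold"


if __name__ == "__main__":
    samples = {"spoofed From:": SPOOFED, "rewritten envelope": REWRITTEN}
    for name, (env, raw) in samples.items():
        for flag in (False, True):
            print(name, "| USE_ENVELOPE_SENDER =", flag, "->",
                  decide(env, raw, flag))
```

With the envelope check on, the forged post is held, and so is the genuine member whose envelope sender was rewritten, which is the held-for-approval symptom the comment warns about.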