[Mailman-Users] Re: Virus Just Got Through on TOTALLYMODERATEDlist.

Mark Sapiro msapiro at value.net
Sat Feb 5 22:15:00 CET 2005


Dan Mahoney wrote:

>On Sat, 5 Feb 2005, Jeff Groves wrote:
>
>>> I think the two Received: headers could be enough considering the worm
>>> probably has its own SMTP engine. The way to answer this for sure is
>>> to see if it is in the 'post' log.
>
>Jan 27 22:55:10 2005 (39139) post to vgc-announce from 
>ericgraves at earthlink.net, size=39384, 
>message-id=<qekkbjguqcsiaoconcz at vagrassroots.org>, success
>
>> I agree with Mark and would go even further that it is all you need to know. 
>> The pcp08579508pcs.alxndr01.va.comcast.net address, which is indicative of a 
>> Comcast end-user in Alexandria, Virginia, is plenty to know that the user 
>> that had the address at the particular time (Thu, 27 Jan 2005 21:15:35 -0500 
>> (EST)) was infected with some type of worm.
>
>Jeff, I had already worked out that much.  And it might have trolled the 
>list posting address from an address book or a previous email...but...
>
>1) (This is the question I've been wanting the answer to the whole 
>time)...Why did it not require approval?  When Eric Graves (the same guy, 
>same email address, the list owner and moderator), goes to make a post, it 
>gets held back with a "requires approval".  Up until recently, we took 
>this as a sign that security was as it should be.  Even if someone spoofed 
>the email address, we'd have a chance to catch it.

We clearly don't know the answer to this. Assuming it is in the 'post'
log and thus for sure came from the list and wasn't just spoofed to
look like it came from the list, the only way I know for it to get
through is if it contained an Approved: header or first line with the
list password.

There was some conjecture earlier in this thread about how this might
happen, but it seems highly unlikely and the characteristics of
w32.beagle.ba@mm which you identified in the OP would seem to preclude
it, so I'm at a loss for an explanation.

>2) Why isn't it in the vette log?

Because it wasn't held for approval.

>3) If the worm spoofed all the x-mailman headers and everything, and 
>magically managed to insert itself into the pipermail archives, why are 
>the logs missing?

I forgot you said it was in the archive. Was there an entry in the
'post' log? Was there an entry or entries in the 'smtp' log? If these
are absent, it may be a clue.

As I said before, the information we really need in order to figure
this out would be the post as received by Mailman, not the one sent
out, but there's no way to get this from Mailman after the fact.

--
Mark Sapiro <msapiro at value.net>       The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
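A log cross-check in the spirit of the questions above (which posts show up in the 'post' log as delivered but never appear in the 'vette' log as held), added here as an example and not part of the original thread or of Mailman itself; the line shapes are assumptions modelled on Mailman 2.1's logs/post and logs/vette, and the sample entries are constructed.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample lines (not taken from the thread), in the shape Mailman 2.1
# writes to logs/post and logs/vette. Real logs carry '@', not ' at '.
POST_LOG = """\
Jan 27 22:55:10 2005 (39139) post to vgc-announce from ericgraves@earthlink.net, size=39384, message-id=<worm-1@vagrassroots.org>, success
Jan 28 09:02:41 2005 (39201) post to vgc-announce from ericgraves@earthlink.net, size=2112, message-id=<legit-1@earthlink.net>, success
Jan 28 09:10:07 2005 (39210) post to other-list from someone@example.net, size=900, message-id=<other-1@example.net>, success
"""
VETTE_LOG = """\
Jan 28 08:57:03 2005 (39200) vgc-announce post from ericgraves@earthlink.net held, message-id=<legit-1@earthlink.net>: Post to moderated list
"""

# Assumed formats: "<ts> (<pid>) post to <list> from <sender>, size=N, message-id=<id>, <status>"
# and "<ts> (<pid>) <list> post from <sender> held, message-id=<id>: <reason>".
POST_RE = re.compile(
    r"^\w{3}\s+\d+ [\d:]+ \d{4} \(\d+\) post to (?P<list>\S+) from (?P<sender>\S+), "
    r"size=\d+, message-id=(?P<msgid><[^>]*>), (?P<status>\w+)$"
)
VETTE_RE = re.compile(
    r"^\w{3}\s+\d+ [\d:]+ \d{4} \(\d+\) (?P<list>\S+) post from \S+ held, "
    r"message-id=(?P<msgid><[^>]*>): .*$"
)

def parse_post_log(text: str) -> List[Dict[str, str]]:
    """One dict per parseable post-log line: list, sender, msgid, status."""
    return [m.groupdict() for m in map(POST_RE.match, text.splitlines()) if m]

def held_message_ids(text: str, listname: str) -> Set[str]:
    """Message-IDs the vette log shows were held for approval on this list."""
    return {m["msgid"] for m in map(VETTE_RE.match, text.splitlines())
            if m and m["list"] == listname}

def unheld_posts(post_text: str, vette_text: str, listname: str) -> List[Tuple[str, str]]:
    """Delivered posts with no matching hold entry. On a fully moderated list
    these are the ones that bypassed moderation and deserve a closer look."""
    held = held_message_ids(vette_text, listname)
    return [(p["sender"], p["msgid"]) for p in parse_post_log(post_text)
            if p["list"] == listname and p["status"] == "success"
            and p["msgid"] not in held]

if __name__ == "__main__":
    for sender, msgid in unheld_posts(POST_LOG, VETTE_LOG, "vgc-announce"):
        print(f"delivered without a hold: {sender} {msgid}")
```

Run against the real logs/post and logs/vette files of a list whose every post should be moderated; any hit is a message that was delivered without ever being held.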
