[Mailman-Users] Virus Just Got Through on TOTALLY MODERATED list.

Stephanie stephanie.elsy at gmail.com
Sat Jan 29 09:21:16 CET 2005


On Fri, 28 Jan 2005 20:31:19 -0500 (EST), Dan Mahoney, System Admin
<danm at prime.gushi.org> wrote:
> 
> I just had a small problem.  A virus was just sent to all the list members
> which had spoofed the moderator's email address.  No "requires approval"
> message was sent, despite the fact that everyone (even the moderator) has
> the "mod" bit set to "on".
> 
> http://securityresponse.symantec.com/avcenter/venc/data/w32.beagle.ba@mm.html
> 
> Are there any known and open bugs in 2.1.5 that would allow this behavior?
<snip> 
> Here's the headers:
> 
> Return-Path: <vgc-announce-bounces+varoots=gushi.org at vagrassroots.org>

While that's the address shown in the From field, Beagle puts other
addresses in the Mail From and Envelope From and Mailman's default
config is to also check those fields for email addresses allowed to
post to the list unmoderated and Mailman removes those headers when
repackaging the message to send out to the list members.

I found this out when Beagle.C first appeared almost a year ago.  It
posted with a non-member address on a list that only allowed members
to post.  I.e., Beagle put a non-member address in visible From field
and a member address in Mail-From field.  Mailman checked From field,
not allowed to post as non-member and it checked Mail-From field, that
was a member allowed to post unmoderated and so it accepted the
message and sent it out to the list.  The list stripped attachments so
the virus didn't go thru but I had dozens of people out of the 1,100
members asking where they needed to sign up to continue getting list
mail.

After I found out that Mailman checked more than the visible From
field, I changed the default config to only check the visible From
field so that viruses couldn't sneak thru anymore.

Since you said your list is fully moderated, you need to check to see
if *anyone* is listed in the box for "List of non-member addresses
whose postings should be automatically accepted." (even members - if a
list member is listed in that box, it will override their moderation
bit, I think) in the Sender Filters page and check that *everyone's*
mod bit is set to moderated.  Also set the default for new members to
moderated.

And if you want to, in the mm_cfg.py file, add this line:

# The trailing comma is required: ('from') is a plain string, not a tuple.
SENDER_HEADERS = ('from',)

which will force Mailman to look only at the From field.

-- 
hth,
Stephanie

Links blog: http://alice.ttlg.net/links/
Glenfinnan Web Hosting: http://www.glenfinnan.net/
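
The header-checking behaviour described in the post above, as an added example that is not part of the original post and is not Mailman's own code. It is a simplified model: the function names, the membership set, the header list and the sample message are all constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses

MEMBERS_UNMODERATED = {"member@example.org"}  # constructed membership data

# Constructed message: the visible From is a non-member, while the
# envelope "From " line and the Sender header name a member.
RAW = (
    "From member@example.org Sat Jan 29 09:21:16 2005\n"
    "From: stranger@example.net\n"
    "Sender: member@example.org\n"
    "Subject: test\n"
    "\n"
    "body\n"
)

def candidate_senders(msg, headers):
    """Collect addresses from each configured header; None means the envelope line."""
    found = []
    for h in headers:
        if h is None:
            parts = (msg.get_unixfrom() or "").split()
            if len(parts) > 1:
                found.append(parts[1].lower())
        else:
            values = msg.get_all(h) or []
            found.extend(a.lower() for _, a in getaddresses(values) if a)
    return found

def decision(raw, headers):
    """'accept' if any candidate sender is an unmoderated member, else 'hold'."""
    senders = candidate_senders(message_from_string(raw), headers)
    return "accept" if any(s in MEMBERS_UNMODERATED for s in senders) else "hold"

def check_header_setting(value):
    """Reject a bare string such as ('from'), which iterates as single characters."""
    if isinstance(value, str):
        raise TypeError("header list must be a tuple or list, e.g. ('from',)")
    return tuple(value)

if __name__ == "__main__":
    # Several headers trusted: the member address in the envelope/Sender wins.
    print(decision(RAW, ("from", None, "reply-to", "sender")))
    # Only the visible From trusted: the non-member address is all that is seen.
    print(decision(RAW, check_header_setting(("from",))))
```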


