[Mailman-Users] Virus Just Got Through on TOTALLY MODERATED list.

JC Dill lists05 at equinephotoart.com
Sat Jan 29 17:50:30 CET 2005


Brad Knowles wrote:

> At 10:50 PM -0800 2005-01-28, JC Dill wrote:
>
>>  OK, I'm just speculating here...  what if there's a virus/trojan out that
>>  is able to take email that a user had already sent (email in the "sent"
>>  folder), and resend it with a virus payload (in this case, the beagle.ba
>>  virus above)?  If it grabbed an email that the moderator had sent to the
>>  list with the Approved: password included, and just appended the virus
>>  payload, it would result in what you saw, right?
>
>
>     One flaw in this theory -- the Approved: header gets stripped 
> before the message is posted to the list.  The only way the Approved: 
> header could get captured by the virus would be if the moderator's 
> account is the one that got infected, and the virus pulled the 
> approved message out of the "sent" mailbox of the moderator.


Didn't I say that above?

>     Even then, most moderators work via the web and not via e-mail, so 
> this would be a very low probability of success.


Most moderators use the web to approve email from *others*, but most of 
the ones I know who are responsible for originating content for their 
list use the approved header when they send the content to their list so 
that they don't have to take an additional step of going to the webpage 
to approve the message they just sent.  My speculation is about this 
exact scenario: a moderator who uses the approved header has old email 
with that header in their "sent" box, and a virus/trojan grabbed one of 
those messages and resent it (with the approved header) with the virus 
payload attached.

If it hasn't happened yet, then "yet" is the critical factor.  It's 
going to happen someday...

jc
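
An added example, not part of the original post and not Mailman code: a moderator-side audit that finds sent messages still carrying an Approved: line, so they can be purged from the "sent" folder and the list password changed. The sample messages are constructed, and the check of the first body line is an assumption about how the moderator may have supplied the password.

```python
import email
from email import policy

# Header name taken from the thread above.
HEADER = "Approved"

def first_body_line(msg):
    """Return the first non-blank line of the first text/plain part, or ''."""
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            for line in part.get_content().splitlines():
                if line.strip():
                    return line.strip()
            return ""
    return ""

def find_stored_approvals(raw_messages):
    """Return (index, subject, location) for each message carrying Approved:."""
    hits = []
    for i, raw in enumerate(raw_messages):
        msg = email.message_from_string(raw, policy=policy.default)
        if msg[HEADER] is not None:
            hits.append((i, str(msg["Subject"]), "header"))
        # Assumption: the password may also sit on the first line of the body.
        elif first_body_line(msg).lower().startswith(HEADER.lower() + ":"):
            hits.append((i, str(msg["Subject"]), "body"))
    return hits

# Constructed sample "sent" folder; the password is a placeholder.
SENT = [
    "From: moderator@example.org\nTo: list@example.org\n"
    "Subject: Weekly notes\nApproved: PLACEHOLDER-PASSWORD\n\n"
    "Notes for this week.\n",
    "From: moderator@example.org\nTo: friend@example.net\n"
    "Subject: Lunch\n\nSee you at noon.\n",
    "From: moderator@example.org\nTo: list@example.org\n"
    "Subject: Schedule\n\n\nApproved: PLACEHOLDER-PASSWORD\n"
    "Schedule follows.\n",
]

if __name__ == "__main__":
    # Report only where the line was found, never the password itself.
    for index, subject, where in find_stored_approvals(SENT):
        print(f"message {index} ({subject!r}): Approved: found in {where}")
```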



