[Mailman-Users] Virus Just Got Through on TOTALLY MODERATED list.

Mark Sapiro msapiro at value.net
Sat Jan 29 19:09:51 CET 2005


JC Dill wrote:
>
>Most moderators use the web to approve email from *others*, but most of 
>the ones I know who are responsible for originating content for their 
>list use the approved header when they send the content to their list so 
>that they don't have to take an additional step of going to the webpage 
>to approve the message they just sent.  My speculation is about this 
>exact scenario, a moderator who uses the approved header has old email 
>with that header in their "sent" box, and a virus/trojan grabbed one of 
>those messages and resent it (with the approved header) with the virus 
>payload attached.
>
>If it hasn't happened yet, then "yet" is the critical factor.  It's 
>going to happen someday...

I certainly agree that the above scenario is possible and that someday
it may happen, but it didn't happen in the case reported at the start
of this thread. The OP gave a link to Symantec's description of the
identified worm -
http://securityresponse.symantec.com/avcenter/venc/data/w32.beagle.ba@mm.html

This worm harvests e-mail addresses from many places on a newly
infected computer, but it doesn't use found e-mail as a template for
sending itself out. It creates its own subject and body for the
outgoing mail.

Furthermore, if such a scenario has occurred or did occur in the
future, I suspect it would be just an unlucky accident. While I'm sure
that a clever worm creator could deliberately try to exploit this
potential vulnerability, I don't think the payoff would be sufficient
to justify the attack.

First of all, the attack would rely on a list administrator keeping a
copy of a sent post with the approval in it. Then this administrator
who at least statistically is likely to be much more savvy about
viruses and worms than the typical user would have to receive and
execute the incoming worm on the appropriate hardware/OS platform. And
finally, the list would have to allow executable attachments and not
otherwise block the worm. Then, if all the conditions were met, the
payoff would be another hundred or thousand or so potential
recipients. It just seems to me that the expected increase in the
number of recipients due to deliberately implementing this attack
wouldn't be great enough to bother with.

That's not to say that it couldn't or wouldn't occur by accident. If
there are or will be worms that use e-mail found on a machine as a
template for sending themselves out, I'm sure that eventually this
will happen.

--
Mark Sapiro <msapiro at value.net>       The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
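
Added example, not part of the original post: a defender's audit for the first condition listed above, stored copies of sent posts that still carry the approval. The header names `Approved`/`Approve` and the first-body-line form are assumptions based on Mailman's convention, and the sample messages are constructed.

```python
import email
from email import policy

# Assumed names under which a list password travels (Mailman convention).
APPROVAL_NAMES = ("approved", "approve")


def approval_location(msg):
    """Return 'header', 'body' or None for where an approval line sits."""
    if any(msg[name] is not None for name in APPROVAL_NAMES):
        return "header"
    # Pseudo-header form: first non-blank line of the text/plain body.
    part = msg.get_body(preferencelist=("plain",))
    if part is None:
        return None
    for line in part.get_content().splitlines():
        if line.strip():
            key, sep, _ = line.partition(":")
            return "body" if sep and key.strip().lower() in APPROVAL_NAMES else None
    return None


def audit(raw_messages):
    """Return (subject, location) for each stored message that exposes approval.

    The password value itself is never returned or printed.
    """
    findings = []
    for raw in raw_messages:
        msg = email.message_from_string(raw, policy=policy.default)
        where = approval_location(msg)
        if where:
            findings.append((str(msg["Subject"]), where))
    return findings


# Constructed sample "Sent" folder contents.
SAMPLES = [
    "From: mod@example.org\nSubject: Weekly digest\n"
    "Approved: constructed-secret\n\nHello list.\n",
    "From: mod@example.org\nSubject: Meeting notes\n\n"
    "Approved: constructed-secret\nNotes follow.\n",
    "From: mod@example.org\nSubject: Lunch\n\n"
    "The budget was approved: see you at noon.\n",
]

if __name__ == "__main__":
    for subject, where in audit(SAMPLES):
        print(f"approval found in {where}: {subject!r}")
```

Messages it reports are candidates for deletion from the Sent folder, followed by a change of the list password they contain.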



