[Mailman-Users] Virus Just Got Through on TOTALLY MODERATED list.

JC Dill lists05 at equinephotoart.com
Sat Jan 29 20:11:40 CET 2005


Brad Knowles wrote:

> At 8:50 AM -0800 2005-01-29, JC Dill wrote:
>
>>  Didn't I say that above?
>
>
>     Not that I saw, no.  What I read of your message indicated that 
> the virus had infected a normal user and pulled a message out of their 
> sent folder, which would not have had the Approved: header.


In my first post in this thread I wrote:

>  "what if there's a virus/trojan out that is able to take email that a 
> user had already sent (email in the "sent" folder), and resend it with 
> a virus payload (in this case, the beagle.ba virus above)?  If it 
> grabbed an email that the moderator had sent to the list with the 
> Approved: password included, and just appended the virus payload, it 
> would result in what you saw, right?"


>     Most moderators I know of don't need to use the Approved: header, 
> because they themselves are not moderated on their own lists.  But 
> then maybe you know more moderators than I do.


The ones I know that do this elect to use this method to prevent forged 
posts "from" them to their one-way (newsletter) lists.  If all posts 
must be approved one way or another, then random forged posts (using 
addresses found on a victim's computer) won't get distributed to the 
list.  But if a virus/trojan goes a step further and instead of just 
using addresses found it uses actual previously sent email, and there is 
saved email with the Approved: header, then that virus/trojan would be 
able to forge a post to the list that would have the Approved: header, 
and thus be distributed to the list.

jc
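
The replay scenario discussed in this message, seen from the list operator's side, as an added example that is not part of the original post and is not Mailman code: a pre-distribution check that treats the Approved: header as necessary but not sufficient. The function names, the extension list and the sample messages are constructed, and the replay test assumes the resent copy keeps the original Message-ID, which real malware may not do.

```python
import email
from email import policy
from email.message import EmailMessage

# Constructed extension list for illustration; tune to local policy.
RISKY_EXT = (".exe", ".scr", ".pif", ".com", ".cpl", ".zip")

def hold_reasons(raw, seen_ids):
    """Reasons to hold a message for a human even though it carries Approved:."""
    msg = email.message_from_string(raw, policy=policy.default)
    if msg["Approved"] is None:
        return []  # not pre-approved; ordinary moderation applies
    reasons = []
    mid = str(msg["Message-ID"] or "").strip()
    if not mid:
        reasons.append("no Message-ID")
    elif mid in seen_ids:
        # Assumption: the resent copy keeps the original Message-ID.
        reasons.append("Message-ID already distributed (replay)")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXT):
            reasons.append("attachment: " + name)
    if not reasons:
        seen_ids.add(mid)  # remember only messages that were released
    return reasons

def build(mid, attachment=None, approved=True):
    """Construct a sample post (constructed data, not a captured message)."""
    m = EmailMessage()
    m["From"] = "moderator@example.org"
    m["To"] = "newsletter@example.org"
    m["Message-ID"] = mid
    if approved:
        m["Approved"] = "PLACEHOLDER-PASSWORD"
    m.set_content("January newsletter")
    if attachment:
        m.add_attachment(b"constructed bytes", maintype="application",
                         subtype="octet-stream", filename=attachment)
    return m.as_string()

if __name__ == "__main__":
    seen = set()
    print(hold_reasons(build("<nl-1@example.org>"), seen))
    print(hold_reasons(build("<nl-1@example.org>", "Price.EXE"), seen))
```

The second check matters because a copy with a fresh Message-ID would pass the first: a static password stored in a sent folder authenticates every later copy of that message.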



