[Mailman-Users] Are there any known exploits in 2.1.5 re requestemail address and spamming?

Martin Evans martin.evans at easysoft.com
Mon Sep 22 09:43:37 CEST 2008


Mark Sapiro wrote:
> Martin J. Evans wrote:
> 
>> I've inherited a 2.1.5 mailman. In the last few days we've been 
>> blacklisted by a number of major sites. On further investigation it 
>> looks like our mailman has been compromised in some way. Emails to the 
>> request address are somehow being used to send spam. There are literally 
>> thousands of them. I've stopped the list for now. Obviously 2.1.5 is way 
>> out of date but I've looked at the changes since then and cannot see 
>> something which looks like this issue although a search for mailman 
>> request exploit brings up a number of entries which are not very 
>> detailed. Does anyone know of an exploit in 2.1.5 which allows spam to 
>> be sent via mailman in 2.1.5?
> 
> 
> If I understand correctly what you are saying, spam is being sent to
> the list-request address with a From: header containing an innocent
> 3rd party address. The response from Mailman, which contains the
> original message, is sent to the innocent 3rd party.

Actually that is not the case. It appears spam is sent to the request 
address and it ends up being sent to an innocent 3rd party without any 
mailman text at all. It is difficult for me to diagnose this as my mail 
server has been blacklisted by so many places I've had to disable 
mailman completely. I saw lots of emails coming in to the request 
address and caught some of the identical emails stuck on my outgoing 
mail queue due to failure to send. What happened in between I cannot say 
right now. I don't really want to start mailman up again as we cannot 
afford to be blacklisted since we do most of our business online and 
after a weekend of not spamming people we may get off some of the 
blacklists.

> Current Mailman through 2.1.11 will behave the same. These issues will
> be addressed in 2.2.
> 
> In the meantime, the best solution is effective spam filtering ahead
> of Mailman. Barring that, you can disable the -request and perhaps
> other support addresses and force everyone to use the web for
> subscribing, confirming, etc.
> 

That is a reasonable alternative I'll look into.

Thanks.

Martin
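As an added illustration (not part of this thread and not Mailman's own code), here is a small log check for the pattern Mark describes: a burst of inbound mail to a list's -request address, each message answered by Mailman with a reply that goes back out to the forged sender. The log line format is a constructed simplification and is an assumption, not the real Postfix or Mailman log format.

```python
import re
from collections import defaultdict

# Constructed, simplified log format (an assumption, not the real MTA format):
#   <ISO timestamp> <in|out> from=<addr> to=<addr>
LOG_RE = re.compile(r'^(\S+T\d\d):\d\d:\d\d (in|out) from=<([^>]*)> to=<([^>]*)>$')
REQUEST_RE = re.compile(r'^[^@]+-request@', re.IGNORECASE)

def request_address_stats(lines):
    """Per (list-request address, hour): inbound messages, distinct senders,
    and replies Mailman sent back out from that address (the backscatter)."""
    stats = defaultdict(lambda: {"inbound": 0, "outbound": 0, "senders": set()})
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the expected format
        hour, direction, sender, rcpt = m.groups()
        if direction == "in" and REQUEST_RE.match(rcpt):
            s = stats[(rcpt.lower(), hour)]
            s["inbound"] += 1
            s["senders"].add(sender.lower())
        elif direction == "out" and REQUEST_RE.match(sender):
            stats[(sender.lower(), hour)]["outbound"] += 1
    return stats

def flag_backscatter(lines, max_per_hour=20):
    """Return [(address, hour, inbound, outbound, distinct_senders)] for every
    hour in which a -request address received more than max_per_hour messages,
    i.e. likely spam feeding auto-replies to innocent forged senders."""
    flagged = []
    for (addr, hour), s in sorted(request_address_stats(lines).items()):
        if s["inbound"] > max_per_hour:
            flagged.append((addr, hour, s["inbound"], s["outbound"], len(s["senders"])))
    return flagged

# Constructed sample: one normal request at 08:00, then 25 spam messages in
# the 10:00 hour from 25 different forged senders, each answered by Mailman.
SAMPLE = ["2008-09-19T08:00:01 in from=<alice@example.org> to=<news-request@lists.example.com>",
          "2008-09-19T08:00:02 out from=<news-request@lists.example.com> to=<alice@example.org>"]
for i in range(25):
    SAMPLE.append(f"2008-09-19T10:{i:02d}:00 in from=<victim{i}@example.net> to=<news-request@lists.example.com>")
    SAMPLE.append(f"2008-09-19T10:{i:02d}:01 out from=<news-request@lists.example.com> to=<victim{i}@example.net>")

if __name__ == "__main__":
    for row in flag_backscatter(SAMPLE):
        print(row)
```

A flagged hour where inbound and outbound counts match and nearly every sender is distinct is the signature of the reflected spam Martin saw in his outgoing queue.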

