[Mailman-Users] Targeted attack against German universities using mailman

Julian Kippels kippels at hhu.de
Tue May 9 10:39:41 EDT 2017


On Tue, 09 May 2017 14:17:01 +0200
Sebastian Hagedorn <Hagedorn at uni-koeln.de> wrote:

> Hi,
> 
> --On 9 May 2017 at 14:01:56 +0200 Julian Kippels <kippels at hhu.de>
> wrote:
> 
> > there seems to be a targeted attack against public mailman lists at
> > German universities at the moment. I have heard from 3 separate
> > unis having this problem, Regensburg, Münster and us in Düsseldorf.
> >
> > As far as I can see this attack works like this:
> > A mail with envelope-from www-data at dreadnoughtpc.com and From:-Header
> > "Jennifer Lankford" <esag-theater-owner at uni-duesseldorf.de> is
> > delivered to our list esag-theater at uni-duesseldorf.de
> > This list is configured only to accept mails from members and to
> > hold all other mails for the moderators to inspect.
> > The mail is correctly held to be moderated BUT it is also forwarded
> > to all members with From:-Header "Jennifer Lankford"
> > <real.address.of.owner at uni-duesseldorf.de>
> >
> > I can't see why or how this could work. What am I missing?
> > We are using Mailman 2.1.15  
> 
> we (Cologne University) were also affected. I think you might see two 
> different messages. As far as I can tell the only messages that got
> through to moderated lists were those where the From:-header has an
> unmoderated address for the list.
> 
> The bigger issue is that clearly the admin addresses of all lists
> were scraped from the public listinfo pages. This means that the same
> thing could happen again anytime. :-(
> 
> I have set our most critical lists to emergency moderation, but
> that's not really practical in the long run.
> 
> Sebastian

Hi,

I am pretty confident that these were not two different messages. I
have compared the mail headers of both the mail that was held and the
one that was delivered. Everything apart from the headers mailman adds
is exactly the same. Same timestamps, same message-ids, and so on...

Julian

-- 
---------------------------------------------------------
| | Julian Kippels
| | M.Sc. Informatik
| |
| | Zentrum für Informations- und Medientechnologie
| | Heinrich-Heine-Universität Düsseldorf
| | Universitätsstr. 1
| | Raum 25.41.O1.36
| | 40225 Düsseldorf / Germany
| |
| | Tel: +49-211-811-4920
| | mail: kippels at hhu.de
| | jabber: jukip100 at xmpp.hhu.de
---------------------------------------------------------
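
A check for the pattern reported in this thread (an external envelope sender combined with a From: header naming the list's own -owner address), as an added example that is not part of the original messages. The domains, addresses and the function name `spoofed_role_sender` are constructed for illustration, and the envelope sender is assumed to be supplied by the MTA (for example from its logs or the Return-Path header).

```python
from email import message_from_string
from email.utils import parseaddr

# Assumption: the domain this site hosts its lists under (constructed).
LOCAL_DOMAINS = {"lists.example.edu"}
# Mailman 2.1 role addresses are <listname> plus one of these suffixes.
ROLE_SUFFIXES = ("-owner", "-admin", "-bounces", "-request")


def spoofed_role_sender(raw_message, envelope_from):
    """Return a reason string when From: names one of our list role
    addresses but the SMTP envelope sender is outside our domains."""
    msg = message_from_string(raw_message)
    _, from_addr = parseaddr(msg.get("From", ""))
    local, _, domain = from_addr.lower().rpartition("@")
    if domain not in LOCAL_DOMAINS or not local.endswith(ROLE_SUFFIXES):
        return None  # From: is not a list role address of ours
    env_domain = envelope_from.strip("<>").rpartition("@")[2].lower()
    if env_domain in LOCAL_DOMAINS:
        return None  # generated locally, e.g. by Mailman itself
    return (f"From: {from_addr} is a local list role address, "
            f"envelope sender is {envelope_from or '<>'}")


# Constructed sample messages (not taken from the incident).
SPOOFED = """\
From: "Some Name" <demo-list-owner@lists.example.edu>
To: demo-list@lists.example.edu
Subject: constructed sample

body
"""
MEMBER_POST = """\
From: Member <member@staff.example.edu>
To: demo-list@lists.example.edu
Subject: constructed sample

body
"""

if __name__ == "__main__":
    for raw, env in ((SPOOFED, "www-data@sender.example.net"),
                     (MEMBER_POST, "member@staff.example.edu")):
        print(spoofed_role_sender(raw, env) or "ok")
```

A null envelope sender (`<>`) paired with a role-address From: is flagged as well, so bounce traffic may need its own exception.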


