Email viruses tend to read address books of email recipients, and
send themselves to every address in the list. Apparently, somebody
on your list was using the listname-outgoing address to talk to
your list rather than listname, which is how the virus found the
-outgoing address to begin with. This is also what spammers have
done for a long time. This is not a majordomo issue, but does
tend to reveal itself when majordomo is used. Any alias pointing
to an :include: file on the RHS has this same weakness. You can
stop external users, spammers, and email viruses from reaching the
weak alias by enabling and using the virtusertable in sendmail.

In your sendmail.mc add

    FEATURE(`virtusertable',`hash -o /etc/mail/virtusertable')dnl

and rebuild your sendmail.cf with

    m4 /etc/mail/sendmail.mc > /etc/sendmail.cf

(actual locations in the command above need to match your server)

Secondly, hide the -outgoing address by using something less easy
to guess, like listname-20011122 or listname-delivery. Then add
this address to your virtusertable to prevent outsiders from
writing to it, even if it is found.

In /etc/mail/virtusertable add

    email@example.com error:nouser User unknown

Any time you make a change to this file, you will also need to
rebuild the binary database associated with the file.

    makemap hash -o /etc/mail/virtusertable < /etc/mail/virtusertable

(Solaris uses dbm rather than hash)

Thirdly, prevent sendmail from disclosing the weak alias via the
"Received:" headers of the messages. Sendmail will not expand
or disclose the LHS of an alias if the RHS is to multiple recipients.
Create (if it does not already exist) a "nobody:" alias that gets
redirected to /dev/null.
Use this nobody: alias as a second recipient on the RHS of list
aliases along with their normal deliver address. Following the

    listname: "|/pathto/majordomo/wrapper resend -l listname listname-20011122,nobody"

Ezra Bick wrote:
> We run about 20 majordomo lists reaching 16,000 subscribers.
> Lately there has been a virus on some users' computers, which
> automatically sends itself in reply to any mail received.
> Hence, it was being sent to the list by infected subscribers.
> I changed all lists to moderated with approval required, so the virus
> messages were bounced to the moderator (and deleted).
> BUT - the virus has taken to sending itself to <list-outgoing>, which
> then resends to the whole list and effectively avoids all restrictions
> found in the list configuration file.
> This seems to be a rather large hole, which could be used by spammers as
> well as viruses. By simply adding -outgoing to the name of a list, anyone
> can send anything to any list.
> What can be done?
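
Added example, not part of the original message: a shell/awk check that reads an aliases file and the virtusertable source and reports list aliases that still lack the two protections described in the reply (an error:nouser entry for the :include: alias, and a second recipient on the resend line). The function name, the one-alias-per-line layout, the sample aliases and the domain lists.example.org are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not from the original message). Audits the two mitigations
# described above. Assumes one alias per line, no continuation lines.
# Usage: audit_list_aliases ALIASES_FILE VIRTUSERTABLE_SOURCE MAIL_DOMAIN
audit_list_aliases() {
    awk -v domain="$3" '
        /^[ \t]*#/ || NF == 0 { next }              # skip comments and blanks
        FILENAME == ARGV[1] {                       # first file: virtusertable
            if ($2 ~ /^error:nouser/) blocked[tolower($1)] = 1
            next
        }
        { name = $0; sub(/:.*/, "", name); gsub(/[ \t]/, "", name) }
        /wrapper resend/ {                          # list alias: wants 2+ recipients
            dest = $NF; gsub(/"/, "", dest)
            if (index(dest, ",") == 0) print "single-recipient " name
        }
        /:include:/ {                               # delivery alias: must be blocked
            key = tolower(name "@" domain)
            if (!(key in blocked)) print "unblocked " name
        }
    ' "$2" "$1"
}

# Constructed sample data: "announce" follows the advice, "chat" does not.
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/aliases" <<'EOF'
nobody: /dev/null
announce: "|/pathto/majordomo/wrapper resend -l announce announce-20011122,nobody"
announce-20011122: :include:/pathto/lists/announce
chat: "|/pathto/majordomo/wrapper resend -l chat chat-outgoing"
chat-outgoing: :include:/pathto/lists/chat
EOF
    cat > "$dir/virtusertable" <<'EOF'
# address                              action
announce-20011122@lists.example.org    error:nouser User unknown
EOF
    audit_list_aliases "$dir/aliases" "$dir/virtusertable" lists.example.org
    rm -rf "$dir"
}

demo
```

Each output line names an alias and the protection it is missing; an empty result means every :include: alias is blocked and every resend line has more than one recipient.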