We used this to fix the 'which @' bug...it's worked for us.
Majordomo Mailing List Address Exposure
Majordomo (all versions)
Under the default configuration of Majordomo, a remote attacker can
extract all the addresses on Majordomo mailing lists by sending a
simple query to the daemon. Spammers can use this method to obtain
large email address lists associated with specific interest groups.
Risk: Remote attackers can extract mailing lists from Majordomo servers.
Majordomo is a popular open source mailing list manager for Unix that
has been widely used since its introduction in 1992. The vulnerability
is present in Majordomo's default configuration.
Ease of Exploitation: Trivial.
An attacker only needs to send the command "which" with an argument
"@" to a listening daemon (via email) and the daemon will return all
subscribed email addresses containing an "@" character (matches all
addresses). The attacker does not need to be a list member to execute
Status: Vendor confirmed. The simplest solution is to change the
configuration settings. A patch for Majordomo 1.94.5 is included in
the advisory. The vendor has also released a new version of Majordomo 2
(alpha) that protects the mailing list information by default.
Advisory by Marco van Berkum:
Vendor Web Site:
Tutorial on Sending Commands to Majordomo:
Original 1992 Usenix paper by D. Brent Chapman on Majordomo:
Council Site Actions:
The affected software is in use at two of the council sites.
The first site has already changed its majordomo configuration.
The second site has a small number of machines running the software,
all of which are supported by individual departments. They feel the
risk is low enough to not warrant action at this time. They believe
individual departments will update the software on their own.
----- End forwarded message -----
George Booth G.Booth@usm.edu
Systems Analyst II email@example.com
Majordomo Admin firstname.lastname@example.org
Office of Technology Resources http://ocean.st.usm.edu/~ghbooth
University of Southern Mississippi
ex phantasma veritas...
in illusion, truth...