Subject: Re: Security hole
From: John Sechrest <sechrest @ peak . org>
Date: Wed, 31 Mar 2004 07:11:10 -0800
To: mp @ gtt-technologies . de
Cc: majordomo-users @ greatcircle . com
In-reply-to: Your message of Wed, 31 Mar 2004 15:21:49 +0200. <406AE20D.12965.E90878@localhost>

If one of the members of the mailing list has a virus, and the mailing list
is configured to only allow posting from members of the list, then the virus
has full access to send mail to the list and have it be accepted and

However, this is not a problem for majordomo. This is a problem for
the mail systems on both the client machines and the server that
has majordomo on it.

If the client had virus protection systems in place, they would not
get the virus. 

If the server that had majordomo on it had sendmail + milter + clamd + spamassassin
on it, then it would not transmit the virus.

To be even more filtering, you can put sendmail filters to block executables.
Or if you are list owner, you can create taboo descriptions which block
executable attachments. 

So I believe that the tools that are needed exist and that they are not
part of majordomo, but part of the underlying mail system.

writes:

 % Hi!
 % I just subscribed to the list, so please excuse if I don't reply to the appropriate posting 
 % directly.
 % We had the same problems on Monday as described by "MajorDomo Administrator, 
 % MSER:EX". A virus infected one of our customers' computers (probably) and found there 
 % the address to directly send messages to all list subscribers.
 % Actually the problem is not so easy to solve as described by John Sechrest, because he 
 % seems to assume a person, who deliberately forges a mail address to directly access the 
 % list. But this is not how the viruses (especially the recent "NetSky"-family) work.
 % In our case, my colleague as the list owner sent a newsletter mail to 
 % This address is protected by the Majordomo, so that only he as the list-owner is able to 
 % send any message. The Majordomo itself now sends the message to the automatically 
 % produced address (that's what already was talked about here). This 
 % one is not protected and accepts any requests to send mail to the list. But xxx-News-
 % does appear in the header of each mail sent to the subscribers (check the 
 % raw view of your mails, if you don't believe me). Now the NetSky virus scans all files on 
 % the infected computer for anything resembling an email address. By this he was able to 
 % find the above mentioned unprotected mailing list address in an archived E-Mail. The 
 % virus doesn't think about it. It doesn't forge an address nor does it have to. It simply tries 
 % what it finds!
 % Now John Sechrest's way to configure the list might work, if the arbitrary code addition 
 % would be unique for any mail sent, and thus the list-address would be unique. But it 
 % seems to me, that he only suggests a coded addition for a permanent address. And this 
 % won't work with a virus raving in the guts of a computer.
 % So the virus is able to bypass the majordomo and send itself via the mailing list, or mask 
 % itself as a message from the list, so that servers, that kill the virus, notify this to the list 
 % address, which in turn sends the notification to all subscribers. The effect is chaos (even if 
 % there are no more computers infected; I experienced that on Monday)! 
 % This is not the way it should be! Majordomo should protect all aspects regarding sending 
 % messages to the list subscribers and this means also protecting the aliases, if the list-
 % owner wishes.
 % I think, a patch is needed, which extends the responsibility of the majordomo.
 % Hit me, bite me, call me by unholy names, but THIS IS A SECURITY HOLE!
 % Best regards 
 % Matthias Paetzold 

John Sechrest          .         Helping people use
                        .           computers and the Internet
                          .            more effectively
                                 .       Internet:
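
Added example, not part of the original message and not Majordomo, sendmail or milter code: a Python sketch of the kind of executable-attachment check the reply mentions, applied to a list posting before it is forwarded. The extension and content-type lists, the function names and both sample messages are assumptions constructed for illustration.

```python
import email
import os
from email import policy

# Assumed block lists; a real deployment would set these from local policy.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs"}
BLOCKED_TYPES = {"application/x-msdownload", "application/x-msdos-program"}

def blocked_attachments(raw):
    """Return (filename, content_type) for every part that looks executable."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no payload of their own
        # get_filename() also falls back to the Content-Type "name" parameter.
        name = (part.get_filename() or "").strip().rstrip(". ")
        # Only the final extension counts, so "document.txt.pif" is caught.
        ext = os.path.splitext(name.lower())[1]
        ctype = part.get_content_type()
        if ext in BLOCKED_EXTENSIONS or ctype in BLOCKED_TYPES:
            hits.append((name, ctype))
    return hits

def should_hold(raw):
    """True if the posting should be held instead of sent to subscribers."""
    return bool(blocked_attachments(raw))

# Constructed sample: a posting with a double-extension attachment.
SAMPLE = b"""\
From: member@example.org
To: list@example.org
Subject: Re: your document
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please see the attached file.
--b1
Content-Type: application/octet-stream; name="document.txt.pif"
Content-Transfer-Encoding: base64

Y29uc3RydWN0ZWQ=
--b1--
"""

# Constructed sample: an ordinary text-only posting.
CLEAN = b"From: member@example.org\nSubject: hello\n\nPlain text only.\n"
```

The check looks only at declared names and types, so it complements a content scanner such as clamd and does not replace it.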

