Virus posts to moderated lists

Bug #266042 reported by Knighted
Affects      Status  Importance  Assigned to  Milestone
GNU Mailman  New     Medium      Unassigned

Bug Description

The W32.Beagle virus has been able to post multiple
times to a moderated Mailman 2.1.3 mailing list, so
emergency moderation of the list has been enabled.
At least two other people, as reported on
mailman-users, have had this trouble since last
Friday, March 5th, when W32.Beagle was spreading.

The virus was posting using a moderator address, so
that moderator was removed. The moderator bit is
and was turned on for all users, including the now
*sole* moderator. I can send the mbox archive
headers to anybody who is interested.

Mail: ted <at> ire.org
--Ted

[http://sourceforge.net/tracker/index.php?func=detail&aid=914249&group_id=103&atid=100103]

Karres (karres) wrote :

More generally we have only moderated, read-only lists for
our users. All incoming, non-member messages should be
discarded. We are seeing a few virus laden messages from
obvious non-members getting past the non-member filters.

Karres (karres) wrote :

... sorry, hit the submit button too soon...

The non-member messages that get past the non-member filter
are being caught by the forced moderation so the messages
are not getting to the list itself. It does make us nervous
though.

Nes49 (nes49) wrote :

As one of the other people reporting the problem, let me add
a bit of info on our experience.

Mailman 2.1.1

My hypothesis now is that one of the people who could post
without moderation released the virus. [I haven't been able to
get definitive confirmation of that, but coupling "we were
having some trouble" with a match on the ISP domain name
leads me to that guess.] I haven't been able to tie the
messages to a specific address subscribed to the list, but
would be glad to probe further if given some direction.

We haven't seen any additional occurrences since turning on
moderation for all users.

Between the first and second attack, I changed the
passwords for the affected lists thinking that an Approved:
header might have been used, but there's no evidence that
was the case.

-Nancy
mailman <at> sgtst.com

Cepstein (cepstein) wrote :

The virus is making it through to the lists by using an
"envelope-from" (I believe that is the right term) of a valid,
subscribed list member, but a From: header which is some
address that does not exist and is not a member of the list
(usually admin@ or management@ the mailing list's domain).

See for example the message at
http://bklyn.org/~cae/mailman-stumper.txt

This message appears first in the MTA's logs as:

2004-03-11 16:31:44 1B1T5z-0009zY-00 <=
<email address hidden> H=(srr2) [192.168.100.17] P=smtp
S=17730 <email address hidden> from
<email address hidden> for <email address hidden>

where <email address hidden> is a valid list subscriber with
posting privileges.
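
The mismatch described in the comment above, as an added example that is not part of the original thread and is not Mailman's code: a simplified model in which a membership check accepts a post when any sender identity (envelope sender, From: or Sender:) is a subscriber, next to a check that looks only at the From: header. The addresses, the member list and the function names are constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses

MEMBERS = {"alice@example.org"}          # constructed subscriber list
# Constructed message: From: is a non-member role address at the list domain.
RAW = (
    "From: management@lists.example.org\n"
    "To: announce@lists.example.org\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)

def header_addrs(msg, name):
    """Lower-cased addresses from every instance of one header."""
    return [a.lower() for _, a in getaddresses(msg.get_all(name, [])) if a]

def permissive_check(msg, envelope_from, members):
    """Weak model: any sender identity that is a member lets the post in."""
    candidates = [envelope_from.lower()]
    candidates += header_addrs(msg, "From") + header_addrs(msg, "Sender")
    return any(c in members for c in candidates)

def strict_check(msg, members):
    """Only the visible From: header counts, and all of it must be members."""
    from_addrs = header_addrs(msg, "From")
    return bool(from_addrs) and all(a in members for a in from_addrs)

def classify(raw, envelope_from, members=MEMBERS):
    """'accept', 'hold' (identities disagree) or 'nonmember'."""
    msg = message_from_string(raw)
    if strict_check(msg, members):
        return "accept"
    if permissive_check(msg, envelope_from, members):
        return "hold"
    return "nonmember"

if __name__ == "__main__":
    print(classify(RAW, "alice@example.org"))    # forged From:, member envelope
    print(classify(RAW, "mallory@example.net"))  # no member identity at all
```

A "hold" result marks the case from the thread: the envelope sender is a subscriber but the author shown in From: is not, so the post is routed to moderation instead of being delivered.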

Sekhar-cu (sekhar-cu) wrote :

I don't know if this is the same bug, but a Mailman 2.1.3
members-only list that I administer had two messages that
got through, one from staff@<listdomain> and the other from
management@<listdomain>. Other messages at the same time
from official-sounding id's on our domain got held up as
being from nonmembers.

Sekhar

Joe Pimentel (joe-b-pimentel) wrote :

As a team owner I had received lots of messages to be moderated.

The launchpad shows as if the message's author was our own team.
At the moderation page the messages seem to come from other authors (ex.: "Approved VIAGRA** Store").

I think it would be good to have a filter for spam messages as it would save a lot of time at moderate tasks.
