LSTOWN-L Archives

LISTSERV List Owners' Forum

Paul Russell <[log in to unmask]>
Mon, 4 Mar 2002 17:27:43 -0500
The following message was posted to the UNISOG list and is reposted here
with the express permission of the author. The message specifically refers
to majordomo lists; however, the vulnerability is not product-specific. Any
list, hosted on any mailing list management product, can become a vector for
the spread of an email-borne virus, if the list owner does not take
appropriate precautions to prevent such incidents.

One way to reduce the likelihood that your list will become a vector for
the distribution of an email-borne virus is to implement confirmation on
posting, i.e., require an explicit confirmation from the apparent sender of
a message before that message is posted to the list. This is independent of
any type of moderation that may be in effect on the list.

To implement confirmation on posting on your list, simply add the "confirm"
operand to the "send=" statement.

Examples:
        * Send= Editor,Confirm
        * Send= Editor,Hold,Confirm
        * Send= Private,Confirm
        * Send= Public,Confirm
        * Send= Service,Confirm

See http://www.lsoft.com/manuals/1.8d/owner/appendb.html#keySend for
additional information about the "Send=" keyword statement.

UNISOG list archives: http://www.theorygroup.com/Archive/Unisog/

--
Paul Russell
Senior System Administrator
University of Notre Dame

> ----------------------------------------------------------------------
>
> Subject: New variant of Hybris (?) infecting majordomo closed lists
> Date: 26 Feb 2002 10:23:56 +1300
> From: Russell Fulton <[log in to unmask]>
> To: [log in to unmask]
>
> Hi All,
>         I don't know if this is old hat, but we have not struck this before.
> Heads up just in case.
>
> The academic year starts next week and we are increasingly reliant on
> large mailing lists to communicate with students and, of course, now is
> the peak time for these lists to be used. Over the last few days we have
> had three cases where HYBRIS managed to infect closed majordomo lists
> (lists are set up so only a few addresses can post to them).
>
> HYBRIS infects winsock.dll and snoops network traffic; it would appear
> that there is a variant that is smart enough to recognise mail from a
> list and to send itself back to the list with the address of the
> original sender thus avoiding the list closure. Or maybe this is normal
> HYBRIS behaviour and we have just been lucky until now.
>
> We are now making all our closed lists moderated and are looking at
> replacing majordomo with mailman as it appears to offer better control.
>
> --
> Russell Fulton, Computer and Network Security Officer
> The University of Auckland,  New Zealand
>
> ----------------------------------------------------------------------
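
A minimal model of the confirm-on-post behaviour described in the message above, added here as an illustration: it is not LISTSERV or majordomo code, and the class name, addresses and message text are constructed for the example. It shows why a check on the From: header alone lets a forged post through, while a confirmation cookie sent to the apparent sender's mailbox keeps the post held.

```python
import secrets
from email import message_from_string
from email.utils import parseaddr


class ConfirmingList:
    """Toy closed list with confirm-on-post (hypothetical model, not LISTSERV code)."""

    def __init__(self, allowed_posters):
        self.allowed = {a.lower() for a in allowed_posters}
        self.pending = {}      # cookie -> held raw message
        self.outbox = []       # (recipient, cookie) confirmation requests sent
        self.distributed = []  # messages released to subscribers

    def submit(self, raw):
        """Check the From: header, then hold the post until it is confirmed."""
        sender = parseaddr(message_from_string(raw)["From"] or "")[1].lower()
        if sender not in self.allowed:
            return "rejected"
        cookie = secrets.token_hex(8)  # unguessable, one per held message
        self.pending[cookie] = raw
        # The request goes to the mailbox of the apparent sender, so only
        # someone who reads that mailbox learns the cookie.
        self.outbox.append((sender, cookie))
        return "held"

    def confirm(self, cookie):
        """Release a held post only when a valid cookie comes back."""
        raw = self.pending.pop(cookie, None)
        if raw is None:
            return False
        self.distributed.append(raw)
        return True


def demo():
    lst = ConfirmingList(["dean@example.edu"])
    # Constructed messages: both carry the authorised poster's address in From:.
    forged = "From: Dean <dean@example.edu>\nSubject: notes\n\n(unexpected attachment)\n"
    genuine = "From: Dean <dean@example.edu>\nSubject: Welcome\n\nTerm starts Monday.\n"
    lst.submit(forged)            # passes the header check, but is only held
    lst.submit(genuine)
    _, genuine_cookie = lst.outbox[1]
    lst.confirm(genuine_cookie)   # the real poster confirms only their own post
    return lst


if __name__ == "__main__":
    print(len(demo().distributed), "message(s) distributed")
```

The protection depends on the person who owns the address declining to confirm a message they did not write.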
