The following message was posted to the UNISOG list and is reposted here with the express permission of the author. The message specifically refers to majordomo lists; however, the vulnerability is not product-specific. Any list, hosted on any mailing list management product, can become a vector for the spread of an email-borne virus, if the list owner does not take appropriate precautions to prevent such incidents.

One way to reduce the likelihood that your list will become a vector for the distribution of an email-borne virus is to implement confirmation on posting, i.e., require an explicit confirmation from the apparent sender of a message before that message is posted to the list. This is independent of any type of moderation that may be in effect on the list.

To implement confirmation on posting on your list, simply add the "confirm" operand to the "send=" statement. Examples:

    * Send= Editor,Confirm
    * Send= Editor,Hold,Confirm
    * Send= Private,Confirm
    * Send= Public,Confirm
    * Send= Service,Confirm

See http://www.lsoft.com/manuals/1.8d/owner/appendb.html#keySend for additional information about the "Send=" keyword statement.

UNISOG list archives: http://www.theorygroup.com/Archive/Unisog/

--
Paul Russell
Senior System Administrator
University of Notre Dame

> ----------------------------------------------------------------------
>
> Subject: New variant of Hybris (?) infecting majordomo closed lists
> Date: 26 Feb 2002 10:23:56 +1300
> From: Russell Fulton <[log in to unmask]>
> To: [log in to unmask]
>
> Hi All,
> I don't know if this is old hat, but we have not struck this before.
> Heads up just in case.
>
> The academic year starts next week and we are increasingly reliant on
> large mailing lists to communicate with students and, of course now is
> the peak time for these lists to be used. Over the last few days we have
> had three cases where HYBRIS managed to infect closed majordomo lists
> (lists are set up so only a few addresses can post to them).
>
> HYBRIS infects winsock.dll and snoops network traffic, it would appear
> that there is a variant that is smart enough to recognise mail from a
> list and to send itself back to the list with the address of the
> original sender thus avoiding the list closure. Or maybe this is normal
> HYBRIS behaviour and we have just been lucky until now.
>
> We are now making all our closed lists moderated and are looking at
> replacing majordomo with mailman as it appears to offer better control.
>
> --
> Russell Fulton, Computer and Network Security Officer
> The University of Auckland, New Zealand
>
> ----------------------------------------------------------------------
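
An added example, not part of the original post and not LISTSERV's own tooling: a small audit that reads list header text and flags lists whose "Send=" statement lacks the "Confirm" operand described above. The list names and header text are constructed sample data, and the parser assumes header lines begin with "*" and may carry several keywords on one line.

```python
import re

# Constructed sample list headers (not from the original post). Header lines
# start with "*"; several "Keyword= value" pairs on one line are assumed legal.
SAMPLE_HEADERS = {
    "CLASS-ANNOUNCE": """\
* Class announcements
* Send= Editor,Hold,Confirm
""",
    "STAFF-L": """\
* Staff discussion
* Subscription= By_Owner   send= Private
""",
    "OLD-LIST": """\
* Legacy list without a posting policy
* Subscription= Open
""",
}

# A keyword is a word followed by "="; its value runs to the next keyword or end of line.
KEYWORD_RE = re.compile(r"([A-Za-z][\w-]*)=\s*(.*?)(?=\s+[A-Za-z][\w-]*=|\s*$)")

def send_operands(header_text):
    """Return the lowercased operands of Send=, or None if the statement is absent."""
    operands = None
    for line in header_text.splitlines():
        if not line.startswith("*"):
            continue  # not a list header line
        for keyword, value in KEYWORD_RE.findall(line[1:]):
            if keyword.lower() == "send":
                operands = [v.strip().lower() for v in value.split(",") if v.strip()]
    return operands


def audit(headers):
    """Map each list name to 'ok', 'no-confirm' or 'no-send-statement'."""
    report = {}
    for name, text in headers.items():
        ops = send_operands(text)
        if ops is None:
            report[name] = "no-send-statement"
        else:
            report[name] = "ok" if "confirm" in ops else "no-confirm"
    return report


if __name__ == "__main__":
    for list_name, status in audit(SAMPLE_HEADERS).items():
        print(f"{list_name}: {status}")
```

Lists reported as "no-confirm" or "no-send-statement" are the ones to review against the "Send=" documentation linked above.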