On Thu, 3 Feb 2005, David M.Besonen wrote:

I just had a small problem.  A virus was just sent to all the list members
which had spoofed the moderator's email address.  No "requires approval"
message was sent, despite the fact that everyone (even the moderator) has
the "mod" bit set to "on".

so what happened Dan? 15 people have replied to your post. i'm waiting to hear if you discovered anything. did you check the vette log?

I saw a lot of people saying "this is why I strip attachments". I saw Stephanie's (very helpful) post, but when I checked the box she referenced I found it empty, as I expected. I found that even the list owner's mod bit (who the virus spoofed) was set, and the list owner in turn scanned his own machine for virii right after this got out. Nada.


I checked the vette log. The message isn't even in there. Some of the auto-replies to it are (i.e. "message rejected, it's a virus"). And the message shows in the pipermail archives.

In the end, this group I'm working with has had a lot of unsubscribes as a result of this, and are switching to a different system that I'm not hosting, so I'm a bit apathetic about the whole deal. I'm still sure there's something I'm missing, and if someone wanted to try and give me a clue as to how this happened, I've saved that day's sendmail logs, and I've got all the following:

Here's the message in the archives:

http://lists.vagrassroots.org/pipermail/vgc-announce/2005q1/000038.html

Here's a snippet of that day's vette log:

Jan 26 21:26:54 2005 (39137) Vgc-announce post from [EMAIL PROTECTED] held, message-id=<01a901c50416$42a15c70$a3bafea9@micronxp>: Message has implicit destination
Jan 26 21:28:58 2005 (3682) held message approved, message-id: <[EMAIL PROTECTED]>
Jan 26 21:28:58 2005 (3682) vgc-announce: Discarded posting:
From: [EMAIL PROTECTED]
Subject: Fwd: FW: Media Advisory
Reason: No reason given
Jan 27 23:12:05 2005 (39137) Vgc-announce post from [EMAIL PROTECTED] held, message-id=<05b001c504ef$a199e740$6b0[EMAIL PROTECTED]>: Post to moderated list
Jan 27 23:25:36 2005 (39137) Vgc-announce post from [EMAIL PROTECTED] held, message-id=<010901c504ef$fe21a5c0$a3bafea9@micronxp>: Post to moderated list
Jan 27 23:27:42 2005 (39495) held message approved, message-id: <[EMAIL PROTECTED]>
Jan 27 23:27:43 2005 (39495) vgc-announce: Refused posting:
From: [EMAIL PROTECTED]
Subject: Reply: virus in your message from: [Virginia Grassroots Coalition] Delivery by mail
Reason: No reason given
Jan 28 08:46:48 2005 (39137) Vgc-announce post from [EMAIL PROTECTED] held, message-id=<[EMAIL PROTECTED]org>: Post by non-member to a members-only list
Jan 28 08:53:02 2005 (99241) vgc-announce: Discarded posting:
From: [EMAIL PROTECTED]
Subject: Delivery service mail
Reason: No reason given


Here's the full headers of the thing:

Return-Path: <[EMAIL PROTECTED]>
Received: from prime.gushi.org (localhost [IPv6:::1])
    by prime.gushi.org (8.13.1/8.13.1) with ESMTP id j0S2GH5b080701
    for <[EMAIL PROTECTED]>; Thu, 27 Jan 2005 22:50:56 -0500 (EST)
Received: from ROBERTA.net (pcp08579508pcs.alxndr01.va.comcast.net
    [68.83.208.54])
    by prime.gushi.org (8.13.1/8.13.1) with SMTP id j0S2FV8o080233
    for <[EMAIL PROTECTED]>;
    Thu, 27 Jan 2005 21:15:35 -0500 (EST)
Date: Thu, 27 Jan 2005 21:05:09 -0500
From: "Ericgraves" <[EMAIL PROTECTED]>
Message-ID: <[EMAIL PROTECTED]>
MIME-Version: 1.0
X-Security: MIME headers sanitized on prime.gushi.org
    See http://www.impsec.org/email-tools/sanitizer-intro.html
    for details. $Revision: 1.139 $Date: 2003-09-07 10:14:23-07
X-Security: The postmaster has not enabled quarantine of poisoned messages.
Content-Type: multipart/mixed; boundary="--------qptymaiwwlishntudcfk"
Subject: [Virginia Grassroots Coalition] Delivery by mail
X-BeenThere: [EMAIL PROTECTED]
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: [EMAIL PROTECTED]
Cc: Virginia Grassroots Coalition Broadcast <[EMAIL PROTECTED]>
List-Id: Virginia Grassroots Coalition Broadcast
    <vgc-announce.vagrassroots.org>
List-Unsubscribe: <http://lists.vagrassroots.org/mailman/listinfo/vgc-announce>,
    <mailto:[EMAIL PROTECTED]>
List-Archive: <http://lists.vagrassroots.org/pipermail/vgc-announce>
List-Help: <mailto:[EMAIL PROTECTED]>
List-Subscribe: <http://lists.vagrassroots.org/mailman/listinfo/vgc-announce>,
    <mailto:[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Sender: [EMAIL PROTECTED]
Errors-To: [EMAIL PROTECTED]
X-Envelope-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 3.0.2 (2004-11-16) on prime.gushi.org
X-Spam-Status: No, score=2.7 required=5.0 tests=BAYES_00,HTML_50_60,
    HTML_MESSAGE,HTML_SHORT_LENGTH,MSGID_SPAM_LETTERS,RCVD_IN_NJABL_DUL,
    RCVD_IN_SORBS_DUL autolearn=no version=3.0.2
X-Spam-Level: **
P






ciao, david

------------------------------------------------------
Mailman-Users mailing list
Mailman-Users@python.org
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/


--

I am now a lesbian.  I don't like men, but thank you for writing.

-Reply to my response to a personal ad, May 30th, 1998.


--------Dan Mahoney-------- Techie, Sysadmin, WebGeek Gushi on efnet/undernet IRC ICQ: 13735144 AIM: LarpGM Site: http://www.gushi.org ---------------------------
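
The cross-check this message describes (a post that shows in the pipermail archives but has no entry in the vette log), written out as an added example; it is not code from this thread or from Mailman. The sample log follows the layout of the vette snippet quoted above, and every address and message-id in it is constructed, since the originals are redacted on the page.

```python
import re

# Constructed sample in the vette-log layout quoted in the message above;
# addresses and message-ids are made up (the originals are redacted).
SAMPLE_VETTE = """\
Jan 27 23:12:05 2005 (39137) Vgc-announce post from alice@example.org held, message-id=<aaa111@example.org>: Post to moderated list
Jan 27 23:25:36 2005 (39137) Vgc-announce post from bob@example.org held, message-id=<bbb222@example.org>: Post to moderated list
Jan 27 23:27:42 2005 (39495) held message approved, message-id: <bbb222@example.org>
Jan 27 23:27:43 2005 (39495) vgc-announce: Refused posting:
From: alice@example.org
Subject: Reply: virus in your message
Reason: No reason given
"""

HELD = re.compile(r"\(\d+\) (\S+) post from (\S+) held, message-id=(<[^>]+>): (.*)$")
APPROVED = re.compile(r"\(\d+\) held message approved, message-id: (<[^>]+>)")

def parse_vette(text):
    """Return {message-id: {"sender", "reason", "approved"}} for held posts."""
    held = {}
    for line in text.splitlines():
        m = HELD.search(line)
        if m:
            held[m.group(3)] = {"sender": m.group(2), "reason": m.group(4),
                                "approved": False}
            continue
        m = APPROVED.search(line)
        if m and m.group(1) in held:
            held[m.group(1)]["approved"] = True
    return held

def audit_delivered(vette_text, delivered_ids):
    """Classify each delivered Message-ID against the moderation record."""
    held = parse_vette(vette_text)
    report = {}
    for mid in delivered_ids:
        if mid not in held:
            report[mid] = "never held"          # reached the list unmoderated
        elif held[mid]["approved"]:
            report[mid] = "held, approved"
        else:
            report[mid] = "held, not approved"  # delivered with no approval entry
    return report

if __name__ == "__main__":
    # Message-IDs as they would be read from the list archive (constructed).
    delivered = ["<bbb222@example.org>", "<zzz999@example.net>"]
    for mid, status in audit_delivered(SAMPLE_VETTE, delivered).items():
        print(mid, "->", status)
```

On a list where every member has the mod bit set, each archived Message-ID should come back "held, approved"; a "never held" result is the situation reported here.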
