On Sat, 5 Feb 2005, Mark Sapiro wrote:

Dan Mahoney wrote:

On Sat, 5 Feb 2005, Jeff Groves wrote:

I think the two Received: headers could be enough considering the worm
probably has its own SMTP engine. The way to answer this for sure is
to see if it is in the 'post' log.

Jan 27 22:55:10 2005 (39139) post to vgc-announce from [EMAIL PROTECTED], size=39384, message-id=<[EMAIL PROTECTED]>, success

I agree with Mark and would go even further that it is all you need to know.
The pcp08579508pcs.alxndr01.va.comcast.net address, which is indicative of a
Comcast end-user in Alexandria, Virginia, is plenty to know that the user
that had the address at the particular time (Thu, 27 Jan 2005 21:15:35 -0500
(EST)) was infected with some type of worm.

Jeff, I had already worked out that much. And it might have trolled the list posting address from an address book or a previous email...but...

1) (This is the question I've been wanting the answer to the whole
time)...Why did it not require approval?  When Eric Graves (the same guy,
same email address, the list owner and moderator), goes to make a post, it
gets held back with a "requires approval".  Up until recently, we took
this as a sign that security was as it should be.  Even if someone spoofed
the email address, we'd have a chance to catch it.

We clearly don't know the answer to this. Assuming it is in the 'post' log and thus for sure came from the list and wasn't just spoofed to look like it came from the list, the only way I know for it to get through is if it contained an Approved: header or first line with the list password.

There was some conjecture earlier in this thread about how this might
happen, but it seems highly unlikely and the characteristics of
[EMAIL PROTECTED] which you identified in the OP would seem to preclude
it, so I'm at a loss for an explanation.

2) Why isn't it in the vette log?

Because it wasn't held for approval.

3) If the worm spoofed all the x-mailman headers and everything, and
magically managed to insert itself into the pipermail archives, why are
the logs missing?

I forgot you said it was in the archive. Was there an entry in the 'post' log? Was there an entry or entries in the 'smtp' log? If these are absent, it may be a clue.

As I said before, the information we really need in order to figure
this out would be the post as received by Mailman, not the one sent
out, but there's no way to get this from Mailman after the fact.

*that* is a problem. I see no reason there shouldn't be an option to log this (either in the archives or a logfile, or maybe a "view original post" option in the archives, something possibly admin-only?).


-Dan

--

"You're not normal!"

-Michael G. Kessler, referring to my modem online time.


--------Dan Mahoney--------
Techie, Sysadmin, WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site: http://www.gushi.org
---------------------------
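As an added example (not part of the thread and not Mailman's own code), the two checks Mark describes above in script form: trace one Message-ID across the 'post', 'smtp' and 'vette' logs to see whether Mailman actually handled the message and whether it was ever held, and inspect a raw inbound copy (if you have one from the MTA) for the Approved: header or first-line password that lets a post bypass moderation. The log lines are constructed: the 'post' line mirrors the one quoted in the thread with addresses replaced, while the 'smtp' and 'vette' line formats and the exact header names Mailman 2.1 honours are assumptions.

```python
"""Correlate a Message-ID across Mailman 2.1 logs and look for the
Approved: moderation bypass in a raw message. Added example, not Mailman code."""
import email
import re
from email import policy

# Constructed sample log excerpts. The 'post' line follows the one quoted in
# the thread; the 'smtp' and 'vette' formats are assumptions about Mailman 2.1.
SAMPLE_LOGS = {
    "post": """Jan 27 22:55:10 2005 (39139) post to vgc-announce from eric@example.invalid, size=39384, message-id=<worm@example.invalid>, success
Jan 28 09:12:01 2005 (39150) post to vgc-announce from eric@example.invalid, size=1200, message-id=<legit@example.invalid>, success
""",
    "smtp": """Jan 27 22:55:11 2005 (39139) <worm@example.invalid> smtp for 143 recips, completed in 2.1 seconds
Jan 28 09:12:02 2005 (39150) <legit@example.invalid> smtp for 143 recips, completed in 1.9 seconds
""",
    "vette": """Jan 28 09:11:30 2005 (39150) vgc-announce post from eric@example.invalid held, message-id=<legit@example.invalid>: Post to moderated list
""",
}

MSGID_RE = re.compile(r"<([^<>\s]+)>")


def find_msgid(logs: dict, msgid: str) -> dict:
    """Return {logname: [matching lines]} for a Message-ID, with or without <>."""
    bare = msgid.strip("<>")
    return {
        name: [ln for ln in text.splitlines() if bare in MSGID_RE.findall(ln)]
        for name, text in logs.items()
    }


def classify(hits: dict) -> str:
    """Turn the per-log hits into the reading Mark gives in the thread."""
    posted = bool(hits.get("post"))
    sent = bool(hits.get("smtp"))
    held = bool(hits.get("vette"))
    if not posted and not sent:
        return "no trace: Mailman never handled this Message-ID, so the list headers were forged"
    if posted and not held:
        return ("accepted without being held: consistent with an Approved:/Approve: header "
                "or a first-line list password on the inbound message")
    if posted and held:
        return "held for moderation, then approved and posted"
    return "smtp entry without a post entry: unusual, check the whole log for that pid"


# Mailman 2.1 accepts 'Approved:' or 'Approve:' as a header or as the first
# non-blank body line (assumption about the exact matching rules).
APPROVAL_RE = re.compile(r"^\s*approved?\s*:\s*(.*?)\s*$", re.I)


def approval_evidence(raw: bytes) -> dict:
    """Report whether a raw message carries the moderation bypass.
    The password value itself is not verified against anything here."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    headers = [h for h in ("Approved", "Approve") if msg[h] is not None]
    first_line = None
    body = msg.get_body(preferencelist=("plain",))
    if body is not None:
        for line in body.get_content().splitlines():
            if line.strip():
                first_line = line
                break
    return {"header": headers, "first_line": bool(first_line and APPROVAL_RE.match(first_line))}


# Constructed raw messages; 'hunter2' stands in for a list password.
SAMPLE_WITH_HEADER = b"""From: eric@example.invalid
To: vgc-announce@example.invalid
Subject: test
Message-ID: <worm@example.invalid>
Approved: hunter2

body text
"""
SAMPLE_FIRST_LINE = b"""From: eric@example.invalid
To: vgc-announce@example.invalid
Subject: test
Message-ID: <worm@example.invalid>

Approved: hunter2
body text
"""

if __name__ == "__main__":
    for mid in ("<worm@example.invalid>", "<legit@example.invalid>", "<nothere@example.invalid>"):
        print(mid, "->", classify(find_msgid(SAMPLE_LOGS, mid)))
    print(approval_evidence(SAMPLE_WITH_HEADER), approval_evidence(SAMPLE_FIRST_LINE))
```

The pid in parentheses (39139 in the quoted line) ties a 'post' entry to its 'smtp' entry even when the Message-ID differs, so if the Message-ID search finds nothing it is worth grepping the logs for that pid as well.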

------------------------------------------------------
Mailman-Users mailing list
Mailman-Users@python.org
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: http://mail.python.org/mailman/options/mailman-users/archive%40jab.org
