Re: [Mailman-Users] Are there any known exploits in 2.1.5 re requestemail address and spamming?

Mon, 22 Sep 2008 00:43:24 -0700 

Mark Sapiro wrote:

Martin J. Evans wrote:
I've inherited a 2.1.5 mailman. In the last few days we've been blacklisted by a number of major sites. On further investigation it looks like our mailman has been compromised in some way. Emails to the request address are somehow being used to send spam. There are literally thousands of them. I've stopped the list for now. Obviously 2.1.5 is way out of date but I've looked at the changes since then and cannot see something which looks like this issue although a search for mailman request exploit brings up a number of entries which are not very detailed. Does anyone know of an exploit in 2.1.5 which allows spam to be sent via mailman in 2.1.5? 


If I understand correctly what you are saying, spam is being sent to
the list-request address with a From: header containing an innocent
3rd party address. The response from Mailman, which contains the
original message, is sent to the innocent 3rd party.
Actually that is not the case. It appears spam is sent to the request address and it ends up being sent to an innocent 3rd party without any mailman text at all. It is difficult for me to diagnose this as my mail server has been blacklisted by so many places I've had to disable mailmain completely. I saw lots of emails coming in to the request address and caught some of the identical emails stuck on my outgoing mail queue due to failure to send. What happened in between I cannot say right now. I don't really want to start mailman up again as we cannot afford to be black listed since we do most of our business online and after a weekend of not spamming people we may get off some of the black lists. 


Current Mailman through 2.1.11 will behave the same. These issues will
be addressed in 2.2.

In the mean time, the best solution is effective spam filtering ahead
of Mailman. Barring that, you can disable the -request and perhaps
other support addresses and force everyone to use the web for
subscribing, confirming, etc.



That is a reasonable alternative I'll look in to.

Thanks.

Martin
------------------------------------------------------
Mailman-Users mailing list
[email protected]
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
http://mail.python.org/mailman/options/mailman-users/archive%40jab.org

Security Policy: http://wiki.list.org/x/QIA9

Reply via email to