[Mailman-Users] Is there a security hole in Mailman?

2006-02-12 Thread Jon D. Slater
Hi All,

I've been away from this list for a while, so the question may have already
been asked (and answered).

Is there a security hole in Mailman?

Here's what I mean.

I'm running several servers, all running Mailman.  *None* of my lists are
displayed publicly when you view the mailman/listinfo page.

Whenever I use a non-Mailman email address on one of my web pages, I always
'munge' it using a JavaScript.

Lately I've been bombarded by hundreds of spam e-mail messages, but *only to my
Mailman lists*.  My non-Mailman e-mail addresses (which are munged with
JavaScript) are never hit.

How are the evil spammers harvesting my list names when they aren't on the
'listinfo' page?

And, more importantly, is there a way to prevent it?  (BTW, I'm also using
SpamAssassin and a lot of these spam messages still get through.)

Thanks!

Jon

--
Mailman-Users mailing list
Mailman-Users@python.org
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
http://mail.python.org/mailman/options/mailman-users/archive%40jab.org

Security Policy: 
http://www.python.org/cgi-bin/faqw-mm.py?req=show&file=faq01.027.htp


Re: [Mailman-Users] Is there a security hole in Mailman?

2006-02-12 Thread Jeff Donsbach
On 2/12/06, Jon D. Slater <[EMAIL PROTECTED]> wrote:
> Hi All,
>
> Is there a security hole in Mailman?
>
>
> How are the evil spammers harvesting my list names when they aren't on the
> 'listinfo' page?
>

From the address book(s) of one or some of you subscribers infected
with a virus/worm?

>
> And, more importantly, is there a way to prevent it?  (BTW, I'm also using
> SPAM ASSASSIN and a lot of these SPAM messages still get through.)
>

Is your list set for "subscribers only" posting? Set your list to hold
posts from non-members for moderation.

Keep feeding the spam messages to "sa-learn".

Jeff D


Re: [Mailman-Users] Is there a security hole in Mailman?

2006-02-13 Thread Jon D. Slater
> On 2/12/06, Jon D. Slater <[EMAIL PROTECTED]> wrote:
> > How are the evil spammers harvesting my list names when they aren't
> > on the 'listinfo' page?
> 
> From the address book(s) of one or some of you subscribers infected
> with a virus/worm?
> 
> > And, more importantly, is there a way to prevent it?  (BTW, I'm also
> > using SPAM ASSASSIN and a lot of these SPAM messages still get through.)
> 
> Is your list set for "subscribers only" posting? Set your list to hold 
> posts from non-members for moderation.
> 
> Keep feeding the spam messages to "sa-learn".
> 
> Jeff D

I'm already doing that.  My complaint is that I have to go in and manually
reject or ignore these messages.

How are they getting my list names in the first place?

I don't believe this is an issue where an individual user may have been
compromised, because no single user accesses all the groups on all of the
servers.

Jon



Re: [Mailman-Users] Is there a security hole in Mailman?

2006-02-13 Thread Jon D. Slater
Some are pretty generic ("board") while others are not
("DesignReviewCommittee").

> -Original Message-
> From: Patrick Bogen [mailto:[EMAIL PROTECTED]
> Sent: Monday, February 13, 2006 9:46 AM
> To: Jon D. Slater
> Subject: Re: [Mailman-Users] Is there a security hole in Mailman?
> 
> Do your lists have reasonably common names? "announce" "staff" that
> sort of thing?
> Spammers don't care about bounced messages, so they might just be
> randomly guessing.
> 
> --
> - Patrick Bogen




Re: [Mailman-Users] Is there a security hole in Mailman?

2006-02-13 Thread Mark Sapiro
Jon D. Slater wrote:
>
>How are they getting my list names in the first place?
>
>I don't believe this is an issue where an individual user may have been
>compromised, because no single user accesses all the groups on all of the
>servers.


It's likely you are correct, but you may be surprised if you could find
how many of your list members have spyware on their machines.

How do people find out about your lists? Any possibility of a leak
there?

You don't mention archives. Do your lists have public archives?

As far as your original question is concerned, I don't think we're
aware of any way for list names/posting addresses to be available via
your web server as long as your lists are not 'advertised', your
archives are private and your web server runs as a user/group that
can't directly access your Mailman installation.

-- 
Mark Sapiro <[EMAIL PROTECTED]>   The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan



Re: [Mailman-Users] Is there a security hole in Mailman?

2006-02-13 Thread Jim Popovitch
Mark Sapiro wrote:
> As far as your original question is concerned, I don't think we're
> aware of any way for list names/posting addresses to be available via
> your web server as long as your lists are not 'advertised', your
> archives are private and your web server runs as a user/group that
> can't directly access your Mailman installation.

Side question:  If the webserver is running as a user/group that can't 
directly access the Mailman installation, how can Mailman web interfaces 
work?  Perhaps you mean something else by the above?

-Jim P.





Re: [Mailman-Users] Is there a security hole in Mailman?

2006-02-13 Thread Mark Sapiro
Jim Popovitch wrote:
>
>Side question:  If the webserver is running as a user/group that can't 
>directly access the Mailman installation, how can Mailman web interfaces 
>work?  Perhaps you mean something else by the above?


The web interface accesses Mailman through setgid wrappers. See
.

-- 
Mark Sapiro <[EMAIL PROTECTED]>   The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan



Re: [Mailman-Users] Is there a security hole in Mailman?

2006-02-13 Thread Jim Popovitch
Mark Sapiro wrote:
> Jim Popovitch wrote:
>> Side question:  If the webserver is running as a user/group that can't 
>> directly access the Mailman installation, how can Mailman web interfaces 
>> work?  Perhaps you mean something else by the above?
> 
> 
> The web interface accesses Mailman through setgid wrappers. See
> .

OK, but just to be clear, those wrappers (default location is 
/usr/local/mailman/cgi-bin) need to be accessible by the webserver.  So, 
is it safe to assume that only cgi-bin needs world read/executable 
permissions?  Can I "chmod -R o=" everything in /usr/local/mailman/ 
except cgi-bin/ and mail/?

-Jim P.



Re: [Mailman-Users] Is there a security hole in Mailman?

2006-02-13 Thread Mark Sapiro
Jim Popovitch wrote:
>
>OK, but just to be clear, those wrappers (default location is 
>/usr/local/mailman/cgi-bin) need to be accessible by the webserver.  So, 
>is it safe to assume that only cgi-bin needs world read/executable 
>permissions?  Can I "chmod -R o=" everything in /usr/local/mailman/ 
>except cgi-bin/ and mail/?


Not quite. The remaining issue is archives because public archives are
the only things that are not accessed through a wrapper. That's an
important access issue, i.e. forcing private archive access to be only
via the 'private' wrapper/script which forces authentication.

Because public archives are accessed directly by the web server via the
'pipermail' alias and the symlinks in archives/public, the
archives/private// directories and their subordinate archive
contents must be accessible by 'other', but the archives/private/
directory itself has permissions 02771 to prevent 'other' getting the
names of the lists by reading the directory.

-- 
Mark Sapiro <[EMAIL PROTECTED]>   The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

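The permission model Mark lays out in the two messages above (setgid wrappers in cgi-bin/ and mail/, everything else closed to 'other', archives/private/ at 02771 so a known list's archive can be reached but the list names cannot be read out of the directory) is easy to get wrong with a stray chmod -R. The following audit script is an added example and is not part of the thread or of Mailman itself; it assumes the standard prefix layout (cgi-bin/, mail/, archives/private/<listname>/) and uses only ls and POSIX find, so it runs on any box without Mailman installed.

```shell
#!/bin/sh
# Added example (not Mailman's own code): audit a Mailman 2.1 prefix against
# the permission model described in the thread. Assumed layout:
#   $PREFIX/cgi-bin/*            setgid wrappers run by the web server
#   $PREFIX/mail/*               setgid wrapper run by the MTA
#   $PREFIX/archives/private/    02771: traversable, but not listable, by 'other'
#   everything else              no 'other' bits at all (chmod -R o=)

# Returns 0 when DIR is setgid, traversable by 'other' and NOT readable by
# 'other' (mode 02771). ls's 10-character mode string is d + ugo, so the
# setgid bit shows as 's'/'S' in the group-execute slot.
private_archive_dir_ok() {
    mode=$(ls -ld "$1" 2>/dev/null | cut -c1-10)
    case "$mode" in
        d?????[sS]--x) return 0 ;;
    esac
    return 1
}

# Returns 0 when FILE is a setgid executable that 'other' may run; that is how
# the web server, which is not in the Mailman group, gets into it.
setgid_wrapper_ok() {
    mode=$(ls -ld "$1" 2>/dev/null | cut -c1-10)
    case "$mode" in
        -?????[sS]??x) return 0 ;;
    esac
    return 1
}

# Prints every entry under PREFIX, outside cgi-bin/, mail/ and archives/, that
# grants any read, write or execute bit to 'other'. The prefix directory
# itself is skipped: it legitimately needs o+x so the wrappers can be reached.
# A tree that has had "chmod -R o=" applied everywhere else prints nothing.
world_accessible_outside_wrappers() {
    prefix=${1%/}
    find "$prefix" \
        \( -path "$prefix/cgi-bin" -o -path "$prefix/mail" \
           -o -path "$prefix/archives" \) -prune -o \
        ! -path "$prefix" \
        \( -perm -o+r -o -perm -o+w -o -perm -o+x \) -print
}

# Usage: audit_mailman_prefix /usr/local/mailman   (exit status 1 on any finding)
audit_mailman_prefix() {
    prefix=${1%/}
    status=0
    if private_archive_dir_ok "$prefix/archives/private"; then
        echo "ok:   $prefix/archives/private is 02771 (list names not enumerable)"
    else
        echo "FAIL: $prefix/archives/private is not 02771; 'other' may read list names"
        status=1
    fi
    for w in "$prefix"/cgi-bin/* "$prefix"/mail/*; do
        [ -f "$w" ] || continue
        if ! setgid_wrapper_ok "$w"; then
            echo "FAIL: $w is not a setgid executable runnable by 'other'"
            status=1
        fi
    done
    leaks=$(world_accessible_outside_wrappers "$prefix")
    if [ -n "$leaks" ]; then
        echo "FAIL: world-accessible entries outside cgi-bin/, mail/, archives/:"
        printf '%s\n' "$leaks"
        status=1
    else
        echo "ok:   nothing outside the wrapper and archive directories is world-accessible"
    fi
    return $status
}

if [ $# -ge 1 ]; then
    audit_mailman_prefix "$1"
fi
```

Run it as any user that can stat the tree. Note what the 02771 check does and does not buy you: a process running as 'other' (the web server, or anyone with a shell on the box) still reaches archives/private/<listname>/ if it already knows the name, which is exactly the behaviour public archives rely on; what it cannot do is read the directory to discover the names. Keeping lists/ and data/ at o= is what stops the same enumeration via lists/<listname>/config.pck.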


Re: [Mailman-Users] Is there a security hole in Mailman?

2006-02-14 Thread JC Dill
Jon D. Slater wrote:
> Some are pretty generic ("board") while others are not
> ("DesignReviewCommittee").

Are your list submission addresses on the web anywhere?  Do a google 
search for [EMAIL PROTECTED] (search both "web" and "groups") and see if 
you get any matches.  If you do, then the email address is going to get 
spam because if a search engine has found a page with the email address 
on it then a spammer's email scraping web spider will have found the 
page too.

jc