Re: [Mailman-Users] Re: Virus Just Got Through on TOTALLYMODERATED list.

2005-02-05 Thread Dan Mahoney, System Admin
On Sat, 5 Feb 2005, Jeff Groves wrote:
I think the two Received: headers could be enough considering the worm
probably has its own SMTP engine. The way to answer this for sure is
to see if it is in the 'post' log.
Jan 27 22:55:10 2005 (39139) post to vgc-announce from 
[EMAIL PROTECTED], size=39384, 
message-id=<[EMAIL PROTECTED]>, success

I agree with Mark and would go even further that it is all you need to know. 
The pcp08579508pcs.alxndr01.va.comcast.net address, which is indicative of a 
Comcast end-user in Alexandria, Virginia, is plenty to know that the user 
that had the address at the particular time (Thu, 27 Jan 2005 21:15:35 -0500 
(EST)) was infected with some type of worm.
Jeff, I had already worked out that much.  And it might have trolled the 
list posting address from an address book or a previous email...but...

1) (This is the question I've been wanting the answer to the whole 
time)...Why did it not require approval?  When Eric Graves (the same guy, 
same email address, the list owner and moderator), goes to make a post, it 
gets held back with a "requires approval".  Up until recently, we took 
this as a sign that security was as it should be.  Even if someone spoofed 
the email address, we'd have a chance to catch it.

2) Why isn't it in the vette log?
3) If the worm spoofed all the x-mailman headers and everything, and 
magically managed to insert itself into the pipermail archives, why are 
the logs missing?

--
"Happy, Sad, Happy, Sad, Happy, Sad, Happy, Intrigued!  I've never been so
in touch with my emotions!"
-AndrAIa as Hexadecimal, Reboot Episode 3.2.3
Dan Mahoney
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---
--
Mailman-Users mailing list
Mailman-Users@python.org
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
http://mail.python.org/mailman/options/mailman-users/archive%40jab.org


Re: [Mailman-Users] Re: Virus Just Got Through on TOTALLYMODERATED list.

2005-02-05 Thread Jeff Groves
Mark Sapiro wrote:
Brad Knowles wrote:

At 1:49 AM -0500 2005-02-04, Dan Mahoney, System Admin wrote:

I checked the vette log.  The message isn't even in there.  Some of the
auto-replies to it are (i.e. "message rejected, it's a virus").  And
the message shows in the pipermail archives.
	In that case, are you sure that the message passed through your 
system?  Maybe the virus spoofed more than just your moderator's 
address


Here's the full headers of the thing:
Return-Path: <[EMAIL PROTECTED]>
Received: from prime.gushi.org (localhost [IPv6:::1])
by prime.gushi.org (8.13.1/8.13.1) with ESMTP id j0S2GH5b080701
for <[EMAIL PROTECTED]>; Thu, 27 Jan 2005 22:50:56 -0500 (EST)
Received: from ROBERTA.net (pcp08579508pcs.alxndr01.va.comcast.net
[68.83.208.54])
by prime.gushi.org (8.13.1/8.13.1) with SMTP id j0S2FV8o080233
for <[EMAIL PROTECTED]>;
Thu, 27 Jan 2005 21:15:35 -0500 (EST)
	I only see two Received: headers here.  This is not nearly 
enough.  There's a lot of data that appears to be missing.

I think the two Received: headers could be enough considering the worm
probably has its own SMTP engine. The way to answer this for sure is
to see if it is in the 'post' log.
I agree with Mark and would go even further that it is all you need to know.  The 
pcp08579508pcs.alxndr01.va.comcast.net address, which is indicative of a Comcast end-user in 
Alexandria, Virginia, is plenty to know that the user that had the address at the particular 
time (Thu, 27 Jan 2005 21:15:35 -0500 (EST)) was infected with some type of worm.

Jeff G.
--
Law of Procrastination:
Procrastination avoids boredom; one never has
the feeling that there is nothing important to do.


Re: [Mailman-Users] Re: Virus Just Got Through on TOTALLYMODERATED list.

2005-02-05 Thread Mark Sapiro
Brad Knowles wrote:

>At 1:49 AM -0500 2005-02-04, Dan Mahoney, System Admin wrote:
>
>>  I checked the vette log.  The message isn't even in there.  Some of the
>>  auto-replies to it are (i.e. "message rejected, it's a virus").  And
>>  the message shows in the pipermail archives.
>
>   In that case, are you sure that the message passed through your 
>system?  Maybe the virus spoofed more than just your moderator's 
>address
>
>>  Here's the full headers of the thing:
>>
>>  Return-Path: <[EMAIL PROTECTED]>
>>  Received: from prime.gushi.org (localhost [IPv6:::1])
>>  by prime.gushi.org (8.13.1/8.13.1) with ESMTP id j0S2GH5b080701
>>  for <[EMAIL PROTECTED]>; Thu, 27 Jan 2005 22:50:56 -0500 (EST)
>>  Received: from ROBERTA.net (pcp08579508pcs.alxndr01.va.comcast.net
>>  [68.83.208.54])
>>  by prime.gushi.org (8.13.1/8.13.1) with SMTP id j0S2FV8o080233
>>  for <[EMAIL PROTECTED]>;
>>  Thu, 27 Jan 2005 21:15:35 -0500 (EST)
>
>   I only see two Received: headers here.  This is not nearly 
>enough.  There's a lot of data that appears to be missing.


I think the two Received: headers could be enough considering the worm
probably has its own SMTP engine. The way to answer this for sure is
to see if it is in the 'post' log.

The real problem is that other than Brad's suggestion above, these
headers really don't tell us much. What we'd really like to see is the
incoming message as received by Mailman. Of course, there's no way to
do that.

--
Mark Sapiro <[EMAIL PROTECTED]>   The highway is for gamblers,
San Francisco Bay Area, California       better use your sense - B. Dylan

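The two checks the thread keeps returning to, what the Received: chain says about the sending host and whether Mailman's 'post' and 'vette' logs ever saw the message, can be done mechanically. The script below is an added example, not code from the thread or from Mailman itself. The hostnames, the 68.83.208.54 address and the timestamps are taken from the headers and the post-log line quoted above; the recipient address, Message-ID and the vette-log line are constructed stand-ins (the archive redacts the real addresses, and the vette line's exact layout is an assumption). It unfolds the headers, orders the hops oldest-first, flags a HELO name that disagrees with the reverse DNS and a client that spoke plain SMTP (HELO) rather than ESMTP (EHLO), computes the gap between hops, and reports what the logs recorded for the Message-ID.

```python
"""Added example (not from the thread or from Mailman): trace a message's
Received: chain and check what Mailman's 'post' and 'vette' logs say.
Hostnames, IP and timestamps follow the thread; addresses, the Message-ID
and the log lines are constructed stand-ins."""
import ipaddress
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample: the two Received: headers quoted in the thread, with
# the redacted addresses replaced by assumed placeholders.
SAMPLE_MESSAGE = """\
Return-Path: <owner@example.org>
Received: from prime.gushi.org (localhost [IPv6:::1])
    by prime.gushi.org (8.13.1/8.13.1) with ESMTP id j0S2GH5b080701
    for <vgc-announce@prime.gushi.org>; Thu, 27 Jan 2005 22:50:56 -0500 (EST)
Received: from ROBERTA.net (pcp08579508pcs.alxndr01.va.comcast.net
    [68.83.208.54])
    by prime.gushi.org (8.13.1/8.13.1) with SMTP id j0S2FV8o080233
    for <vgc-announce@prime.gushi.org>;
    Thu, 27 Jan 2005 21:15:35 -0500 (EST)
Message-ID: <constructed-0001@example.org>

body
"""
# Constructed log lines: the post entry mirrors the one quoted in the thread;
# the vette line's layout is an assumption, matching is on message-id only.
SAMPLE_POST_LOG = [
    "Jan 27 22:55:10 2005 (39139) post to vgc-announce from owner@example.org, "
    "size=39384, message-id=<constructed-0001@example.org>, success",
]
SAMPLE_VETTE_LOG = [
    "Jan 27 22:56:02 2005 (39139) vgc-announce post from other@example.com "
    "held, message-id=<constructed-0002@example.org>: Post to moderated list",
]

RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)"                                   # what the client claimed
    r"(?:\s+\((?P<rdns>[^\s\[\]]*)\s*\[(?P<ip>[^\]]+)\]\))?"  # what the MTA saw
    r"\s+by\s+(?P<by>\S+).*?\s+with\s+(?P<proto>\S+)"         # SMTP (HELO) or ESMTP (EHLO)
    r"(?:\s+id\s+(?P<id>\S+))?(?:\s+for\s+<(?P<rcpt>[^>]+)>)?"
    r"\s*;\s*(?P<date>.+)$")
POST_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) \((?P<pid>\d+)\) post to "
    r"(?P<list>\S+) from (?P<sender>\S+), size=(?P<size>\d+), "
    r"message-id=<(?P<msgid>[^>]*)>, (?P<status>\S+)$")


def parse_received(value):
    """Split one Received: header value into its trace fields, or None."""
    m = RECEIVED_RE.match(" ".join(value.split()))   # unfold continuation lines
    if not m:
        return None
    hop = m.groupdict()
    # drop the trailing "(EST)" comment, then parse the RFC 2822 date
    hop["date"] = parsedate_to_datetime(re.sub(r"\s*\([^)]*\)\s*$", "", hop["date"]))
    return hop


def received_chain(raw):
    """Hops oldest-first: each MTA prepends its Received:, so reverse them."""
    hops = [parse_received(v) for v in message_from_string(raw).get_all("Received", [])]
    return [h for h in reversed(hops) if h]


def hop_delays(chain):
    """Seconds between consecutive hops' own timestamps; here that is the time
    between arrival from the Comcast host and re-injection via localhost."""
    return [int((b["date"] - a["date"]).total_seconds()) for a, b in zip(chain, chain[1:])]


def hop_findings(hop):
    """What a header-forensics pass flags on a hop that came from outside."""
    ip = ipaddress.ip_address(hop["ip"].replace("IPv6:", "")) if hop["ip"] else None
    if ip is None or ip.is_loopback or ip.is_private:
        return []                      # internal hop: says nothing about the origin
    findings = []
    helo, rdns = hop["helo"].lower(), (hop["rdns"] or "").lower()
    org = ".".join(rdns.split(".")[-2:])   # crude org domain (wrong for e.g. co.uk)
    if rdns and helo != rdns and not helo.endswith("." + org):
        findings.append(f"HELO {hop['helo']} does not match rDNS {hop['rdns']}")
    if hop["proto"].upper() == "SMTP":
        findings.append("client said HELO, not EHLO: consistent with a minimal "
                        "built-in SMTP engine rather than a real MTA")
    return findings


def mailman_disposition(msgid, post_lines, vette_lines):
    """What Mailman's own logs recorded for Message-ID <msgid>."""
    if any(f"<{msgid}>" in line for line in vette_lines):
        return "held-or-rejected"      # moderation saw it; read the vette entry
    posted = [m.groupdict() for m in map(POST_RE.match, post_lines) if m]
    if any(e["msgid"] == msgid and e["status"] == "success" for e in posted):
        return "posted-without-hold"   # delivered, and never held for approval
    return "not-seen-by-mailman"       # no trace: headers or archive may be forged


if __name__ == "__main__":
    chain = received_chain(SAMPLE_MESSAGE)
    for hop, delay in zip(chain, [0] + hop_delays(chain)):
        print(f"{hop['date']:%H:%M:%S} +{delay:5d}s from {hop['helo']} "
              f"({hop['rdns']} [{hop['ip']}]) with {hop['proto']}")
        for finding in hop_findings(hop):
            print("    !", finding)
    msgid = message_from_string(SAMPLE_MESSAGE)["Message-ID"].strip("<> ")
    print("Mailman logs:", mailman_disposition(msgid, SAMPLE_POST_LOG, SAMPLE_VETTE_LOG))
```

Run against the sample, the outside hop is flagged twice (the HELO name ROBERTA.net does not belong to the comcast.net reverse DNS, and the client used plain SMTP rather than ESMTP), the two hops are 5721 seconds apart, and the Message-ID appears in the post log with status success but nowhere in the vette log, which is exactly the "posted without ever being held" situation the thread is trying to explain. Replace the constructed log lists with the real files read from Mailman's logs directory to run it on a live installation.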