I'm not sure if this is really what's happening or not, but thought I would ask if anyone else is seeing this.

I have a couple of lists using SmartList which are announcement-type lists. Only the moderator is allowed to post to them. Today, one of the moderators asked if his announcement was sent out twice last week. The mail logs showed two receipts from his address to the email list's address. One was from our mail system, but another was from a system I didn't recognize. Since both were from him (had his email address in the From: field), the message was sent out twice. The second one could have possibly contained a virus, since the message size was about 1700 bytes larger than the first.

My questions:

1.) Is this a possible scenario with SmartList? I can't think of any reason why this wouldn't work.

2.) Is there any protection to avoid this? I can't think of any setting to make the system reject messages from the moderator which DON'T come from a particular mail system. Is there any other way? Moderator must approve his own posts?

Thanks for your help with this. I scanned the threads for the last two months on this forum, but didn't see anything that I thought would pertain to this. Please forgive me if I overlooked it and you point it out to me.

-Kevin Zembower

-----
E. Kevin Zembower
Unix Administrator
Johns Hopkins University/Center for Communications Programs
111 Market Place, Suite 310
Baltimore, MD 21202
410-659-6139

On Mon, Apr 29, 2002 at 10:30:39AM -0400, KEVIN ZEMBOWER wrote:

> 1.) Is this a possible scenario with SmartList? I can't think of any reason why this wouldn't work.

It's entirely possible. Email addresses are trivial to spoof.

> 2.) Is there any protection to avoid this? I can't think of any setting to make the system reject messages from the moderator which DON'T come from a particular mail system. Is there any other way? Moderator must approve his own posts?

Or other password-protection; there have been several discussions about this on the list before. Basically, it's fairly easy to put in a filter which requires a particular header to appear in a message, and which strips out that header before the message goes to the list.

Roger

Do you have something inputted into the subject line for the list ([LIST NAME])? As long as subscribers only can post, if the person receives the virus and list name does not show, they know it didn't come through the list. Also, if there is no signature file, or name signed for people that sign their name, you know it was not sent by a person.

Jeff

FAX 717-564-4952
Jeff Dougherty
Intrepid Video & Electronics          God answers
501 Luther Rd                         Knee-mail.
Harrisburg, PA 17111
717-909-8844
VCR tips, electronics info & general interest.
www.intrepid-video.com
www.tech-repair.net
www.thetoolcaddy.com
www.9-11-2001tragedy.com

----- Original Message -----
From: "Roger Burton West" <roger@firedrake.org>
To: <smartlist@Lists.RWTH-Aachen.DE>
Sent: Monday, April 29, 2002 10:37 AM
Subject: Re: Klez worm forging moderator's address?

> On Mon, Apr 29, 2002 at 10:30:39AM -0400, KEVIN ZEMBOWER wrote:
>
> > 1.) Is this a possible scenario with SmartList? I can't think of any reason why this wouldn't work.
>
> It's entirely possible. Email addresses are trivial to spoof.
>
> > 2.) Is there any protection to avoid this? I can't think of any setting to make the system reject messages from the moderator which DON'T come from a particular mail system. Is there any other way? Moderator must approve his own posts?
>
> Or other password-protection; there have been several discussions about this on the list before. Basically, it's fairly easy to put in a filter which requires a particular header to appear in a message, and which strips out that header before the message goes to the list.
>
> Roger
>
> _______________________________________________
> Smartlist mailing list
> Smartlist@lists.RWTH-Aachen.DE
> http://MailMan.RWTH-Aachen.DE/mailman/listinfo/smartlist

Kevin asked,

| I have a couple of lists using SmartList which are announcement-type
| lists. Only the moderator is allowed to post to them. Today, one of the
| moderators asked if his announcement was sent out twice last week. The
| mail logs showed two receipts from his address to the email list's
| address. One was from our mail system, but another was from a system I
| didn't recognize. Since both were from him (had his email address in the
| From: field), the message was sent out twice. The second one could have
| possibly contained a virus, since the message size was about 1700 bytes
| larger than the first.

I'm a little confused about the details: this announcement list has several moderators, one of whom posted once last week, but there are two logged messages From: that moderator to the list's posting address?

Likely some other list member has address book entries for both the moderator who was named in From: and the list's posting address. When Klez mails itself to someone in the infected user's address book, it takes another entry from the address book for its From: line. You can find the real sender in Return-Path:. The second worst thing you could do (the worst thing being running the attachment and infecting yourself) is to blame the person named in From:.

| 2.) Is there any protection to avoid this? I can't think of any setting
| to make the system reject messages from the moderator which DON'T come
| from a particular mail system. Is there any other way? Moderator must
| approve his own posts?

Of course the moderator must approve his/her own posts, or use a secret passworded header such as Roger was describing. Otherwise, even if there were no such things as email worms, disgruntled members or other krackers could post any text at all directly to the list by forging the moderator's From: line. But it is foolhardy for a list to roll out the red carpet for every arriving message with the moderator's address in From:.

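The header filter Roger describes and the Return-Path: check David mentions, sketched as an added example that is not part of the thread and is not SmartList's own code. The header name, passphrase, addresses and both sample messages are constructed for illustration.

```python
import hmac
from email import message_from_string
from email.utils import parseaddr

# Every name and value here is constructed for illustration.
MODERATOR = "moderator@example.org"
APPROVE_HEADER = "X-List-Approve"       # hypothetical header name
APPROVE_SECRET = "constructed-secret"   # known only to the moderator

def gate(raw):
    """Decide what to do with a post; return (verdict, cleaned message)."""
    msg = message_from_string(raw)
    supplied = msg.get_all(APPROVE_HEADER) or []
    del msg[APPROVE_HEADER]  # strip it so the secret never reaches the list
    sender = parseaddr(msg.get("From", ""))[1].lower()
    envelope = parseaddr(msg.get("Return-Path", ""))[1].lower()
    if sender != MODERATOR:
        return "reject: From: is not the moderator", msg
    # Exactly one copy of the header, compared in constant time.
    approved = len(supplied) == 1 and hmac.compare_digest(
        supplied[0].strip().encode(), APPROVE_SECRET.encode())
    if approved:
        return "accept", msg
    # From: alone proves nothing; Return-Path: shows who really sent it.
    return f"hold: no valid approval header, Return-Path: <{envelope}>", msg

GENUINE = """\
Return-Path: <moderator@example.org>
From: Moderator <moderator@example.org>
To: announce@example.org
X-List-Approve: constructed-secret
Subject: Weekly announcement

Text of the real announcement.
"""

FORGED = """\
Return-Path: <infected-member@example.net>
From: Moderator <moderator@example.org>
To: announce@example.org
Subject: Weekly announcement

Text with an unexpected attachment.
"""

if __name__ == "__main__":
    for raw in (GENUINE, FORGED):
        verdict, cleaned = gate(raw)
        print(verdict, "| header still present:", APPROVE_HEADER in cleaned)
```

A held message goes to the moderator for manual approval rather than to the list, and the logged Return-Path: points at the machine to clean up rather than at the person named in From:.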
One thing which I have done that helps eliminate some problems is throw the HTML reject in there. I don't remember exactly how to do it, but the instructions are in the manual or FAQ. Then all you would get is the reject message, or it may go back to the infected person.

Jeff

FAX 717-564-4952
Jeff Dougherty
Intrepid Video & Electronics          God answers
501 Luther Rd                         Knee-mail.
Harrisburg, PA 17111
717-909-8844
VCR tips, electronics info & general interest.
www.intrepid-video.com
www.tech-repair.net
www.thetoolcaddy.com
www.9-11-2001tragedy.com

----- Original Message -----
From: "KEVIN ZEMBOWER" <KZEMBOWER@jhuccp.org>
To: <smartlist@Lists.RWTH-Aachen.DE>
Sent: Monday, April 29, 2002 10:30 AM
Subject: Klez worm forging moderator's address?

> I'm not sure if this is really what's happening or not, but thought I would ask if anyone else is seeing this.
>
> I have a couple of lists using SmartList which are announcement-type lists. Only the moderator is allowed to post to them. Today, one of the moderators asked if his announcement was sent out twice last week. The mail logs showed two receipts from his address to the email list's address. One was from our mail system, but another was from a system I didn't recognize. Since both were from him (had his email address in the From: field), the message was sent out twice. The second one could have possibly contained a virus, since the message size was about 1700 bytes larger than the first.
>
> My questions:
>
> 1.) Is this a possible scenario with SmartList? I can't think of any reason why this wouldn't work.
>
> 2.) Is there any protection to avoid this? I can't think of any setting to make the system reject messages from the moderator which DON'T come from a particular mail system. Is there any other way? Moderator must approve his own posts?
>
> Thanks for your help with this. I scanned the threads for the last two months on this forum, but didn't see anything that I thought would pertain to this. Please forgive me if I overlooked it and you point it out to me.
>
> -Kevin Zembower
>
> -----
> E. Kevin Zembower
> Unix Administrator
> Johns Hopkins University/Center for Communications Programs
> 111 Market Place, Suite 310
> Baltimore, MD 21202
> 410-659-6139

participants (4)
- David W. Tamkin
- Intrepid Video Info
- KEVIN ZEMBOWER
- Roger Burton West