Virus on the list [Was: Re: Thanks :)]

Laurence ljng at hbbs.org
Sat Oct 30 00:14:39 CEST 2004


David Relson wrote:
>
> The mail server is running postfix, procmail, and mailman.  Either
> mailman is vulnerable to spoofed addresses or it's configured wrong.

AIUI (and I could very well be wrong!) MailMan doesn't do any 
verification other than checking that the sender's address is in the member 
list.  Not sure what else it could do... opening an SMTP connection back to 
the domain is pointless as it almost certainly exists as it's on the member 
list.  Checking that the domain matches the server that's sending it will 
break anyone that's relaying...

> If anybody has suggestions on hardening the delivery environment to
> avoid this happening again, feel free to contact me.

I'm not running the same version of MailMan as you, but my (older) version 
has an "anonymous_list (privacy): Hide the sender of a message, replacing it 
with the list address (Removes From, Sender and Reply-To fields)" setting. 
Not sure that's particularly pleasant though.

I noticed in the past that some crafty people had worked out where MailMan 
stores the .mbox files that it generates the archives from (email addresses 
in these aren't obfuscated in any way) and were downloading these directly 
from my server - I assume to scan for valid addresses.  The .mbox files 
weren't linked to on any public pages, but the default permissions made them 
accessible.  IIRC chmoding them o-r stopped them being world accessible.

I'm running the free Linux virus checker from www.bitdefender.com on my 
server - that was what filtered this virus.  Maybe the input to the list 
could be filtered via a copy of that?

> Needless to say, I am rather embarrassed that it was _my_ address that
> was spoofed and deeply regret that this happened.

*shrug* It happens.

Laurence
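
The permission problem described in the message above (archive .mbox files readable by everyone, closed with chmod o-r) can be checked for with a short audit script. This is an added example, not part of the original post or of Mailman; the function names and the sample tree are constructed for illustration, and the archive directory is passed in by the caller rather than assumed.

```shell
#!/bin/sh
# Added example: audit an archive directory for world-readable .mbox files.
# The directory is given by the caller; no Mailman install path is assumed.

# List *.mbox regular files under $1 that have the "other read" bit set.
list_world_readable_mbox() {
    find "$1" -type f -name '*.mbox' -perm -004 -print
}

# Count them (one path per line; assumes no newlines in file names).
count_world_readable_mbox() {
    list_world_readable_mbox "$1" | wc -l | tr -d ' '
}

# Apply the fix from the post (chmod o-r) to exactly those files.
fix_world_readable_mbox() {
    find "$1" -type f -name '*.mbox' -perm -004 -exec chmod o-r {} +
}

# Build a constructed sample tree (not real data) and print its path.
make_sample_tree() {
    d=$(mktemp -d) || return 1
    mkdir "$d/demo-list.mbox" "$d/other list.mbox" "$d/closed.mbox"
    : > "$d/demo-list.mbox/demo-list.mbox"    # 644: world-readable
    : > "$d/other list.mbox/other list.mbox"  # 604: world-readable, space in name
    : > "$d/closed.mbox/closed.mbox"          # 640: already restricted
    : > "$d/index.html"                       # 644: not an mbox, left alone
    chmod 644 "$d/demo-list.mbox/demo-list.mbox" "$d/index.html"
    chmod 604 "$d/other list.mbox/other list.mbox"
    chmod 640 "$d/closed.mbox/closed.mbox"
    printf '%s\n' "$d"
}

# Usage: sh audit_mbox.sh ARCHIVE_DIR [--fix]
if [ "$#" -gt 0 ]; then
    list_world_readable_mbox "$1"
    if [ "${2:-}" = "--fix" ]; then
        fix_world_readable_mbox "$1"
    fi
fi
```

Only the "other" read bit on the files is changed; owner and group access, and files that are not .mbox, are left as they were.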


