Mika Tuupola wrote,
| Of course this worm can spread through your mailing list
| _only_ if you allow attachments. Strip them out and the
| mailing list is safe.

I'll agree with the first sentence but not with the second. As Tim Pierce
has explained, the worm mails itself out From: the To: address of a piece of
email lying around, so an infected list member's system can send it out as
if From: the list. Since these local mail clients repeat the From: address
as the envelope sender, it will also appear to be From_ the list.

Thus other members who receive it from the infected subscriber will believe
that the list sent it to them. Stripping attachments will prevent that from
happening in reality, but not in members' minds, so the list will still not
be safe from their blame and their panic.

Back in October my list's host moved to a new upstream provider, a new IP
address, and a new OS. For several days the list was down as we ironed out
kinks. I sent an announcement directly to list members then, all blind-
carboned with a fake To: line, from one of my other accounts. Today, with
that announcement's subject and with its goofy To: as From:, the account
from which I sent the announcement got a copy of newapt.worm.

The only clue about which member was infected and sent it was the site where
it was injected. It belongs to a retail ISP, and the list has exactly one
subscriber at an address on it. But there may have been others who have
unsubbed or changed their addresses since I sent that announcement out; there
may be others who have accounts on that ISP but don't use that address for
their subscriptions to my list.

The list may not be distributing the worm if you strip attachments, but
infected members, particularly those in individual-message mode, will send
the worm directly to other members, forging headers that make it appear to
have come from the list. I'd hardly call that "safe."
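
The check described above (From: names the list, but the injection site is somewhere else), as an added example that is not part of the original post: it reads the earliest Received header and compares its receiving host with the list's own hosts. The list address, host names and both sample messages are constructed, and the Received chain is assumed to come from mail servers you trust, since anything below the first trusted hop can itself be forged.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed for illustration: the list address and the hosts that inject list mail.
LIST_ADDR = "mylist@lists.example.org"
LIST_HOSTS = {"lists.example.org"}
BY_RE = re.compile(r"\bby\s+([A-Za-z0-9.-]+)", re.I)

def injection_site(msg):
    """Return the 'by' host of the earliest (bottom-most) Received header."""
    received = msg.get_all("Received") or []
    m = BY_RE.search(received[-1]) if received else None
    return m.group(1).lower().rstrip(".") if m else None

def looks_forged_as_list(raw, list_addr=LIST_ADDR, list_hosts=LIST_HOSTS):
    """True when From: names the list but the message was injected elsewhere."""
    msg = message_from_string(raw)
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    if from_addr != list_addr.lower():
        return False
    return injection_site(msg) not in list_hosts

# Constructed sample messages (not real traffic).
GENUINE = """\
Received: from lists.example.org (lists.example.org [192.0.2.10])
\tby mx.member.example.net with ESMTP; Mon, 3 Jan 2000 10:00:02 -0500
Received: from localhost by lists.example.org with SMTP; Mon, 3 Jan 2000 10:00:00 -0500
From: mylist@lists.example.org
Subject: list announcement

text
"""
FORGED = """\
Received: from smtp.retail-isp.example (smtp.retail-isp.example [198.51.100.7])
\tby mx.member.example.net with ESMTP; Mon, 3 Jan 2000 11:00:02 -0500
Received: from memberpc (dialup-12.retail-isp.example [198.51.100.99])
\tby smtp.retail-isp.example with SMTP; Mon, 3 Jan 2000 11:00:00 -0500
From: mylist@lists.example.org
Subject: list announcement

text
"""

if __name__ == "__main__":
    for name, raw in (("genuine", GENUINE), ("forged", FORGED)):
        print(name, looks_forged_as_list(raw))
```

A message with no Received headers at all is also flagged, because nothing ties it to the list's hosts.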