The same as Nancy, I am also seeing viruses (W32Beagle) on moderated Mailman lists since last Friday, March 5th. Here are the mbox headers if anybody has a clue:
> From [EMAIL PROTECTED] Wed Mar 10 01:17:14 2004 > Received: from TOSHIBA-ERIK (ool-4352a0c2.dyn.optonline.net > [67.82.160.194]) > by svr1.nicar.org (8.12.10/8.12.10) with SMTP id > i2A1HCMh013231 for <[EMAIL PROTECTED]>; Wed, 10 Mar 2004 > 01:17:13 GMT > Date: Tue, 09 Mar 2004 20:17:07 -0800 > To: [EMAIL PROTECTED] > From: [EMAIL PROTECTED] > Message-ID: <[EMAIL PROTECTED]> > MIME-Version: 1.0 > Content-Type: multipart/mixed; boundary="--------ymseoxktfqrivsnemwfk" > X-Spam-Status: No, hits=0.3 required=5.0 tests=NO_REAL_NAME,YOU_WON > autolearn=no version=2.60 > X-Spam-Checker-Version: SpamAssassin 2.60 (1.212-2003-09-23-exp) on > svr1.nicar.org > Subject: [AAJAOnline] Weeeeee! ;))) > X-BeenThere: [EMAIL PROTECTED] > X-Mailman-Version: 2.1.3 > Precedence: list > List-Id: AAJAOnline <aajaonline.aaja.org> > List-Unsubscribe: <http://lists.aaja.org/mailman/listinfo/aajaonline>, > <mailto:[EMAIL PROTECTED]> > List-Archive: <http://lists.aaja.org/mailman/private/aajaonline> > List-Post: <mailto:[EMAIL PROTECTED]> > List-Help: <mailto:[EMAIL PROTECTED]> > List-Subscribe: <http://lists.aaja.org/mailman/listinfo/aajaonline>, > <mailto:[EMAIL PROTECTED]> > X-List-Received-Date: Wed, 10 Mar 2004 01:17:14 -0000 Thanks. Ted Peterson IRE/NICAR Web Administrator On Fri, 05 Mar 2004 10:25:24 -0800, Nancy S wrote: Subject: Re: [mailman-users] member-only lists and non-member postings At 11:42 AM 3/5/04 -0500, Dean Karres wrote: >Two days ago we received several spam / virus loaded messages from >obviously fake non-members on a few of our mailing lists. All were >stopped and discarded -- except two. Those two messages were aimed at >out largest mailing list. In the last 48 hours, two messages with faked (nonmember) addresses and virus attachments got through to our member-only lists. Between the first and second attack, I changed the administrator and moderator passwords and I haven't shared the new passwords with anyone. One of the lists is *very* tightly controlled and none of the 3 folks who could post without moderation has reported their system being compromised. The logfiles show nothing but the messages going through as if they had been from unmoderated members of the list (but the sender in the logfile is clearly a nonmember). I don't see anything in the headers of the messages that would indicate why they bypassed the moderator. While this doesn't answer Dean's question about how to compare the configurations of two lists, my gut is telling me the lists are properly configured and something else is going on. Any clues would be appreciated. Thanks! -Nancy ------------------------------------------------------ Mailman-Users mailing list [EMAIL PROTECTED] http://mail.python.org/mailman/listinfo/mailman-users Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
