[linux-elitists] Notify about using the e-mail account.

Don Marti dmarti@zgp.org
Wed Mar 3 08:53:46 PST 2004


begin Modus Operandi quotation of Wed, Mar 03, 2004 at 01:04:08PM -0500:
> In the immortal words of J C Lawrence <claw@kanga.nu>:
> > On Wed, 3 Mar 2004 06:56:33 -0800 
> > Don Marti <dmarti@zgp.org> wrote:
> > 
> > > Not to my knowledge.  I'm looking through headers and the Mailman
> > > config right now.  Anyone else have any ideas here?
> > 
> > Forged SMTP envelope.

...

>   Don, did you find any new evidence in your logs?

It does appear to be a forged SMTP envelope -- from
one address on this list I know is SPF-protected.
Must start checking SPF, not just publishing it.

What I'm wondering is why Mailman didn't block based
on the forged From: address.  There must be something
messed up in my Mailman configuration.

(I'm not at all surprised about the success of
lame-ass social engineering, though.  Some of the
instructions I've seen for manually propagating worms
are much less counterintuitive than documentation
for legit IT activities.)

mail.log:Mar  2 20:28:17 capsicum postfix/smtpd[17104]: 5F23A3FC31: client=user-0cev0i2.cable.mindspring.com[24.239.130.66]
mail.log:Mar  2 20:28:17 capsicum postfix/cleanup[17105]: 5F23A3FC31: message-id=<xigfxhghotnetqpejqy@zgp.org>
mail.log:Mar  2 20:28:18 capsicum postfix/qmgr[374]: 5F23A3FC31: from=<rick@linuxmafia.com>, size=18187, nrcpt=1 (queue active)
mail.log:Mar  2 20:28:18 capsicum postfix/local[17106]: 5F23A3FC31: to=<linux-elitists@zgp.org>, relay=local, delay=1, status=sent ("|/var/lib/mailman/mail/mailman post linux-elitists")

mail.info:Mar  2 20:28:17 capsicum postfix/smtpd[17104]: 5F23A3FC31: client=user-0cev0i2.cable.mindspring.com[24.239.130.66]
mail.info:Mar  2 20:28:17 capsicum postfix/cleanup[17105]: 5F23A3FC31: message-id=<xigfxhghotnetqpejqy@zgp.org>
mail.info:Mar  2 20:28:18 capsicum postfix/qmgr[374]: 5F23A3FC31: from=<rick@linuxmafia.com>, size=18187, nrcpt=1 (queue active)
mail.info:Mar  2 20:28:18 capsicum postfix/local[17106]: 5F23A3FC31: to=<linux-elitists@zgp.org>, relay=local, delay=1, status=sent ("|/var/lib/mailman/mail/mailman post linux-elitists")

-- 
Don Marti                       Plain text email only, please.
Editor in Chief                 dmarti@linuxjournal.com
Linux Journal                   510-814-0932
http://linuxjournal.com/        Linux Journal editorial office: 206-782-9011
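
The check the message says is missing (checking SPF, not just publishing it), sketched as an added example that is not part of the original post or of Postfix/Mailman: it joins the quoted Postfix records on the queue ID and tests the connecting client IP against the envelope sender's SPF policy. The policy text in `SPF_TXT` is constructed for illustration (a real check fetches the TXT record from DNS), and only the `ip4`/`ip6`/`all` mechanisms are evaluated.

```python
import ipaddress
import re
from collections import defaultdict

# Log records quoted in the post (file-name prefix dropped).
LOG = """\
Mar  2 20:28:17 capsicum postfix/smtpd[17104]: 5F23A3FC31: client=user-0cev0i2.cable.mindspring.com[24.239.130.66]
Mar  2 20:28:17 capsicum postfix/cleanup[17105]: 5F23A3FC31: message-id=<xigfxhghotnetqpejqy@zgp.org>
Mar  2 20:28:18 capsicum postfix/qmgr[374]: 5F23A3FC31: from=<rick@linuxmafia.com>, size=18187, nrcpt=1 (queue active)
"""
# CONSTRUCTED policy (assumption): 192.0.2.0/24 is a documentation range,
# not the domain's real SPF record.
SPF_TXT = {"linuxmafia.com": "v=spf1 ip4:192.0.2.0/24 -all"}

LINE = re.compile(r"postfix/(\w+)\[\d+\]: ([0-9A-F]+): (.*)$")
CLIENT = re.compile(r"client=(\S+)\[([0-9a-fA-F.:]+)\]")
SENDER = re.compile(r"from=<([^>]*)>")

def sessions(log_text):
    """Join smtpd (client IP) and qmgr (envelope sender) records on queue ID."""
    out = defaultdict(dict)
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        daemon, qid, rest = m.groups()
        if daemon == "smtpd" and (c := CLIENT.search(rest)):
            out[qid]["host"], out[qid]["ip"] = c.groups()
        elif daemon == "qmgr" and (s := SENDER.search(rest)):
            out[qid]["sender"] = s.group(1)
    return dict(out)

def spf_result(ip, sender, records=SPF_TXT):
    """First matching ip4/ip6/all term decides; other mechanisms are skipped."""
    txt = records.get(sender.rpartition("@")[2].lower())
    if not txt or not txt.startswith("v=spf1"):
        return "none"  # domain publishes no policy we know of
    addr = ipaddress.ip_address(ip)
    for term in txt.split()[1:]:
        qual = term[0] if term[0] in "+-~?" else "+"
        kind, _, value = term.lstrip("+-~?").partition(":")
        hit = kind == "all" or (kind in ("ip4", "ip6")
                                and addr in ipaddress.ip_network(value, strict=False))
        if hit:
            return {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}[qual]
    return "neutral"

def audit(log_text):
    """Map each queue ID with both a client IP and a sender to its SPF result."""
    return {qid: spf_result(s["ip"], s["sender"])
            for qid, s in sessions(log_text).items() if "ip" in s and "sender" in s}
```
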


