Re: [ISN] Majordomo Could Mean Major Spam

From: N407ER (n407er_at_myrealbox.com)
Date: 09/12/03

    Date: Fri, 12 Sep 2003 10:43:20 -0400
    To: David@cawdgw.net

    I suppose I should disclaim this by saying that I don't get spam at this
    address. I don't know if you are wrong about bugtraq, or myrealbox's
    spam filters are just really good, but I've posted to the list a couple
    of times and only gotten out-of-office replies.

    That said, I use a little spam-bot-trap on my website to protect pages
    with e-mail addresses. The logic is that you create a page linked to by,
    say, a 1px transparent gif. You then put a "deny" to this page in your
    robots.txt. Thus, humans won't click it, and only ill-behaved bots will
    go to it. You deny access to your contact page as well--so googlebot
    doesn't archive it, etc--and you block IPs that visit the other deny page.

    I use a modified version of the php bottrap from kloth.net, but you
    could easily do this with perl and your firewall ruleset, apache access
    controls, etc. Tight security isn't really necessary here, IMO, since
    the spammers are unlikely to try very hard to defeat this method; if
    they program the bots to follow robots.txt, say, then you're fine.

    Some people will redirect the bots to a script like wpoison that
    generates page after page of fake emails to "poison" the lists. My
    experience is that the bots don't fall for these; they don't reload the
    sub-pages (just the same page with a different trailing argument) like
    they are expected to. Others also argue that this generates a ton of
    traffic on the Internet to these fake addresses; my feeling is that
    since the domains are fake, the only real traffic is between the spammer
    and his ISP, and neither deserve much sympathy.

    David wrote:
    > Folks, if you use this list and use a real email address (kinda impossible
    > not to, eh?) then you end up in Bugtraq's web page BY EMAIL ADDRESS anytime
    > you post. Spammers obviously spider the web site regularly. I get an average
    > of 80 subject related emails a day from the two lists on bugtraq I want. I
    > average 10-20 spams, mostly viagra, loan, pharmaceutical, and "I've got a
    > couple million here in Nigeria, and I need your help"s.
    >
    > I don't see how they can have the archives safe from spiders unless:
    >
    > Bugtraq starts saving their archives as JPGs or such.
    >
    > I personally love the idea. Bugtraq will hate it because:
    >
    > They don't get the spam. They would have to convert the mess to pictures.
    > Wasted time in their minds.
    >
    > I'd LOVE it.
    >
    > Moderator, what's the official stand of bugtraq?
    >
    > Dave
    > CCNA/MCSE
    >
    > -----Original Message-----
    > From: Jay Woody [mailto:jay_woody@tnb.com]
    > Sent: Monday, September 08, 2003 4:57 PM
    > To: security-basics@securityfocus.com
    > Subject: Fwd: [ISN] Majordomo Could Mean Major Spam
    >
    >
    > Seems like every other week, someone sends a note to a list I am on that
    > says, "I don't use this account for anything but lists and now it is
    > getting spam." This may be why. If you are running a list using
    > majordomo, here is some info you may want to be aware of.
    >
    > JayW
    >
    >
    >>>>InfoSec News <isn@c4i.org> 09/08/03 12:20AM >>>
    >
    > http://www.pc-radio.com/majordomo.html
    >
    > By Brian McWilliams
    > PC-Radio.com
    > September 7, 2003
    >
    > Getting lots of spam? Perhaps Majordomo is partly to blame.
    >
    > Numerous high-profile sites running the free Majordomo mailing list
    > server are vulnerable to an "information leakage" attack first
    > reported nearly a decade ago.
    >
    > The technique allows anyone to grab a list of subscriber addresses
    > using a little-known but documented feature in the Majordomo server
    > software.
    >
    > A quick survey easily turned up dozens of e-mail lists ripe for
    > harvesting by the technique, which involves sending a standard command
    > to a Majordomo server via e-mail. Among the vulnerable list operators
    > were government, military, commercial, and educational organizations.
    >
    > The Majordomo "which" command was originally designed to allow list
    > administrators and subscribers to see who is on a mailing list.
    >
    > But the technique could also enable spammers to collect addresses that
    > are effectively unpublished and not previously available through
    > current spam extraction tools.
    >
    > "This bug could be used by evil spammers to fill their databases,"
    > wrote security researcher Marco van Berkum in an advisory published
    > last February about the potential privacy problem. Van Berkum rated the
    > vulnerability "high" impact.
    >
    > Over 12,000 e-mails, most of them ending in "dot-gov" and "dot-mil"
    > were easily accessible by sending the "which" command in an e-mail to
    > a Majordomo server operated by the National Aeronautics and Space
    > Administration. Addresses were organized according to list topics,
    > such as "code-w-investigators" and "nasa-dcfos-finance." NASA
    > officials disabled the command after being alerted to the spam threat
    > this week.
    >
    > Even some information technology-savvy companies were susceptible to
    > the collection technique. A West-coast Internet service provider's
    > open Majordomo server provided over 150,000 e-mails in response to the
    > command. A Majordomo server hosted by a large computer networking
    > manufacturer responded to "which" commands by returning a list of more
    > than 43,000 e-mail addresses of customers and other Internet users.
    > Neither firm acknowledged warnings about the e-mail harvesting threat.
    >
    > Sun Microsystems offered up more than 6,500 e-mail addresses of
    > Internet users who had subscribed to discussion lists dedicated to a
    > variety of technology topics. After Sun was notified about the
    > vulnerability, the company's Majordomo server was unreachable Friday.
    >
    > According to Brent Chapman, founder of Great Circle Associates, which
    > created Majordomo in 1992, the "which" feature was developed at a time
    > when programmers "were far less concerned about spammers harvesting
    > e-mail addresses than people are today."
    >
    > By default, installations of Majordomo version 1 are configured to
    > accept the "which" command. An independently developed successor,
    > Majordomo 2, is not vulnerable to the extraction technique.
    >
    > While some administrators may leave the feature enabled on purpose,
    > many appear unaware of the potential vulnerability in Majordomo, which
    > is currently in use at "several hundred thousand" sites, according to
    > Chapman.
    >
    > At present, junk e-mailers rely primarily on mailing lists compiled by
    > automated tools that extract e-mail addresses from public Web pages
    > and Usenet discussion groups. The resulting lists are typically sorted
    > into broad categories, such as "AOL" or "Hotmail" or "global
    > Internet."
    >
    > Universities typically protect their online directories from such data
    > collection by spammers, yet Majordomo installations at several higher
    > education institutions allowed open access via the "which" command. A
    > list of nearly 33,000 e-mail addresses was available from a large
    > eastern university's Majordomo server. Some 14,500 e-mail addresses
    > were available from an Ivy League college's server. Computing
    > administrators at the two institutions did not immediately respond to
    > warnings about the potential problems.
    >
    > Chapman said he first became aware of Majordomo's potential security
    > flaw in 1993. In 1996 he published instructions on a mailing list for
    > Majordomo administrators about how to disable the feature. However,
    > the potential problems raised by the "which" command are not mentioned
    > in the documentation currently included with the software.
    >
    > In 1999 a Majordomo user reported that the default installation of the
    > software allows list subscribers to be extracted, and noted that
    > "several" installations were vulnerable.
    >
    > Great Circle discontinued development of Majordomo with version 1.94.5
    > in 2000 and no longer supports the software, although the company
    > continues to distribute it for free as a public service, Chapman said.
    >
    >
    > By examining e-mail message headers for the term "Majordomo," list
    > subscribers may be able to identify whether their discussions are
    > being hosted by a Majordomo server. Administrators of the server can
    > often be reached via the user name "Majordomo-owner@" followed by the
    > server's address.
    >
    >
    >
    > -
    > ISN is currently hosted by Attrition.org
    >
    > To unsubscribe email majordomo@attrition.org with 'unsubscribe isn'
    > in the BODY of the mail.
    >
    >
    >
    > ---------------------------------------------------------------------------
    > Captus Networks
    > Are you prepared for the next Sobig & Blaster?
    > - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans
    > - Precisely Define and Implement Network Security
    > - Automatically Control P2P, IM and Spam Traffic
    > FIND OUT NOW - FREE Vulnerability Assessment Toolkit
    > http://www.captusnetworks.com/ads/42.htm
    > ----------------------------------------------------------------------------

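An added example of the bot-trap logic described in the reply above, written for this page and not taken from the original post or from the kloth.net script it mentions: it verifies that the trap path really is disallowed in robots.txt (otherwise a polite crawler could hit it by accident), pulls the client addresses that fetched the trap out of Apache combined-format log lines, and renders Apache deny directives for them. The /trap/ path, the robots.txt, the log lines and the addresses are all constructed.

```python
import re
from urllib.parse import urlparse

# Constructed robots.txt: trap directory and contact page are both disallowed.
ROBOTS_TXT = """User-agent: *
Disallow: /trap/
Disallow: /contact.html
"""
TRAP_PREFIX = "/trap/"  # hypothetical path behind the 1px transparent gif link

# Constructed Apache combined-format log lines (RFC 5737 documentation addresses).
ACCESS_LOG = """\
203.0.113.5 - - [12/Sep/2003:10:43:20 -0400] "GET /index.html HTTP/1.0" 200 1234 "-" "EmailSiphon"
203.0.113.5 - - [12/Sep/2003:10:43:21 -0400] "GET /trap/index.html HTTP/1.0" 200 12 "-" "EmailSiphon"
203.0.113.5 - - [12/Sep/2003:10:43:22 -0400] "GET /contact.html HTTP/1.0" 200 800 "-" "EmailSiphon"
198.51.100.9 - - [12/Sep/2003:10:44:00 -0400] "GET /robots.txt HTTP/1.0" 200 60 "-" "Googlebot/2.1"
192.0.2.77 - - [12/Sep/2003:10:45:00 -0400] "GET /index.html HTTP/1.0" 200 1234 "-" "Mozilla/5.0"
"""
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')


def disallowed_prefixes(robots_txt):
    """Minimal robots.txt parse: Disallow prefixes in the 'User-agent: *' record."""
    prefixes, applies = [], False
    for line in robots_txt.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "user-agent":
            applies = value == "*"
        elif key == "disallow" and applies and value:
            prefixes.append(value)
    return prefixes


def trap_visitors(log_text, robots_txt, trap_prefix=TRAP_PREFIX):
    """IPs that fetched the trap. The trap is disallowed in robots.txt, so a
    well-behaved crawler never reaches it; whoever does is ignoring robots.txt."""
    if not any(trap_prefix.startswith(p) for p in disallowed_prefixes(robots_txt)):
        raise ValueError("trap path must be disallowed in robots.txt, or it traps nothing")
    hits = set()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and urlparse(m.group("path")).path.startswith(trap_prefix):
            hits.add(m.group("ip"))
    return hits


def htaccess_deny(ips):
    """Render Apache 'Order/Deny' access-control directives for the trapped addresses."""
    return "\n".join(["Order Allow,Deny", "Allow from all"] + [f"Deny from {ip}" for ip in sorted(ips)])
```

Only the client that ignored robots.txt and fetched the trap ends up in the deny list; the crawler that read robots.txt and stayed away, and the ordinary visitor, are untouched.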