Security Basics mailing list archives

RE: [ISN] Majordomo Could Mean Major Spam

From: "David" <David () cawdgw net>
Date: Tue, 9 Sep 2003 18:25:58 +0200

Folks, if you use this list and use a real email address (kinda impossible
not to, eh?) then you end up in Bugtraq's web page BY EMAIL ADDRESS anytime
you post. Spammers obviously spider the web site regularly. I get an average
of 80 subject related emails a day from the two lists on bugtraq I want. I
average 10-20 spams, mostly viagra, loan, pharmaceutical, and "I've go a
couple million here in Nigeria, and I need your help"s.

I don't see how they can have the archives safe from spiders unless:

Bugtraq starts saving their archives as JPGs or such.

I personally love the idea. Bugtraq will hate it because:

They don't get the spam. They would have to convert the mess to pictures.
Wasted time in their minds.

I'd LOVE it.

Moderator, whats the official stand of bugtraq?

Dave
CCNA/MCSE

-----Original Message-----
From: Jay Woody [mailto:jay_woody () tnb com]
Sent: Monday, September 08, 2003 4:57 PM
To: security-basics () securityfocus com
Subject: Fwd: [ISN] Majordomo Could Mean Major Spam


Seems like every other week, someone sends a note to a list I am on that
says, "I don't use this account for anything but lists and now it is
getting spam."  This may be why.  If you are running a list using
majordomo, here is some info you may want to be aware of.

JayW

InfoSec News <isn () c4i org> 09/08/03 12:20AM >>>

http://www.pc-radio.com/majordomo.html

By Brian McWilliams
PC-Radio.com
September 7, 2003

Getting lots of spam? Perhaps Majordomo is partly to blame.

Numerous high-profile sites running the free Majordomo mailing list
server are vulnerable to an "information leakage" attack first
reported nearly a decade ago.

The technique allows anyone to grab a list of subscriber addresses
using a little-known but documented feature in the Majordomo server
software.

A quick survey easily turned up dozens of e-mail lists ripe for
harvesting by the technique, which involves sending a standard command

to a Majordomo server via e-mail. Among the vulnerable list operators
were government, military, commercial, and educational organizations.

The Majordomo "which" command was originally designed to allow list
administrators and subscribers to see who is on a mailing list.

But the technique could also enable spammers to collect addresses that

are effectively unpublished and not previously available through
current spam extraction tools.

"This bug could be used by evil spammers to fill their databases,"
wrote security researcher Marco van Berkum in an advisory published
last February about the potential privacy problem. Barkum rated the
vulnerability "high" impact.

Over 12,000 e-mails, most of them ending in "dot-gov" amd "dot-mil"
were easily accessible by sending the "which" command in an e-mail to
a Majordomo server operated by the National Aeronautics and Space
Administration. Addresses were organized according to list topics,
such as "code-w-investigators" and "nasa-dcfos-finance." NASA
officials disabled the command after being alerted to the spam threat
this week.

Even some information technology-savvy companies were susceptible to
the collection technique. A West-coast Internet service provider's
open Majordomo server provided over 150,000 e-mails in response to the

command. A Majordomo server hosted by a large computer networking
manufacturer responded to "which" commands by returning a list of more

than 43,000 e-mail addresses of customers and other Internet users.
Neither firm acknowledged warnings about the e-mail harvesting threat.

Sun Microsystems offered up more than 6,500 e-mail addresses of
Internet users who had subscribed to discussion lists dedicated to a
variety of technology topics. After Sun was notified about the
vulnerability, the company's Majordomo server was unreachable Friday.

According to Brent Chapman, founder of Great Circle Associates, which
created Majordomo in 1992, the "which" feature was developed at a time

when programmers "were far less concerned about spammers harvesting
e-mail addresses than people are today."

By default, installations of Majordomo version 1 are configured to
accept the "which" command. An independently developed successor,
Majordomo 2, is not vulnerable to the extraction technique.

While some administrators may leave the feature enabled on purpose,
many appear unaware of the potential vulnerability in Majordomo, which

is currently in use at "several hundred thousand" sites, according to
Chapman.

At present, junk e-mailers rely primarily on mailing lists compiled by

automated tools that extract e-mail addresses from public Web pages
and Usenet discussion groups. The resulting lists are typically sorted

into broad categories, such as "AOL" or "Hotmail" or "global
Internet."

Universities typically protect their online directories from such data

collection by spammers, yet Majordomo installations at several higher
education institutions allowed open access via the "which" command. A
list of nearly 33,000 e-mail addresses was available from a large
eastern university's Majordomo server. Some 14,500 e-mail addresses
were available from an Ivy League college's server. Computing
administrators at the two institutions did not immediately respond to
warnings about the potential problems.

Chapman said he first became aware of Majordomo's potential security
flaw in 1993. In 1996 he published instructions on a mailing list for
Majordomo administrators about how to disable the feature. However,
the potential problems raised by the "which" command are not mentioned

in the documentation currently included with the software.

In 1999 a Majordomo user reported that the default installation of the

software allows list subscribers to be extracted, and noted that
"several" installations were vulnerable.

Great Circle discontinued development of Majordomo with version 1.94.5

in 2000 and no longer supports the software, although the company
continues to distribute it for free as a public service, Chapman said.


By examining e-mail message headers for the term "Majordomo," list
subscribers may be able to identify whether their discussions are
being hosted by a Majordomo server. Administrators of the server can
often be reached via the user name " Majordomo-owner@" followed by the

server's address.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.



---------------------------------------------------------------------------
Captus Networks
Are you prepared for the next Sobig & Blaster?
 - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans
 - Precisely Define and Implement Network Security
 - Automatically Control P2P, IM and Spam Traffic
FIND OUT NOW -  FREE Vulnerability Assessment Toolkit
http://www.captusnetworks.com/ads/42.htm
----------------------------------------------------------------------------




---------------------------------------------------------------------------
Captus Networks 
Are you prepared for the next Sobig & Blaster? 
 - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans 
 - Precisely Define and Implement Network Security 
 - Automatically Control P2P, IM and Spam Traffic 
FIND OUT NOW -  FREE Vulnerability Assessment Toolkit 
http://www.captusnetworks.com/ads/42.htm
----------------------------------------------------------------------------

Current thread:

Fwd: [ISN] Majordomo Could Mean Major Spam Jay Woody (Sep 08)
- Re: Fwd: [ISN] Majordomo Could Mean Major Spam Kelly Martin (Sep 08)
- RE: [ISN] Majordomo Could Mean Major Spam David (Sep 09)
  - SF archives (was: RE: Majordomo Could Mean Major Spam) Kelly Martin (Sep 09)
  - Re: [ISN] Majordomo Could Mean Major Spam Ansgar Wiechers (Sep 10)
  - Re: [ISN] Majordomo Could Mean Major Spam N407ER (Sep 12)
- <Possible follow-ups>
- RE: [ISN] Majordomo Could Mean Major Spam Brian Dunbar (Sep 09)