[BlueOnyx:08512] Re: 5106R Majordomo vulnerability?

Michael Stauber mstauber at blueonyx.it
Mon Sep 19 11:49:21 -05 2011


Hi Chris,

> A customer server showed up on the UCEPROTECT list overnight, and it 
> looks like Majordomo played a role.  UCEPROTECT gives a timestamp of the 
> message that causes a listing, so that makes it pretty easy to look up 
> in the logs.
> 
> A quick scan of the maillog shows the only thing going on at the time 
> was an apparent submission to a mailing list from an external email 
> address.  The really curious thing is that no mailing lists are enabled 
> for the domain!   Not only that, but there is no MX record for the 
> domain.   There are also no users.
> 
> That tells me that anything sent to the domain should immediately have 
> been rejected, right?  But instead the box accepted some piece of email 
> that bounced to a backscatter trap

Yeah, I can see how that happened, Chris.

Even if you don't have a Majordomo list set up for the site in question, 
Majordomo adds lines like you see below for every site to 
/etc/mail/virtusertable:

majordomo@www.site3.com       site3-majordomo
majordomo-owner@www.site3.com site3-majordomo-owner
owner-majordomo@www.site3.com site3-owner-majordomo

So when someone mails to these aliases, the mail gets fed into Majordomo, 
which realizes "Hmkay, no list set up for this domain!" and which then 
generates an NDA message back to the sender.

If the sender address is spoofed, then the NDA nonetheless gets sent back to 
the sender address specified in the initial email (assuming it is a working 
address).

With Mailman installed (instead of Majordomo) we don't have any entries in the 
virtusertable unless there is a real list active for the site.

BUT: If you (or someone else) would email to list@www.anysite.com, this would 
also generate an NDA, because there is no such alias or mailbox.

However, in this case the NDA would be generated at the mailserver where the 
email originally came from, not on your box.

So yes, somehow we probably should get rid of the majordomo lines in 
/etc/mail/virtusertable if there is no mailing list set up for the site 
anyway.

Some people suggest turning off NDAs in the MTA, which I think is a bad idea 
and violates RFC822 anyway.

Suggested fixes (several different approaches):

a) Uninstall Majordomo
b) Or convert from Majordomo to Mailman
c) Or remove Majordomo aliases from /etc/mail/virtusertable if that site 
doesn't use Majordomo

-- 
With best regards

Michael Stauber
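Fix (c) above, removing the three Majordomo catch-all aliases from /etc/mail/virtusertable for every site that has no Majordomo list, as an added example that is not part of the original post or of BlueOnyx's own code. The virtusertable content and the keep-list of sites with real lists are constructed sample data; on a live system the keep-list would be derived from the Majordomo lists directory, and the file path, the `prune_majordomo_aliases` and `count_pruned` names are this example's own.

```shell
#!/bin/sh
# Constructed sample virtusertable (not copied from any real system).
# www.site1.com has a real Majordomo list ("mylist"); www.site3.com has none,
# yet it still carries the three Majordomo aliases that turn spoofed mail
# into backscatter bounces.
SAMPLE_VIRTUSERTABLE='majordomo@www.site1.com       site1-majordomo
majordomo-owner@www.site1.com site1-majordomo-owner
owner-majordomo@www.site1.com site1-owner-majordomo
mylist@www.site1.com          site1-mylist
majordomo@www.site3.com       site3-majordomo
majordomo-owner@www.site3.com site3-majordomo-owner
owner-majordomo@www.site3.com site3-owner-majordomo
webmaster@www.site3.com       site3-webmaster'

# Sites that actually have a Majordomo list configured (constructed keep-list).
SITES_WITH_LISTS='www.site1.com'

# prune_majordomo_aliases <virtusertable text> <space-separated sites to keep>
# Prints the table with the majordomo / majordomo-owner / owner-majordomo
# aliases dropped for every domain NOT in the keep-list. Every other entry,
# including the Majordomo aliases of sites that do have lists, passes through.
prune_majordomo_aliases() {
    printf '%s\n' "$1" | awk -v keep="$2" '
        BEGIN {
            n = split(keep, arr, " ")
            for (i = 1; i <= n; i++) keepdom[arr[i]] = 1
        }
        {
            # left-hand column is the address: split into local part and domain
            split($1, parts, "@")
            lp = parts[1]; dom = parts[2]
            is_md = (lp == "majordomo" || lp == "majordomo-owner" || lp == "owner-majordomo")
            if (is_md && !(dom in keepdom)) next
            print
        }'
}

# count_pruned <virtusertable text> <sites to keep>
# Dry-run helper: how many alias lines the pruning would remove.
count_pruned() {
    before=$(printf '%s\n' "$1" | grep -c .)
    after=$(prune_majordomo_aliases "$1" "$2" | grep -c .)
    echo $((before - after))
}

# Stand-alone run: report the dry-run count, then show the cleaned table.
echo "Majordomo aliases to remove: $(count_pruned "$SAMPLE_VIRTUSERTABLE" "$SITES_WITH_LISTS")"
prune_majordomo_aliases "$SAMPLE_VIRTUSERTABLE" "$SITES_WITH_LISTS"
```

To apply this to a real sendmail host, feed the actual file through `prune_majordomo_aliases`, write the result back to /etc/mail/virtusertable, and rebuild the map with sendmail's standard `makemap hash /etc/mail/virtusertable < /etc/mail/virtusertable`. Since BlueOnyx manages that file itself, a one-off edit may be regenerated by the GUI; the post's options (a) and (b) avoid that by removing the source of the aliases altogether.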


