[BlueOnyx:08512] Re: 5106R Majordomo vulnerability?
mstauber at blueonyx.it
Mon Sep 19 11:49:21 PET 2011
> A customer server showed up on the UCEPROTECT list overnight, and it
> looks like Majordomo played a role. UCEPROTECT gives a timestamp of the
> message that causes a listing, so that makes it pretty easy to look up
> in the logs.
> A quick scan of the maillog shows the only thing going on at the time
> was an apparent submission to a mailing list from an external email
> address. The really curious thing is that no mailing lists are enabled
> for the domain! Not only that, but there is no MX record for the
> domain. There are also no users.
> That tells me that anything sent to the domain should immediately have
> been rejected, right? But instead the box accepted some piece of email
> that bounced to a backscatter trap
Yeah, I can see how that happened, Chris.
Even if you don't have a Majordomo list set up for the site in question,
Majordomo adds lines like you see below for every site to
    majordomo at www.site3.com          site3-majordomo
    majordomo-owner at www.site3.com    site3-majordomo-owner
    owner-majordomo at www.site3.com    site3-owner-majordomo
So when someone mails to these aliases, the mail gets fed into Majordomo,
which realizes "Hmkay, no list set up for this domain!" and which then
generates an NDA message back to the sender.
If the sender address is spoofed, then the NDA nonetheless gets sent back to
the sender address specified in the initial email (assuming it is a working
With Mailman installed (instead of Majordomo) we don't have any entries in the
virtusertable unless there is a real list active for the site.
BUT: If you (or someone else) would email to list at www.anysite.com, this would
also generate an NDA, because there is no such alias or mailbox.
However, in this case the NDA would be generated at the mailserver where the
email originally came from, not on your box.
So yes, somehow we probably should get rid of the majordomo lines in
/etc/mail/virtusertable if there is no mailing list set up for the site.
Some people suggest turning off NDAs in the MTA, which I think is a bad idea
and violates RFC822 anyway.
Suggested fixes (several different approaches):
a) Uninstall Majordomo
b) Or convert from Majordomo to Mailman
c) Or remove Majordomo aliases from /etc/mail/virtusertable if that site
doesn't use Majordomo
With best regards
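Added example (not from the BlueOnyx project or the mail above) showing how fix c) could be checked and applied: it parses virtusertable-style lines, flags the majordomo/majordomo-owner/owner-majordomo aliases of domains that have no active list, and returns the table with those lines dropped. The sample table and the set of domains with active lists are constructed for the demo.

```python
# Constructed sample in sendmail virtusertable layout, modelled on the three
# lines quoted above for www.site3.com; not a real file.
SAMPLE_VIRTUSERTABLE = """\
# virtusertable: virtual address -> local alias
majordomo@www.site3.com        site3-majordomo
majordomo-owner@www.site3.com  site3-majordomo-owner
owner-majordomo@www.site3.com  site3-owner-majordomo
majordomo@www.site4.com        site4-majordomo
majordomo-owner@www.site4.com  site4-majordomo-owner
owner-majordomo@www.site4.com  site4-owner-majordomo
webmaster@www.site4.com        admin
"""

# The three local parts Majordomo gets wired up for every site.
MAJORDOMO_LOCALPARTS = {"majordomo", "majordomo-owner", "owner-majordomo"}


def parse_virtusertable(text):
    """Yield (virtual_address, target) pairs; blank lines and # comments are skipped."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            yield parts[0].lower(), parts[1].strip()


def stray_majordomo_aliases(text, domains_with_lists):
    """Majordomo aliases for domains with no active list: mail to these only
    ends up as a bounce to the (possibly spoofed) sender, i.e. backscatter."""
    active = {d.lower() for d in domains_with_lists}
    stray = []
    for addr, target in parse_virtusertable(text):
        if "@" not in addr:
            continue
        local, domain = addr.rsplit("@", 1)
        if local in MAJORDOMO_LOCALPARTS and domain not in active:
            stray.append((addr, target))
    return stray


def strip_stray_aliases(text, domains_with_lists):
    """Return the table text with the stray alias lines removed, everything else untouched."""
    drop = {addr for addr, _ in stray_majordomo_aliases(text, domains_with_lists)}
    kept = []
    for line in text.splitlines():
        entry = list(parse_virtusertable(line))
        if entry and entry[0][0] in drop:
            continue
        kept.append(line)
    return "\n".join(kept) + "\n"
```

After writing the cleaned text back to /etc/mail/virtusertable on a sendmail host, the hash map still has to be rebuilt with makemap before the change takes effect.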