majordomo vulnerability

invaderjim

I discovered an interesting vulnerability (rather, spammers did) that I hope someone has an idea how to fix:

This is for a password protected moderated list... If you send a message to majordomo@domain.com with listname-out@domain.com as your reply-to address, the error message will be sent to the addresses on the list. I'll ask about it on Majordomo's list as well, but wanted to see if anyone here was aware of it, too. And had an idea of how to handle it, whether through modifying Majordomo stuff, or some other means.

Thanks!
 
It's a known vulnerability and has been for years. Be sure to subscribe to each of your lists, to know if/when it happens. The majordomo-users list archives should have some ideas as to how to change listname-out to something else. Some may have even been written by me years ago; we used to use Majordomo in a commercial list service we ran.

Unfortunately the answers will probably only be there for Sendmail, but you should be able to figure it out for exim.

Jeff
 
I didn't think I was the first to discover it, but it was news to me! So since I am behind the times, are there any other vulnerabilities I should know about? (And do you have an idea of what year you may have posted to the MD list? :)

Thanks - Jim
 
Somewhere between five and ten years ago; I think we stopped offering commercial mail-list services sometime in 2001. And I'm not sure if I posted it there, responded to the thread, or just read it there.

I don't know of any other holes in Majordomo.

Jeff
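
An added example, not from the thread or from Majordomo itself: a pre-delivery check a mail admin could run in front of the majordomo@ command address, refusing any message whose reply address is a local list-expansion alias. It assumes the automated reply goes to Reply-To and falls back to From; the domain and list name are the placeholders used in the first post, and the sample messages are constructed.

```python
from email import message_from_string
from email.utils import getaddresses

# Placeholders from the first post; replace with the real local domains and lists.
LOCAL_DOMAINS = {"domain.com"}
LISTS = {"listname"}
# Suffix of the alias that expands to the subscriber file ("-out" in the thread).
# Add any other expansion aliases configured on the server.
EXPANSION_SUFFIXES = ("-out",)


def reply_targets(msg):
    """Addresses an automated reply would use (assumed: Reply-To, else From)."""
    for header in ("Reply-To", "From"):
        addrs = [a.lower() for _, a in getaddresses(msg.get_all(header, [])) if a]
        if addrs:
            return addrs
    return []


def is_expansion_alias(addr):
    """True if addr is <list><suffix>@<local domain>."""
    local, _, domain = addr.rpartition("@")
    if domain not in LOCAL_DOMAINS:
        return False
    return any(local == name + suffix
               for name in LISTS for suffix in EXPANSION_SUFFIXES)


def blocked_reply_targets(raw_message):
    """Return the reply addresses that would fan out to list subscribers."""
    msg = message_from_string(raw_message)
    return [a for a in reply_targets(msg) if is_expansion_alias(a)]


def make_sample(from_addr, reply_to=None):
    """Build a constructed command message addressed to majordomo@domain.com."""
    headers = ["From: " + from_addr, "To: majordomo@domain.com", "Subject: x"]
    if reply_to:
        headers.append("Reply-To: " + reply_to)
    return "\n".join(headers) + "\n\nnot a valid command\n"


if __name__ == "__main__":
    for raw in (make_sample("user@example.org"),
                make_sample("x@example.net", "Listname-Out@Domain.COM"),
                make_sample("List <listname-out@domain.com>")):
        hits = blocked_reply_targets(raw)
        print("REJECT" if hits else "accept", hits)
```

A non-empty result means the message should be rejected or discarded before Majordomo sees it, so no error reply is generated at all.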
 