http://www.pc-radio.com/majordomo.html

By Brian McWilliams
PC-Radio.com
September 7, 2003

Getting lots of spam? Perhaps Majordomo is partly to blame.

Numerous high-profile sites running the free Majordomo mailing list server are vulnerable to an "information leakage" attack first reported nearly a decade ago. The technique allows anyone to grab a list of subscriber addresses using a little-known but documented feature in the Majordomo server software.

A quick survey easily turned up dozens of e-mail lists ripe for harvesting by the technique, which involves sending a standard command to a Majordomo server via e-mail. Among the vulnerable list operators were government, military, commercial, and educational organizations.

The Majordomo "which" command was originally designed to allow list administrators and subscribers to see who is on a mailing list. But the technique could also enable spammers to collect addresses that are effectively unpublished and not previously available through current spam extraction tools.

"This bug could be used by evil spammers to fill their databases," wrote security researcher Marco van Berkum in an advisory published last February about the potential privacy problem. Van Berkum rated the vulnerability "high" impact.

Over 12,000 e-mail addresses, most of them ending in "dot-gov" and "dot-mil", were easily accessible by sending the "which" command in an e-mail to a Majordomo server operated by the National Aeronautics and Space Administration. Addresses were organized according to list topics, such as "code-w-investigators" and "nasa-dcfos-finance." NASA officials disabled the command after being alerted to the spam threat this week.

Even some information technology-savvy companies were susceptible to the collection technique. A West Coast Internet service provider's open Majordomo server provided over 150,000 e-mail addresses in response to the command.
A Majordomo server hosted by a large computer networking manufacturer responded to "which" commands by returning a list of more than 43,000 e-mail addresses of customers and other Internet users. Neither firm acknowledged warnings about the e-mail harvesting threat.

Sun Microsystems offered up more than 6,500 e-mail addresses of Internet users who had subscribed to discussion lists dedicated to a variety of technology topics. After Sun was notified about the vulnerability, the company's Majordomo server was unreachable Friday.

According to Brent Chapman, founder of Great Circle Associates, which created Majordomo in 1992, the "which" feature was developed at a time when programmers "were far less concerned about spammers harvesting e-mail addresses than people are today."

By default, installations of Majordomo version 1 are configured to accept the "which" command. An independently developed successor, Majordomo 2, is not vulnerable to the extraction technique.

While some administrators may leave the feature enabled on purpose, many appear unaware of the potential vulnerability in Majordomo, which is currently in use at "several hundred thousand" sites, according to Chapman.

At present, junk e-mailers rely primarily on mailing lists compiled by automated tools that extract e-mail addresses from public Web pages and Usenet discussion groups. The resulting lists are typically sorted into broad categories, such as "AOL" or "Hotmail" or "global Internet."

Universities typically protect their online directories from such data collection by spammers, yet Majordomo installations at several higher education institutions allowed open access via the "which" command. A list of nearly 33,000 e-mail addresses was available from a large eastern university's Majordomo server. Some 14,500 e-mail addresses were available from an Ivy League college's server. Computing administrators at the two institutions did not immediately respond to warnings about the potential problems.
Chapman said he first became aware of Majordomo's potential security flaw in 1993. In 1996 he published instructions on a mailing list for Majordomo administrators about how to disable the feature. However, the potential problems raised by the "which" command are not mentioned in the documentation currently included with the software.

In 1999 a Majordomo user reported that the default installation of the software allows list subscribers to be extracted, and noted that "several" installations were vulnerable.

Great Circle discontinued development of Majordomo with version 1.94.5 in 2000 and no longer supports the software, although the company continues to distribute it for free as a public service, Chapman said.

By examining e-mail message headers for the term "Majordomo," list subscribers may be able to identify whether their discussions are being hosted by a Majordomo server. Administrators of the server can often be reached via the user name "Majordomo-owner@" followed by the server's address.

- ISN is currently hosted by Attrition.org

To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
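The header check the article recommends, worked through as an added example in Python (this is not code from the article or from the Majordomo project). The sample messages are constructed. The script locates the list server by assuming Majordomo stamps "Sender: owner-<list>@<host>" on list traffic, falling back to the "by <host>" clause of a Received line that names Majordomo; it derives the Majordomo-owner@ contact from that host, and also composes the one-line "which" probe an administrator would mail to their own server to confirm the command is disabled. The "end" line after the command is Majordomo's documented terminator so a signature is not parsed as further commands.

```python
"""Spot a Majordomo-hosted list from message headers, derive the owner
contact, and build a self-audit "which" probe.

Added example, not code from the article or the Majordomo project.
The two sample messages are constructed.  The Sender convention used
to locate the server is an assumption (see server_domain).
"""
import re
from email import message_from_string
from email.message import EmailMessage
from typing import List, Optional, Tuple

# Constructed sample of a message relayed by a Majordomo list server.
SAMPLE_MESSAGE = """\
Received: (from majordom@localhost) by lists.example.org (Majordomo 1.94.5)
\tid h87Lx2A12345 for sample-list-outgoing; Sun, 7 Sep 2003 14:59:02 -0700
Received: from mail.example.net (mail.example.net [192.0.2.25])
\tby lists.example.org with ESMTP id h87Lwxr12340; Sun, 7 Sep 2003 14:58:59 -0700
From: alice@example.net
To: sample-list@lists.example.org
Subject: agenda for Monday
Sender: owner-sample-list@lists.example.org
Precedence: bulk

See attached.
"""

# Constructed sample of ordinary person-to-person mail (negative case).
PLAIN_MESSAGE = """\
Received: from mail.example.net (mail.example.net [192.0.2.25])
\tby mx.example.com with ESMTP id abc123; Sun, 7 Sep 2003 15:01:00 -0700
From: bob@example.net
To: alice@example.com
Subject: lunch

Noon?
"""


def majordomo_indicators(raw: str) -> List[Tuple[str, str]]:
    """Return every (header, value) pair whose value mentions Majordomo.

    This is the article's advice taken literally: a hit in a Received or
    similar header means the list runs on Majordomo and the server may
    still honour the "which" command.
    """
    msg = message_from_string(raw)
    return [(name, value) for name, value in msg.items()
            if "majordomo" in value.lower()]


def server_domain(raw: str) -> Optional[str]:
    """Guess the host running the list server.

    Assumption: Majordomo sets "Sender: owner-<list>@<host>" on list
    traffic, so the domain after "@" in Sender names the server.  Fall
    back to the "by <host>" clause of a Received line that mentions
    Majordomo.  Returns None when neither clue is present.
    """
    msg = message_from_string(raw)
    m = re.search(r"^owner-[^@\s]+@([\w.-]+)", msg.get("Sender", ""))
    if m:
        return m.group(1)
    for value in msg.get_all("Received", []):
        if "majordomo" in value.lower():
            m = re.search(r"\bby\s+([\w.-]+)", value)
            if m:
                return m.group(1)
    return None


def owner_contact(raw: str) -> Optional[str]:
    """Address to report the problem to, per the article: Majordomo-owner@<host>."""
    host = server_domain(raw)
    return f"Majordomo-owner@{host}" if host else None


def build_which_probe(host: str, sender: str) -> EmailMessage:
    """Compose the message an administrator sends to their own server to
    check whether "which" is still enabled.  Majordomo reads commands
    from the body, one per line; "end" stops processing so a signature
    is not interpreted as further commands.
    """
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = f"majordomo@{host}"
    msg["Subject"] = "which audit"
    msg.set_content("which\nend\n")
    return msg


if __name__ == "__main__":
    for label, raw in (("list mail", SAMPLE_MESSAGE), ("plain mail", PLAIN_MESSAGE)):
        hits = majordomo_indicators(raw)
        print(f"{label}: {len(hits)} Majordomo header hit(s); contact {owner_contact(raw)}")
    host = server_domain(SAMPLE_MESSAGE)
    if host:
        print(build_which_probe(host, "postmaster@example.org"))
```

Run it as a script to see the header hits for each constructed message and the probe that would be mailed to majordomo@lists.example.org; an empty "which" response or an error from the server confirms the command has been disabled.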
This archive was generated by hypermail 2b30 : Mon Sep 08 2003 - 01:06:08 PDT