COMMAND

    eGROUPS

SYSTEMS AFFECTED

    eGROUPS mailing lists

PROBLEM

    Philip Stoev found the following. eGROUPS (www.egroups.com) is a web
    site providing mailing list services. The mailing lists (aka groups)
    can be moderated, and the moderator can approve/revoke posted messages
    by sending blank emails to certain addresses in the egroups system.
    Because the approval address carries only a weak, constant secret, this
    makes it trivial for anyone to approve a message without being a
    moderator.

    1. Take a look at the header of some previous message sent to the
       group. Extract the following header line:

        Return-Path: <GROUPNAME-return-XXX-USERNAME=HOST.TLD@returns.egroups.com>

       The number XXX here is a sequence number assigned to each message
       sent to the group.

    2. Send the message you want to send to the list. The message will be
       sent to the moderator for approval.

    3. Send 256 blank messages to addresses like:

        GROUPNAME-accept-ZZmYYY@egroups.com

       where: - ZZ is a hexadecimal number from 00 to FF
              - YYY is XXX + 1

    The presence of the ZZ number appears to be an attempt to put some
    security into the entire system. However, this number is constant for
    each group and does not change in time. Once guessed, subsequent
    messages can be approved with a single email. Your message will appear
    as if approved by the moderator and will be distributed to the group.
    No header spoofing is necessary, because the eGROUPS system does not
    check the source address of the incoming messages.

SOLUTION

    eGROUPS was notified.
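    As an added illustration (not part of this advisory and not eGROUPS'
    own code), the Python below sketches a hardened approval address in
    the same GROUPNAME-accept-TOKENmSEQ shape, where the token is a
    128-bit HMAC over the group name and message sequence number under a
    server-side secret instead of a constant 8-bit value. The domain, the
    secret and all helper names are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed server-side secret (assumption): it lives in the list
# server's configuration and never appears in any mail header.
SERVER_SECRET = secrets.token_bytes(32)
TOKEN_HEX_LEN = 32           # 128-bit token; the advisory's ZZ field is 2 hex digits
DOMAIN = "example.invalid"   # placeholder for the list server's domain


def token_space(hex_digits: int) -> int:
    """Distinct tokens a field of hex_digits hex characters can hold."""
    return 16 ** hex_digits


def approval_token(group: str, seq: int, secret: bytes = SERVER_SECRET) -> str:
    """Per-message token bound to group and sequence number, so a token
    seen for one message says nothing about any other message."""
    msg = f"{group}:{seq}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:TOKEN_HEX_LEN]


def accept_address(group: str, seq: int) -> str:
    """Address included only in the approval request mailed to the moderator."""
    return f"{group}-accept-{approval_token(group, seq)}m{seq}@{DOMAIN}"


def parse_accept_address(addr: str):
    """Split GROUP-accept-TOKENmSEQ@domain; None for anything malformed."""
    local, at, _ = addr.partition("@")
    group, sep, rest = local.rpartition("-accept-")
    if not at or not sep or not group:
        return None
    token, m, seq = rest.partition("m")   # token is hex, so 'm' is unambiguous
    if not m or not seq.isdigit() or len(token) != TOKEN_HEX_LEN:
        return None
    return group, token, int(seq)


def verify_accept(addr: str, pending_seq: int, secret: bytes = SERVER_SECRET) -> bool:
    """Server-side check of an incoming blank 'accept' mail against the
    message currently awaiting moderation for that group."""
    parsed = parse_accept_address(addr)
    if parsed is None:
        return False
    group, token, seq = parsed
    if seq != pending_seq:
        return False
    expected = approval_token(group, seq, secret)
    return hmac.compare_digest(token, expected)   # constant-time comparison
```

    With the advisory's two hex digits the whole token space is 256
    addresses; with 32 hex digits bound to the pending message it is
    2^128, and a guess for one message is worthless for the next.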