Sebb, thank you for your analysis!

Two issues; one, the reply-to field of security announcements was set to
security@, and this is in direct contravention of Apache policy. Security@
is exclusively for reporting undisclosed vulnerabilities, and all other
traffic is ignored. This group of email addresses must never be shared
without context and usage guidance. Please, never do that again.

Two, this announce is still not published to ann@a.o. What is the next step
to cause this to happen? Daniel, could you use a conventional mail agent to
wrap this cycle up?



On Wed, Sep 26, 2018, 18:40 sebb <seb...@gmail.com> wrote:

> Also just realised the Message-Id is missing.
>
> Some servers (e.g. GMail) may add it; if they don't it can cause issues
> for mod_mbox and possibly other archivers.
> It also causes problems for mail threading.
> And if the mail is sent to multiple destinations, each generated
> Message-Id will be different.
>
> On 26 September 2018 at 22:04, Noel Butler <noel.but...@ausics.net> wrote:
>
>> On 27/09/2018 05:37, sebb AT ASF wrote:
>>
>>
>> I don't know if this is relevant, but the messages don't have a Date:
>> header.
>>
>>
>> Ahhhh  this would be because Daniel used curl to send them rather than a
>> sane method :)
>>
>>
>>
>>
>> Also some of the received headers look odd:
>>
>> Received: from Announcement.txt (IP redacted)
>>         by mailrelay1-lw-us.apache.org (ASF Mail Server at
>> mailrelay1-lw-us.apache.org) with ESMTPSA id redacted
>>         for <annou...@httpd.apache.org>; Sat, 22 Sep 2018 11:41:35 +0000
>> (UTC)
>>
>> and
>>
>> Received: from CVE-2018-11763-h2-dos-by-settings.txt (IP redacted)
>>         by mailrelay2-lw-us.apache.org (ASF Mail Server at
>> mailrelay2-lw-us.apache.org) with ESMTPSA id redacted
>>         for <annou...@httpd.apache.org>; Sat, 22 Sep 2018 11:41:38 +0000
>> (UTC)
>>
>> --
>>
>> Kind Regards,
>>
>> Noel Butler
>> This Email, including any attachments, may contain legally privileged
>> information, therefore remains confidential and subject to copyright
>> protected under international law. You may not disseminate, discuss, or
>> reveal, any part, to anyone, without the author's express written authority
>> to do so. If you are not the intended recipient, please notify the sender
>> then delete all copies of this message including attachments, immediately.
>> Confidentiality, copyright, and legal privilege are not waived or lost by
>> reason of the mistaken delivery of this message. Only PDF
>> <http://www.adobe.com/> and ODF
>> <http://en.wikipedia.org/wiki/OpenDocument> documents accepted, please
>> do not send proprietary formatted documents
>>
>
>
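
Added example, not part of the thread: a pre-send check for the header problems discussed above (missing Date and Message-Id, Reply-To aimed at a report-only address), which also stamps Date and Message-ID once so every destination receives the same values. The addresses, the `example.org` domain and the function names are assumptions made for illustration.

```python
from email import message_from_string
from email.utils import formatdate, make_msgid

# Constructed sample (placeholder addresses): a hand-built announcement with
# no Date or Message-ID, and Reply-To aimed at a report-only address.
RAW = (
    "From: Release Manager <rm@example.org>\n"
    "To: announce@example.org\n"
    "Reply-To: security@example.org\n"
    "Subject: [ANNOUNCE] Example release\n"
    "\n"
    "Body text.\n"
)

# RFC 5322 requires Date and From; Message-ID is a SHOULD, but archivers and
# threading depend on it, so it is treated as required here.
REQUIRED = ("Date", "From", "Message-ID")
# Assumption: addresses that must never appear in Reply-To.
REPORT_ONLY = ("security@example.org",)


def load(raw):
    """Parse raw message text into an email.message.Message."""
    return message_from_string(raw)


def lint_headers(msg):
    """Return a list of header problems; an empty list means ready to send."""
    problems = [f"missing {h}" for h in REQUIRED if msg[h] is None]
    reply_to = (msg["Reply-To"] or "").lower()
    for addr in REPORT_ONLY:
        if addr in reply_to:
            problems.append(f"Reply-To points at report-only address {addr}")
    return problems


def finalize(msg, domain="example.org"):
    """Add Date and Message-ID once, before any copy is sent.

    Stamping at the sender means all recipients and archives see one
    Message-ID instead of one generated per receiving server.
    """
    if msg["Date"] is None:
        msg["Date"] = formatdate(localtime=False)
    if msg["Message-ID"] is None:
        msg["Message-ID"] = make_msgid(domain=domain)
    return msg
```
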
