Thomas F. Holz writes:
> If I know the address of a list member and the address of the mailing
> list, I seem to be allowed to write in the list in his place.
> Is this correct?
Yes, as far as Mailman 2 goes. Mailman 2 doesn't know anything about
a user except their address. Mailman 3 knows a little bit more, but
Mailman doesn't know how to authenticate posters by digital signatures
(and you probably don't want to put your subscribers through that
pain, either).
> 1)---
> First, I can fake the sender address. If the original sender address and
> mail with the forgery are sent from the same domain, then this is not
> prevented by the MTA (SPF/DKIM check), is it?
Not by standard MTAs, which only make the appropriate check if the
sending domain has set a restrictive DMARC policy. But you should be
able to create an MTA or spam filter rule that checks for from
alignment yourself.
> With freemailers like gmail, web.de, gmx etc. this doesn't seem so
> impossible to me (i.e. that listmember and bad guy write from the same
> domain).
That won't work from gmail. Gmail will only allow you to send From an
address if you can prove you own it, either by using it to log in to
Gmail, or by reading a one-time token from that mailbox and sending it
back to Gmail. I can't speak for the other freemailers, but I imagine
they work the same. And if you send it from somewhere else, it won't
have Gmail's DKIM, so from alignment will fail.
> If I write to the mailing list from a valid address (which is NOT a
> member of the mailing list), and specify a "return-to" in the header
> with a listmember's address, then that gets waved through to my mailing
> list as well. My mailman lists here seem to ignore the "From" address
> completely then.
That is configurable on a sitewide basis. Add the SENDER_HEADERS
variable to mm_cfg.py, and change it to ('from') or ('from', None).
# Membership tests for posting purposes are usually performed by looking at a
# set of headers, passing the test if any of their values match a member of
# the list. Headers are checked in the order given in this variable. The
# value None means use the From_ (envelope sender) header. Field names are
# case insensitive.
SENDER_HEADERS = ('from', None, 'reply-to', 'sender')
> Have I understood this correctly?
Not 100%, but basically so.
> And if this is as described, how can I prevent this?
1. In practice, as long as you do normal content-based spam
filtering, this seems to mostly be a theoretical problem even if
you do nothing special about checking senders. Maybe you (or your
users) have nastier than usual enemies though, you have to decide
that.
2. For a little more security and transparency, remove reply-to and
sender from SENDER_HEADERS. This will inconvenience some user
occasionally, but it should be rare in most user populations. It
won't stop spoofing, but it will be easy to see it and the victims
will complain. This may do the trick depending on what the goal
of the spoof is (and if the spoofer is a a bot).
3. For maximum security with little inconvenience to users, have your
MTA check for From alignment. You can either reject on that basis
(which will inconvenience some users substantially, I suspect) or
you can have the MTA add a header to the message, and have Mailman
hold the mail for human moderation if alignment fails.
It would also be possible to have Mailman do this but it's more
efficient to have the MTA do it.
I believe some users in the past have mentioned 3rd-party patches to
check user's digital signatures, but that's quite compute-intensive,
and requires that you teach your users to sign their own email. I'm
pretty sure they won't like that. ;-)
Steve
--
Mailman-Users mailing list -- mailman-users@python.org
To unsubscribe send an email to mailman-users-le...@python.org
https://mail.python.org/mailman3/lists/mailman-users.python.org/
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: https://www.mail-archive.com/mailman-users@python.org/
https://mail.python.org/archives/list/mailman-users@python.org/
