Until a few hours ago I was running mailman 2.1.29 on Debian Stretch, as
packaged by Debian, e.g. mailman_1:2.1.29-1_amd64.deb, so I was missing
the latest update published by Debian on April 24 as
mailman_1:2.1.29-1+deb10u1_amd64.deb. That means my mailman was
vulnerable to this specific issue:
https://security-tracker.debian.org/tracker/CVE-2020-12137
which is an XSS issue, and, as such, it can hardly be the cause of my
problem. However, I've now updated it nevertheless.

A few hours ago I received an FBL complaint notification about a monthly
subscription reminder marked as spam and actually coming from my server.
The subscription reminder was attached to the FBL complaint, so I could
see the mailman list subscribed email inside it, which is
ada3167eb87301cb4835917425f07...@libero.it: it's clearly a fake email
address or a real email address that's been created just for sending spam.
The real user who raised the complaint is not shown, for obvious privacy
reasons. I could discover it from the message ID, but who cares, he's
right after all. By double-checking the message ID I could confirm that
the whole reminder is authentic and that it actually went out of my
mail server. It is attached here, except that I've masked my real domain
name and my real server IP address.

My mailman subscription logs (/var/log/mailman/subscribe*) go back one
year and that fake email address does not appear in any of them, nor is
it listed in the current subscribers list. It obviously does NOT match
the email address of the user who received the spammed reminder and
who raised the complaint.

How did it happen? Is there a security flaw in my mailman setup? Where
should I start looking?

Source: Italia Online (Libero and Virgilio)
Abuse-Type: complaint
Subscription-Link: https://fbl.returnpath.net/manage/subscriptions/394805
User-Agent: ReturnPathFBL/2.0
Original-Rcpt-To: ada3167eb87301cb4835917425f07...@libero.it
Arrival-Date: Mon, 01 Jun 2020 03:00:04 +0000
Original-Mail-From: mailman-boun...@my.real.hostname.it
Reported-Domain: my.real.hostname.it
Source-Ip: my.real.mailman.server.ip.address
Feedback-Type: abuse
Version: 1
--2b38e7ed6655b3398b3fa78c503692fce35b2e77326c2691bbcfb3bc2516
Content-Type: message/rfc822
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Content-ID: <5ed497103f356_ebe2b2335d7596447...@abuse.myprovider.company.mail>
Delivered-To: *****
Received: from mobimap.libero.it
by <local> with IMAP4 (i;15392:1)
Mon, 01 Jun 2020 03:00:27 +0000
Return-Path: <mailman-boun...@my.real.hostname.it>
Delivered-To: ada3167eb87301cb4835917425f07...@libero.it
Received: from dcd-18 ([10.103.10.26])
by dcbackend-44.iol.local with LMTP id aBB+HUtv1F5HTwMAm9QHFw
for <ada3167eb87301cb4835917425f07...@libero.it>; Mon, 01 Jun 2020
05:00:27 +0200
Received: from dcp-12.iol.local ([10.103.10.26])
by dcd-18 with LMTP id 8KFpHUtv1F72MQAAWU+Phw
; Mon, 01 Jun 2020 05:00:27 +0200
Received: from libero.it ([10.103.10.26])
by dcp-12.iol.local with LMTP id oBQ9Dktv1F6y6wAAFc0f+g
; Mon, 01 Jun 2020 05:00:27 +0200
Received: from my.real.hostname.it ([my.real.mailman.server.ip.address])
by smtp-26.iol.local with ESMTP
id fagcjaRdEBNRlfagcj6sQm; Mon, 01 Jun 2020 05:00:27 +0200
X-IOL-DMARC: fail_monitor con il dominio my.real.domain.where.i.host.mailman
X-IOL-DKIM: Messaggio non firmato
X-IOL-SPF: pass con l'IP my.real.mailman.server.ip.address;my.real.hostname.it
X-IOL-SEC: _SPFOK_NODKIM_DMARCFAIL_ENVFROMHEADDIFF
X-IOL-Original-Envfrom: mailman-boun...@my.real.hostname.it
x-libjamoibt: 2601
Received-SPF: pass
X-CNFS-Analysis: v=2.3 cv=X7os11be c=1 sm=1 tr=0
a=FkFSD/Dudah5UTUvEddLDw==:117 a=FkFSD/Dudah5UTUvEddLDw==:17 a=lP7XrAztAAAA:8
a=KiCxJD0x+Pe5VASQKmYoJrcyuOo=:19 a=xqWC_Br6kY4A:10 a=8nJEP1OIZ-IA:10
a=nTHF0DUjJn0A:10 a=Mrz3sjv-sVQA:10 a=IAtt1hzdAAAA:8 a=vYhxhHx_zviUCDRhy94A:9
a=wPNLvfGTeEIA:10 a=2EkGEB5KO2G9k0KlfTuJ:22 a=1L9rwC9n54gXs6W524hS:22
Received: from my.real.hostname.it ([::1])
by my.real.hostname.it with ESMTP
id 0000000000123253.000000005ED46F3F.00004A46; Mon, 01 Jun 2020 05:00:15 +0200
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Subject: promemoria per gli iscritti della lista
my.real.domain.where.i.host.mailman
From: mailman-ow...@my.real.domain.where.i.host.mailman
To: ada3167eb87301cb4835917425f07...@libero.it
X-No-Archive: yes
Auto-Submitted: auto-generated
Message-ID: <mailman.22.1590980404.18909.mail...@my.real.hostname.it>
Date: Mon, 01 Jun 2020 05:00:04 +0200
Precedence: bulk
X-BeenThere: mail...@my.real.hostname.it
X-Mailman-Version: 2.1.29
List-Id: <mailman.my.real.hostname.it>
X-List-Administrivia: yes
Errors-To: mailman-boun...@my.real.hostname.it
Sender: "Mailman" <mailman-boun...@my.real.hostname.it>
X-CMAE-Envelope:
MS4wfE7WgNK6+1TCWJT2l9eUtLErptK18C5819kRL7yRE0HAlor0NJBLXLDL6HfOahF0FqVW6I95j5Oz78Y4MekgnFd5rnHMtNjcemup+IEvZPAik3ig8RbU
yUf5JnpXs0aKtyC4ykkZ73aCGK8h7SqTc+S8FR9HSkpVwEpBFRFMHW5PAagGRRIICd1fep7ihrf2iQ==
X-Mru-Rpop: 1
X-Ipop: 89664477
X-Mru-UID: 1089306654
X-Mailru-Intl-Transport: d,4f36b03
Questo promemoria, inviato con cadenza mensile, elenca le tue
iscrizioni alle liste gestite da my.real.domain.where.i.host.mailman, e
per ognuna di esse specifica le informazioni necessarie per cambiarla
o cancellarla.
Puoi visitare gli URL per cambiare il tuo stato d'iscrizione o la
configurazione, inclusa la cancellazione, il settaggio della modalit=E0
di spedizione digest, o disabilitare completamente la spedizione (es.,
per una vacanza), e cos=EC via.
In aggiunta all'interfaccia web, puoi usare anche l'email per fare
alcuni cambiamenti. Per altre informazioni, invia un messaggio
all'indirizzo '-request' della lista (per esempio,
mailman-requ...@my.real.domain.where.i.host.mailman) contenente solamente
la parola 'help' nel corpo del messaggio. Ti sar=E0 inviato un
messaggio con le istruzioni.
Se hai domande, problemi, commenti, ecc., inviali a
mailman-ow...@my.real.domain.where.i.host.mailman. Grazie!
Password per ada3167eb87301cb4835917425f07...@libero.it: =
Lista Password // URL
---- -------- =
my.real.list.n...@my.real.domain.where.i.host.mailman
voanteod =
https://my.real.domain.where.i.host.mailman/options/my.real.list.name/ada3167eb87301cb4835917425f07242%40libero.it
--2b38e7ed6655b3398b3fa78c503692fce35b2e77326c2691bbcfb3bc2516--
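
Added example, not part of the original post: a Python triage helper that reads the feedback report fields, decodes any quoted-printable residue (=0D, soft line breaks) they carry, and checks the reported recipient against the embedded reminder, the member list and the subscribe logs. All sample addresses, hosts and log lines are constructed placeholders, and the member list and log lines are assumed to have been exported to plain text beforehand.

```python
import quopri
from email import message_from_string

# Constructed sample data: field names follow the report in the post,
# every address, host and log line below is a placeholder.
REPORT = (
    "Feedback-Type: abuse=0D\n"
    "Subscription-Link: https://fbl.example.net/manage/subscriptions/1=\n"
    "=0D\n"
    "Original-Rcpt-To: Ghost.User@example.org=0D\n"
    "Original-Mail-From: mailman-bounces@lists.example.net=0D\n"
)
ORIGINAL = (
    "To: ghost.user@example.org\n"
    "Message-ID: <mailman.1.2.3.mailman@lists.example.net>\n"
    "Auto-Submitted: auto-generated\n"
    "X-List-Administrivia: yes\n"
    "\n"
    "reminder body\n"
)
MEMBERS = ["alice@example.org", "bob@example.org"]
SUBSCRIBE_LOG = ["constructed line: new alice@example.org",
                 "constructed line: deleted carol@example.org"]

def parse_report(text):
    """Decode quoted-printable residue (=0D, soft breaks) and return the fields."""
    decoded = quopri.decodestring(text.encode("ascii")).decode("ascii")
    fields = {}
    for line in decoded.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():
            fields[key.strip().lower()] = value.strip()
    return fields

def triage(report_text, original_text, members, log_lines):
    """Compare the reported recipient with the message, member list and logs."""
    report = parse_report(report_text)
    msg = message_from_string(original_text)
    rcpt = report.get("original-rcpt-to", "").lower()
    return {
        "rcpt": rcpt,
        "rcpt_matches_to": bool(rcpt) and rcpt == (msg["To"] or "").strip().lower(),
        "mailman_generated": (msg["X-List-Administrivia"] == "yes"
                              and msg["Auto-Submitted"] == "auto-generated"),
        "is_member": rcpt in {m.lower() for m in members},
        "in_subscribe_log": bool(rcpt) and any(rcpt in l.lower() for l in log_lines),
    }

if __name__ == "__main__":
    print(triage(REPORT, ORIGINAL, MEMBERS, SUBSCRIBE_LOG))
```

A result with mailman_generated true but is_member and in_subscribe_log both false reproduces the mismatch described in the post and narrows the search to how the address entered the list data without a logged subscription.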