Hi. I had been noting with trepidation the recent rise in spam mail with multiple spoofed From: lines, e.g.,
From: m...@example.net From: y...@example.net From: l...@example.net To: l...@example.net since that drastically increases the chances of any given spam message having a spoofed From: line that matches a list member. Recently, one of our lists (running Mailman 2.1.11 from Debian packages) actually got hit with a bunch of spam like that. That particular list actually had (the equivalent of) "l...@example.net", among other addresses, in discard_these_nonmembers, but that didn't actually have any effect. (None of the spoofed from addresses were in accept_these_nonmembers .) So I am guessing that when it gets mail with multiple From: addresses (or maybe just with multiple From: headers on separate lines), Mailman is doing some sort of header canonicalization that breaks discard_these_nonmembers. (I will note that the list address was listed as a string, not a regex.) So my question is twofold: (1) Is there a way, within Mailman 2.1.11 itself, I can test whether a message has multiple *senders*, and hold for moderation or discard based on that? (I'd be happy either catching anything with multiple From: lines, or if all the possible places Mailman looks for a sender are conflated, anything with more than two or three different senders.) And, (2) Is there a way I can make discard_these_nonmembers and/or hold_these_nonmembers work with from addresses in these sorts of messages? (Maybe Mailman concatenates all the sender addresses and I therefore need to use a regular expression, for instance?) Thanks in advance! Jay PS -- In case its relevant, all our list mail is forwarded via aliases from the published address to an address handled by the Mailman server, so doing stuff at SMTP time is more complicated than it would otherwise be. I wouldn't mind advice for dealing with this stuff in Exim as well, if anybody happens to have some handy, but we *do* have (a small amount of) legitimate mail that has multiple From: headers. I know how to score this stuff higher in SpamAssassin, but given various peculiarities I'd really like to know how to do it in Mailman as well. ------------------------------------------------------ Mailman-Users mailing list Mailman-Users@python.org http://mail.python.org/mailman/listinfo/mailman-users Mailman FAQ: http://wiki.list.org/x/AgA3 Security Policy: http://wiki.list.org/x/QIA9 Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/ Unsubscribe: http://mail.python.org/mailman/options/mailman-users/archive%40jab.org
