On 07/18/2018 06:28 PM, Matt Morgan wrote:
> On one of my lists I'm seeing some spam from non-subscribers getting
> through. It appears that the trick is to put a subscriber's address in the
> "real name" of the sender. E.g., this got through, without being held for
> moderation, on a list with generic_nonmember_action = discard (emails of
> the innocent obfuscated):
> 
> *From:* "x...@johnxxx.com <j...@johngreenwaltlee.com>" <enrollm...@ekonek.com>


I'm not sure what the actual incoming From: looked like. I'm sure the
asterisks in *From:* are some MUA's bolding artifact, but that
notwithstanding, if the header was

From: "x...@johnxxx.com <j...@johngreenwaltlee.com>" <enrollm...@ekonek.com>

Mailman will parse that as

real name: 'x...@johnxxx.com <j...@johngreenwaltlee.com>'
address: 'enrollm...@ekonek.com'

and the only address checked for list membership will be
enrollm...@ekonek.com

In any case, if you haven't changed the setting of SENDER_HEADERS in
mm_cfg.py, Mailman will consider a post to be from a list member if any
of the From: header, the envelope sender, the Reply-To: header or the
Sender: header contains the member address as an address, not as a real
name.

It is trivial to spoof a member address in one of those places.

As far as what happened in this case, I can't say without seeing the
original message as received by Mailman before various headers were
munged and the post sent to the list.

If you want to diagnose this, you can temporarily add a local file to
the alias for the list posting address to capture the incoming mail, at
least if mailman's delivery is via aliases.

I.e., if you currently have an alias like

listname:   "|/path/to/mail/mailman post listname"

add a file as in

listname:   "|/path/to/mail/mailman post listname"
      /path/to/file

Then the MTA will save the message to 'file' as well as delivering it to
mailman.

-- 
Mark Sapiro <m...@msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
------------------------------------------------------
Mailman-Users mailing list Mailman-Users@python.org
https://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
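The following is an added illustration of the two points in Mark's reply, not Mailman's own code: the From: value is split into a real name and an address, only the address part is compared, and that comparison is repeated for each location named in SENDER_HEADERS. The default order of SENDER_HEADERS used here (From:, envelope sender, Reply-To:, Sender:) is taken from the reply, the tuple spelling is my assumption, and every address and message in it is constructed.

```python
"""Model of Mailman 2.1's "is this post from a list member?" check.

Added example, not Mailman's code.  It shows why an address hidden inside
the quoted real name of a From: header does not count as the poster, and
why an address placed in any header named in SENDER_HEADERS does.
"""
from email import message_from_string
from email.utils import parseaddr

# Assumed spelling of the default SENDER_HEADERS; None stands for the
# envelope sender (the SMTP MAIL FROM, i.e. what lands in Return-Path).
DEFAULT_SENDER_HEADERS = ("from", None, "reply-to", "sender")


def parse_from(header_value):
    """Split a From: value into (real name, address) as Mailman does."""
    return parseaddr(header_value)


def candidate_senders(msg, envelope_sender, sender_headers=DEFAULT_SENDER_HEADERS):
    """Every address Mailman would treat as the poster, in check order."""
    found = []
    for name in sender_headers:
        if name is None:
            addr = envelope_sender or ""
        else:
            # Only the address part of the header is kept; the real name,
            # however much it looks like an address, is discarded here.
            _realname, addr = parseaddr(msg.get(name, ""))
        addr = addr.strip().lower()
        if addr and addr not in found:
            found.append(addr)
    return found


def is_member_post(msg, envelope_sender, members, sender_headers=DEFAULT_SENDER_HEADERS):
    """True if any candidate sender is a subscribed address."""
    members = {m.lower() for m in members}
    return any(a in members for a in candidate_senders(msg, envelope_sender, sender_headers))


def classify(raw_message, envelope_sender, members, sender_headers=DEFAULT_SENDER_HEADERS):
    """Parse a raw message and return what the check sees and decides."""
    msg = message_from_string(raw_message)
    return {
        "from": parse_from(msg.get("From", "")),
        "candidates": candidate_senders(msg, envelope_sender, sender_headers),
        "member": is_member_post(msg, envelope_sender, members, sender_headers),
    }


# Constructed sample: a member address quoted inside the real name, shaped
# like the header Matt quoted.  Every address here is a placeholder.
REALNAME_TRICK = """\
From: "member@list.example <member@list.example>" <outsider@other.example>
To: listname@list.example
Subject: test

hello
"""

# Constructed sample: the member address appears as a real address in a
# header that SENDER_HEADERS consults.
REPLYTO_CASE = """\
From: outsider@other.example
Reply-To: member@list.example
To: listname@list.example
Subject: test

hello
"""

MEMBERS = {"member@list.example"}

if __name__ == "__main__":
    # The real-name trick alone is not enough to pass the membership check.
    print(classify(REALNAME_TRICK, "outsider@other.example", MEMBERS))
    # A member address in Reply-To: passes under the default SENDER_HEADERS
    # but not when only the From: header is consulted.
    print(classify(REPLYTO_CASE, "outsider@other.example", MEMBERS))
    print(classify(REPLYTO_CASE, "outsider@other.example", MEMBERS, ("from",)))
```

Running it shows the From: value from the first sample parsed into real name 'member@list.example <member@list.example>' and address 'outsider@other.example', with the post not recognised as a member's; this is why Mark asks for the original message as received, since the quoted header by itself would not have been accepted. The second sample shows the other side of the reply: narrowing SENDER_HEADERS changes which headers can vouch for membership, but any header an outsider can write remains spoofable, so the setting is a trade-off rather than a fix.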