At Thu, 19 Jul 2018 10:25:01 -0700 Mark Sapiro <m...@msapiro.net> wrote:
>
> On 07/19/2018 05:16 AM, Robert Heller wrote:
> > At Wed, 18 Jul 2018 19:33:20 -0700 Mark Sapiro <m...@msapiro.net> wrote:
> >
> >>
> >> On 07/18/2018 07:10 PM, Robert Heller wrote:
> >>>
> >>> Mailman only checks the From: header...
> >>
> >>
> >> Not true. See my other reply in this thread.
> >
> > I mean it does not check things like the Received: headers *by default*. If
> > the email part of the From: header is a list member address, Mailman will
> > consider that the mail is from that member and pass the message on to the
> > list, *even if the From: header is spoofed*. I expect that this is what is
> > happening with the OP. It is a common spammer hack: somehow get a list of
> > member addresses (or really hack a member's E-Mail account or PC and go from
> > there).
> >
> > Yes, Mailman can be configured to check other headers, but this requires
> > some configuration settings.
>
>
> My point is that standard, default Mailman checks not only the From:
> header for list member addresses, it also checks the envelope sender and
> the Reply-To: and Sender: headers.

All of which can be spoofed. Mailman does not make any checks of the
"Received:" headers (where the bogosity of the other headers can be determined
or can flag messages as containing possibly spoofed headers).

>

--
Robert Heller             -- 978-544-6933
Deepwoods Software        -- Custom Software Services
http://www.deepsoft.com/  -- Linux Administration Services
hel...@deepsoft.com       -- Webhosting Services
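The following Python sketch is an added illustration, not part of the original message and not Mailman's own code. It models the membership check over the four sender fields named in the thread and a simple Received:-based flag of the kind mentioned above. The roster, host names, messages and the "any candidate matches" rule are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import getaddresses

MEMBERS = {"alice@example.org"}  # constructed roster (assumption)

def sender_candidates(msg, envelope_sender):
    """Addresses from From:, Reply-To:, Sender: and the envelope sender."""
    headers = []
    for name in ("From", "Reply-To", "Sender"):
        headers += msg.get_all(name, [])
    found = {addr.lower() for _, addr in getaddresses(headers) if addr}
    if envelope_sender:
        found.add(envelope_sender.lower())
    return found

def passes_member_check(msg, envelope_sender):
    """Assumed model: any candidate address on the roster counts as a member post."""
    return bool(sender_candidates(msg, envelope_sender) & MEMBERS)

def relay_hosts(msg):
    """Host names taken from the 'from' clause of each Received: header."""
    hosts = set()
    for value in msg.get_all("Received", []):
        m = re.search(r"\bfrom\s+([\w.-]+)(?:\s+\(([\w.-]+))?", value)
        if m:
            hosts.update(h.lower() for h in m.groups() if h)
    return hosts

def from_domain_unseen_in_relays(msg):
    """Heuristic flag: no relay host belongs to the From: address's domain."""
    addrs = getaddresses(msg.get_all("From", []))
    if not addrs:
        return True
    domain = addrs[0][1].rsplit("@", 1)[-1].lower()
    return not any(h == domain or h.endswith("." + domain) for h in relay_hosts(msg))

# Constructed sample: From: names a member, but the only relay is unrelated.
SPOOFED = """\
Received: from relay.invalid (relay.invalid [203.0.113.7])
\tby lists.example.net; Thu, 19 Jul 2018 10:00:00 -0700
From: Alice <alice@example.org>
To: list@lists.example.net
Subject: constructed sample

body
"""
GENUINE = SPOOFED.replace("relay.invalid", "mx.example.org")
spoofed, genuine = message_from_string(SPOOFED), message_from_string(GENUINE)
```

Both messages pass the membership check, but only the first is flagged by the relay comparison. Received: lines below the hop added by your own MTA are sender-supplied, so a flag like this is a hint for holding a message for moderation, not proof.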