Mark Sapiro writes:

 > On 6/1/20 3:15 PM, Lucio Crusca wrote:
 > > Ok, let's assume it is a deliverable address. Running the following
 > > one-liner yields nothing:

My guess is that the real mailbox was replaced with a hash of that mailbox. SHA-2-512 or SHA-3-512 would fit with the 32-hex-digit mailbox in the report. That allows the recipient's host to redact the mailbox from the report to you but still easily identify it.

Either way, this looks like a valid subscription reminder. Do you have reminders enabled? If so, this looks like a user who decided to report the reminder as spam rather than take a reasonable action (turn off reminders or unsubscribe).

 > > I agree [that it was sent to the real address], but how?

The recipient domain has clearly altered the header, because it reports a delivery to that address but you have no record of it. (It could be the recipient, but there are very few recipients with the skills to do this, or who would bother given that they're reporting on their own behalf to their email provider!)

Mark Sapiro writes:

 > If I were you I would either just remove the recipient's real
 > address from the list or maybe contact the recipient to see what
 > the message looked like at that end.

I don't think there's much point in contacting the recipient.

 > In any case, I can't see how there could be any issue with Mailman
 > here.

Agreed.

Regarding your other question,

 > > Is there a security flaw in my mailman setup?

Maybe, but it looks to me like you just have a user who got annoyed at the password reminder for a list they are subscribed to, and decided to cause you trouble rather than take care of turning reminders off or unsubscribing themself. (This used to be *really* common with America Online because their Report Spam button was big and easy to click, vs. unsubscribing or changing their user profile, which users had to do themselves. Fortunately those folks don't seem to use Mailman lists any more.)

Your MTA does have places where security can be tightened. One is to use DKIM to sign the outgoing messages. Without a signature, it's impossible to prove whether the header and/or the message content were spoofed or altered after leaving your server.

Also, it seems that you have a DMARC record for "my.real.hostname.it", but it does not cover "my.real.domain.where.i.host.mailman", since "my.real.hostname.it" passes SPF, but "my.real.domain.where.i.host.mailman" fails DMARC. This is a guess since I don't know your domains, nor exactly how IOL does things, but the "fail" in these two fields suggests it:

    X-IOL-DMARC: fail_monitor con il dominio my.real.domain.where.i.host.mailman
    X-IOL-SEC: _SPFOK_NODKIM_DMARCFAIL_ENVFROMHEADDIFF

Presumably lack of DMARC alignment (the address in From needs to match the SPF-authenticated domain) contributes to the spam score.

------------------------------------------------------
Mailman-Users mailing list -- mailman-users@python.org
To unsubscribe send an email to mailman-users-le...@python.org
https://mail.python.org/mailman3/lists/mailman-users.python.org/
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: https://www.mail-archive.com/mailman-users@python.org/
https://mail.python.org/archives/list/mailman-users@python.org/
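The DMARC alignment reasoning in the message above (SPF passes for the envelope-from host, but the From header carries a different domain, and there is no DKIM signature that could align instead) can be checked mechanically. The following is an added example, not code from the thread or from Mailman: a small Python model of DMARC identifier alignment in the style of RFC 7489 section 3.1, run over the two placeholder domains the message uses. It assumes a simplified organizational-domain rule (last two DNS labels, no Public Suffix List), and the `AuthResults` and `dmarc_evaluate` names are this example's own. The second scenario goes beyond the thread by showing what changes once the outgoing mail is DKIM-signed with the From domain.

```python
"""Toy DMARC identifier-alignment evaluator (added example, not Mailman code).

DMARC passes when at least one authenticated identifier aligns with the
RFC5322.From domain: the RFC5321.MailFrom domain that passed SPF, or the
d= domain of a DKIM signature that verified.  Alignment is either strict
(exact match) or relaxed (same organizational domain).  The organizational
domain is approximated as the last two labels; real evaluators consult the
Public Suffix List, so treat that part as an assumption of this example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


def org_domain(domain: str) -> str:
    """Approximate organizational domain: last two labels, lower-cased."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else domain.lower()


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """mode 's' = strict (exact), 'r' = relaxed (organizational domain)."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


@dataclass
class AuthResults:
    from_domain: str                       # domain of the RFC5322.From header
    spf_pass_domain: Optional[str] = None  # MailFrom domain that passed SPF
    dkim_pass_domains: List[str] = field(default_factory=list)  # d= of valid sigs


def dmarc_evaluate(r: AuthResults, spf_mode: str = "r", dkim_mode: str = "r") -> Dict[str, object]:
    """Return which identifiers align and the resulting DMARC verdict."""
    spf_aligned = r.spf_pass_domain is not None and aligned(r.spf_pass_domain, r.from_domain, spf_mode)
    dkim_aligned = any(aligned(d, r.from_domain, dkim_mode) for d in r.dkim_pass_domains)
    return {
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "dmarc": "pass" if (spf_aligned or dkim_aligned) else "fail",
    }


# Scenario 1 (constructed from the thread's placeholders): SPF passes for the
# envelope-from host, the From header uses the Mailman domain, no DKIM.
# This is the _SPFOK_NODKIM_DMARCFAIL_ENVFROMHEADDIFF situation.
def scenario_unsigned() -> Dict[str, object]:
    return dmarc_evaluate(AuthResults(
        from_domain="my.real.domain.where.i.host.mailman",
        spf_pass_domain="my.real.hostname.it",
        dkim_pass_domains=[],
    ))


# Scenario 2 (constructed): same message, but the MTA now DKIM-signs outgoing
# mail with d= set to the From domain, so the DKIM identifier aligns.
def scenario_dkim_signed() -> Dict[str, object]:
    return dmarc_evaluate(AuthResults(
        from_domain="my.real.domain.where.i.host.mailman",
        spf_pass_domain="my.real.hostname.it",
        dkim_pass_domains=["my.real.domain.where.i.host.mailman"],
    ))


if __name__ == "__main__":
    print("unsigned:   ", scenario_unsigned())
    print("dkim-signed:", scenario_dkim_signed())
```

The first scenario fails because neither identifier shares an organizational domain with the From header; the second passes on DKIM alignment alone, which is exactly why signing outgoing list mail with the From domain's key is the usual fix, independently of whether the envelope sender is changed.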