Re: [Mailman-Users] non-subscriber managed to post to a subscriber only list

2009-01-28 Thread Barry Finkel
On Tue, Jan 27, 2009 at 01:51:48PM -0600, Barry Finkel wrote:
>> I was surprised to learn last week that RFC 2822 has been made
>> obsolete by RFC 5322, and 2821 by 5321.  I think that the major
>> changes were to clear up sections where there were differences of
>> interpretation.

and Adam McGreggor replied:
>I saw the update/obsoletion via http://twitter.com/rfc

I was a subscriber to the DRUMS mailing list when that group was
revising RFCs 821 and 822 to produce 2821 and 2822.  I do not remember
having unsubscribed from that list, but I have seen no activity on
that list after 2821 and 2822 were issued.  So, revisions to those two
RFCs caught me by surprise.
--
Barry S. Finkel
Computing and Information Systems Division
Argonne National Laboratory  Phone:+1 (630) 252-7277
9700 South Cass Avenue   Facsimile:+1 (630) 252-4601
Building 222, Room D209  Internet: bsfin...@anl.gov
Argonne, IL   60439-4828 IBMMAIL:  I1004994

--
Mailman-Users mailing list
Mailman-Users@python.org
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
http://mail.python.org/mailman/options/mailman-users/archive%40jab.org

Security Policy: http://wiki.list.org/x/QIA9


Re: [Mailman-Users] non-subscriber managed to post to a subscriber only list

2009-01-27 Thread Grant Taylor

On 01/27/09 13:19, Lindsay Haisley wrote:
> It is not a misconfiguration of a MTA for the envelope sender to
> be of the form "@.." as long as this is a
> working address.

Agreed.  I was referring to the common question on MTA support lists
along the lines of "Why is  sending emails out as
'@..' and not '@.' like it
should be?".  In this case, it is indeed an MTA mis-configuration on
their ends, automatically adding the (incorrect) host / domain name to
uncanonical sending email addresses.

Grant. . . .


Re: [Mailman-Users] non-subscriber managed to post to a subscriber only list

2009-01-27 Thread Adam McGreggor
On Tue, Jan 27, 2009 at 01:51:48PM -0600, Barry Finkel wrote:
> I was surprised to learn last week that RFC 2822 has been made
> obsolete by RFC 5322, and 2821 by 5321.  I think that the major
> changes were to clear up sections where there were differences of
> interpretation.

I saw the update/obsoletion via http://twitter.com/rfc

-- 
``What does it mean? It means I never have to work again.''
  (Don McLean, on `American Pie', attrib.)


Re: [Mailman-Users] non-subscriber managed to post to a subscriber only list

2009-01-27 Thread Lindsay Haisley
On Tue, 2009-01-27 at 09:25 -0600, Grant Taylor wrote:
> Though I think that the MTA sending out as 
> @.. is a mis-configuration on the MTA's part.

It should be noted as well that it's not the MTA's job to set the
envelope sender address, nor is there any configuration in a proper MTA
to default this address to anything in particular.  This is done by the
MUA (or equivalent) which engages the MTA for the purpose of sending an
email, and if an envelope sender address isn't provided, the MTA will
complain and refuse to continue with a session.

-- 
Lindsay Haisley   | "In an open world,| PGP public key
FMP Computer Services |who needs Windows  |  available at
512-259-1190  |  or Gates"| http://pubkeys.fmp.com
http://www.fmp.com|   |




Re: [Mailman-Users] non-subscriber managed to post to a subscriber only list

2009-01-27 Thread Barry Finkel
>Please see Sec. 3.6 of RFC 2822 for a full discussion of various e-mail
>header fields and their proper uses and meanings, and RFC 2821 for a
>discussion of the trace fields, such as Return-Path.  It is not a
>misconfiguration of a MTA for the envelope sender to be of the form
>"@.." as long as this is a working address.
>Mail systems which are unable to deliver a received email are required
>to use the Return-Path address (the SMTP envelope sender address) to
>which to send DSNs and NDRs.

I was surprised to learn last week that RFC 2822 has been made
obsolete by RFC 5322, and 2821 by 5321.  I think that the major
changes were to clear up sections where there were differences of
interpretation.
--
Barry S. Finkel
Computing and Information Systems Division
Argonne National Laboratory  Phone:+1 (630) 252-7277
9700 South Cass Avenue   Facsimile:+1 (630) 252-4601
Building 222, Room D209  Internet: bsfin...@anl.gov
Argonne, IL   60439-4828 IBMMAIL:  I1004994



Re: [Mailman-Users] non-subscriber managed to post to a subscriber only list

2009-01-27 Thread Lindsay Haisley
On Tue, 2009-01-27 at 09:25 -0600, Grant Taylor wrote:
> I can see how altering your From (depending on where you are sending to) 
> could be a possibility.  Though I think that the MTA sending out as 
> @.. is a mis-configuration on the MTA's part. 
> As far as the Sender: header, I can see that, thus I refine my statement 
> such that either the (preferably) From: or the Sender: headers should 
> match the SMTP envelope sender / Return-Path: header.

Please see Sec. 3.6 of RFC 2822 for a full discussion of various e-mail
header fields and their proper uses and meanings, and RFC 2821 for a
discussion of the trace fields, such as Return-Path.  It is not a
misconfiguration of a MTA for the envelope sender to be of the form
"@.." as long as this is a working address.
Mail systems which are unable to deliver a received email are required
to use the Return-Path address (the SMTP envelope sender address) to
which to send DSNs and NDRs.

All the header fields which we're discussing here have very precisely
defined uses, and the nuances of these field definitions are, I believe,
somewhat OT for this list.  IMHO, it would be an error to try to force
any of these fields to match one another without fully understanding
their intended uses.  There is, unfortunately, way too much of this sort
of thing these days as people writing email management software,
including some pretty big players, have played fast and loose with the
RFCs and have muddied the waters for the rest of us who are trying to
make the Internet email system work cleanly and reliably.

-- 
Lindsay Haisley   | "Everything works| PGP public key
FMP Computer Services |   if you let it" |  available at
512-259-1190  |(The Roadie)  | http://pubkeys.fmp.com
http://www.fmp.com|  |





Re: [Mailman-Users] non-subscriber managed to post to a subscriber only list

2009-01-27 Thread Grant Taylor

On 01/26/09 20:30, Stephen J. Turnbull wrote:
> Sure.  Anybody who uses a single host to send mail but alters their
> From according to the venue (me, for example).  Anybody whose MTA
> identifies the envelope sender as u...@actual-host.example.com, but
> whose MUA identifies them as u...@example.com in From.  Anybody whose
> mail is handled on somebody else's account, and thus will have a
> Sender header (typically Return-Path will more likely point to Sender
> than From in that case).

I can see how altering your From (depending on where you are sending to)
could be a possibility.  Though I think that the MTA sending out as
@.. is a mis-configuration on the MTA's part.
As far as the Sender: header, I can see that, thus I refine my statement
such that either the (preferably) From: or the Sender: headers should
match the SMTP envelope sender / Return-Path: header.

> It would be easy to implement in something like SpamAssassin.

*nod*

This may be a very valid point.  I wonder what it would take to add a
new rule that would add a small score if things did not match like they
likely should.  Every little bit helps and I don't think a little bit
would hurt otherwise valid messages.

Grant. . . .
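A scorer for the rule Grant sketches above, added here as an example; it is not code from the thread, from Mailman or from SpamAssassin. It adds a small score only when neither From: nor Sender: agrees with the envelope sender, and it treats the two legitimate mismatches raised elsewhere in the thread (a Sender: header on mail sent on someone else's behalf, and an envelope address on a host under the From: domain) as matches so they are not penalised. The weight, the function names and the sample messages are constructed for this example.

```python
"""Added example: a small scorer for the From:/Sender: vs envelope-sender
rule discussed in the thread.  Not code from the thread, Mailman or
SpamAssassin; names, weight and sample messages are constructed."""
from email import message_from_string
from email.utils import parseaddr

# Assumed weight: kept small, as the thread suggests, so legitimate
# mismatches only nudge the score rather than block a message.
MISMATCH_SCORE = 0.5


def _addr(msg, header):
    """Lower-cased bare address from a header, '' if absent."""
    return parseaddr(msg.get(header, ''))[1].lower()


def _split(addr):
    local, _, domain = addr.rpartition('@')
    return local, domain


def _same_principal(from_addr, envelope):
    """Stephen's case: the MTA writes u...@actual-host.example.com while
    the MUA writes u...@example.com.  Same local part, and the envelope
    domain is a host under the From: domain."""
    fl, fd = _split(from_addr)
    el, ed = _split(envelope)
    return bool(fl) and fl == el and ed.endswith('.' + fd)


def envelope_mismatch(msg, envelope_sender):
    """Return (score, reason).  Score is 0.0 when From: or Sender: agrees
    with the envelope sender, MISMATCH_SCORE when neither does."""
    env = parseaddr(envelope_sender)[1].lower()
    if not env:
        return 0.0, 'no envelope sender to compare'
    from_addr = _addr(msg, 'from')
    sender_addr = _addr(msg, 'sender')
    if from_addr == env:
        return 0.0, 'from matches envelope'
    if sender_addr == env:
        # Mark's boss/secretary case: Return-Path points at Sender:.
        return 0.0, 'sender matches envelope'
    if _same_principal(from_addr, env):
        return 0.0, 'envelope is a host under the from domain'
    return MISMATCH_SCORE, 'neither from nor sender matches envelope'


# Constructed sample messages (headers only; bodies are irrelevant here).
MSG_MATCH = message_from_string('From: user@example.org\n\nbody\n')
MSG_SECRETARY = message_from_string(
    'From: boss@example.org\nSender: secretary@example.org\n\nbody\n')
MSG_SUBHOST = message_from_string('From: user@example.com\n\nbody\n')
MSG_MISMATCH = message_from_string('From: promo@example.net\n\nbody\n')

if __name__ == '__main__':
    cases = [('match', MSG_MATCH, 'user@example.org'),
             ('secretary', MSG_SECRETARY, 'secretary@example.org'),
             ('subhost', MSG_SUBHOST, 'user@actual-host.example.com'),
             ('mismatch', MSG_MISMATCH, 'member@example.org')]
    for name, m, env in cases:
        print(name, envelope_mismatch(m, env))
```

The envelope sender is passed in separately because a content filter sees it from the SMTP session or the Return-Path: the receiving MTA wrote, not from a header the sender controls.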


Re: [Mailman-Users] non-subscriber managed to post to a subscriber only list

2009-01-26 Thread Brad Knowles

on 1/26/09 6:09 PM, Grant Taylor said:
> I meant the Return-Path which is the SMTP envelope sender.

In theory, your MTA should be putting the envelope sender address into
the "Return-Path:" header, so these two should always match.

If not, then you should talk to the vendor of your MTA software.

--
Brad Knowles
LinkedIn Profile:

If you like Jazz/R&B guitar, check out
my friend bigsbytracks on YouTube at
http://preview.tinyurl.com/bigsbytracks


Re: [Mailman-Users] non-subscriber managed to post to a subscriber only list

2009-01-26 Thread Stephen J. Turnbull
Grant Taylor writes:

 > About the only thing that I can think of where the From: and the
 > Return-Path: might not match is a forward or some other thing like
 > that. However I can't see why any one would have addresses
 > forwarding in to a mailing list.
 > 
 > Do you have such an example handy?

Sure.  Anybody who uses a single host to send mail but alters their
From according to the venue (me, for example).  Anybody whose MTA
identifies the envelope sender as u...@actual-host.example.com, but
whose MUA identifies them as u...@example.com in From.  Anybody whose
mail is handled on somebody else's account, and thus will have a
Sender header (typically Return-Path will more likely point to Sender
than From in that case).

It would be easy to implement in something like SpamAssassin.



Re: [Mailman-Users] non-subscriber managed to post to a subscriber only list

2009-01-26 Thread Grant Taylor

On 01/26/09 17:19, Mark Sapiro wrote:
> About the only things that you can "normally" expect to match are
> From: and envelope sender, but even there, there will be legitimate
> mail in which they won't match.

I meant the Return-Path which is the SMTP envelope sender.

About the only thing that I can think of where the From: and the
Return-Path: might not match is a forward or some other thing like that.
However I can't see why any one would have addresses forwarding in to
a mailing list.

Do you have such an example handy?

Grant. . . .


Re: [Mailman-Users] non-subscriber managed to post to a subscriber only list

2009-01-26 Thread Mark Sapiro
Lindsay Haisley wrote:

>On Mon, 2009-01-26 at 14:34 -0700, Steve Lindemann wrote:

>>   would mailman remove it from the header for 
>> final delivery to the list members?
>
>Yes, absolutely.  Not only in the text/plain part but in every part of a
>multipart message in which it occurs.  Otherwise it would be the
>equivalent of serving up your list security on a silver platter to the
>world and passing out carving knives :(


As a point of clarification, if the Approved: header is a message
header, it will be removed.

In order to accommodate those who have difficulty adding arbitrary real
headers to messages, the Approved: header can be added as a
pseudo-header as the first non-blank line of the first text/plain part
of the message. If it is found there, it is also looked for in and
removed from other text/* parts of the message.

Some caveats are:

If a pseudo-header is not in the first text/plain part (e.g. the
message is html only), it won't be found or removed, but presumably
there was a need for the message to be pre-approved, so it won't go to
the list.

The removal of the pseudo-header from html and/or subsequent parts is a
best effort, not a guarantee. It is possible that the header will be
sufficiently garbled with additional html tags or entities or other
rich text artifacts, that it won't be found.

The moral is if at all possible, use a real header. If you have to use
a pseudo-header, post a text/plain only message or remove non-text/plain
parts with content filtering.

-- 
Mark Sapiro                          The highway is for gamblers,
San Francisco Bay Area, California   better use your sense - B. Dylan
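
A small model of the Approved: pseudo-header handling Mark describes above, added here as an example; it is not Mailman's own code. It looks for the pseudo-header only as the first non-blank line of the first text/plain part, strips it from every text/* part when found there, and shows the two caveats: an html-only post where it is never found, and an html copy garbled with an entity that the best-effort removal misses. Password verification is left out on purpose; the regex, the function names and the sample messages are constructed for this example.

```python
"""Added example, not Mailman's own code: a model of Approved:
pseudo-header detection and removal as described in the thread.
Password checking is left out; sample messages are constructed."""
import re
from email import message_from_string

# Accept optional leading tags so a plain <p>Approved: ...</p> in an html
# part is found; entities or other rich-text artifacts are not handled,
# which is the best-effort limit the thread warns about.
APPROVED_RE = re.compile(r'^\s*(?:<[^>]+>\s*)*approved\s*:', re.IGNORECASE)


def _text(part):
    charset = part.get_content_charset() or 'us-ascii'
    return part.get_payload(decode=True).decode(charset, 'replace')


def find_pseudo_header(msg):
    """Return the Approved: line if it is the first non-blank line of the
    first text/plain part, else None (an html-only post is never found)."""
    for part in msg.walk():
        if part.get_content_type() != 'text/plain':
            continue
        for line in _text(part).splitlines():
            if line.strip():
                return line if APPROVED_RE.match(line) else None
        return None
    return None


def strip_pseudo_header(msg):
    """Remove the first Approved: line from every text/* part.  Returns the
    content types that were cleaned; a part whose copy is garbled stays."""
    cleaned = []
    for part in msg.walk():
        if part.get_content_maintype() != 'text':
            continue
        lines = _text(part).splitlines()
        for i, line in enumerate(lines):
            if APPROVED_RE.match(line):
                del lines[i]
                part.set_payload('\n'.join(lines))
                cleaned.append(part.get_content_type())
                break
    return cleaned


def leaks(msg, secret):
    """Defender's check: which text parts still carry the password."""
    return [p.get_content_type() for p in msg.walk()
            if p.get_content_maintype() == 'text' and secret in _text(p)]


def process(raw):
    """Parse, look for the pseudo-header where the thread says it is
    looked for, and strip it from all text parts only if found there."""
    msg = message_from_string(raw)
    line = find_pseudo_header(msg)
    cleaned = strip_pseudo_header(msg) if line else []
    return msg, line, cleaned


_HEAD = ('From: mod@example.org\nTo: list@example.org\nSubject: constructed\n'
         'MIME-Version: 1.0\nContent-Type: multipart/alternative; boundary="b1"\n\n')
_PLAIN = ('--b1\nContent-Type: text/plain; charset="us-ascii"\n\n'
          'Approved: s3cret-example\n\nHello list.\n')

# Constructed samples: a clean multipart/alternative post, one whose html
# copy is garbled with an entity, and an html-only post.
SAMPLE_OK = _HEAD + _PLAIN + (
    '--b1\nContent-Type: text/html; charset="us-ascii"\n\n'
    '<p>Approved: s3cret-example</p>\n<p>Hello list.</p>\n--b1--\n')
SAMPLE_GARBLED = _HEAD + _PLAIN + (
    '--b1\nContent-Type: text/html; charset="us-ascii"\n\n'
    '<p>Approved&#58; s3cret-example</p>\n<p>Hello list.</p>\n--b1--\n')
SAMPLE_HTML_ONLY = (
    'From: mod@example.org\nTo: list@example.org\nSubject: constructed\n'
    'MIME-Version: 1.0\nContent-Type: text/html; charset="us-ascii"\n\n'
    '<p>Approved: s3cret-example</p>\n<p>Hello list.</p>\n')

if __name__ == '__main__':
    for name, raw in [('ok', SAMPLE_OK), ('garbled', SAMPLE_GARBLED),
                      ('html-only', SAMPLE_HTML_ONLY)]:
        msg, line, cleaned = process(raw)
        print(name, repr(line), cleaned, 'leaks:', leaks(msg, 's3cret-example'))
```

The `leaks` check is the part worth keeping around: run it on what the list would distribute, and any text part it names is a copy of the password that content filtering or a text/plain-only post would have avoided.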



Re: [Mailman-Users] non-subscriber managed to post to a subscriber only list

2009-01-26 Thread Mark Sapiro
Lindsay Haisley wrote:

>On Mon, 2009-01-26 at 16:49 -0600, Grant Taylor wrote:
>> Is there a way that we can require some of these things (if they exist) 
>> to match each other?  I.e. to require the 'from' and the 'reply-to' to 
>> match?
>
>This might not be such a good idea.  A "Reply-To" header is optional and is
>generally used if a reply should be sent to some address _other_ than
>the specified From header address, so if it's present, it may logically
>not match the From header address.  I'm not so sure about the Sender
>header, but I know that it's optional and I believe it's also used to
>further "fine tune" information regarding the origin of an email if it's
>from an organization.


The intent of Sender: is along the lines of

From: The Boss
Sender: The Boss's Secretary

About the only things that you can "normally" expect to match are From:
and envelope sender, but even there, there will be legitimate mail in
which they won't match.

-- 
Mark Sapiro                          The highway is for gamblers,
San Francisco Bay Area, California   better use your sense - B. Dylan



Re: [Mailman-Users] non-subscriber managed to post to a subscriber only list (SOLVED)

2009-01-26 Thread Lindsay Haisley
On Mon, 2009-01-26 at 16:54 -0600, Grant Taylor wrote:
> It will be *VERY* difficult for me to spoof an SMTP envelope sender for 
> Microsoft without SPF filters (and the likes) detecting it and acting
> accordingly.

My experience with SPF is that it's not at this point widely enough
deployed so that it can reliably be used as an accept/reject filtering
criterion.  I tried to do it at one point on my mail servers and got
flack right away from customers who couldn't get their legitimate
email :-(

-- 
Lindsay Haisley   |  "We are all broken  | PGP public key
FMP Computer Services |   toasters, but we   |  available at
512-259-1190  | still manage to make |
http://www.fmp.com|toast"|
  |(Cheryl Dehut)|




Re: [Mailman-Users] non-subscriber managed to post to a subscriber only list (SOLVED)

2009-01-26 Thread Grant Taylor

On 01/26/09 16:51, Lindsay Haisley wrote:
> It's no more difficult to spoof the From header than it is to spoof
> the envelope sender address, but at least this way, if it happens
> again, you'll more easily see which header got the spam through and
> not have to go digging for it.

I'll agree it's almost trivial to spoof either or both if you know what
you are doing.

However there is quite a bit of difference in the filtering of the SMTP
envelope sender that is likely to exist (to some degree) along the way.

It will be *VERY* difficult for me to spoof an SMTP envelope sender for
Microsoft without SPF filters (and the likes) detecting it and acting
accordingly.

Grant. . . .


Re: [Mailman-Users] non-subscriber managed to post to a subscriber only list (SOLVED)

2009-01-26 Thread Lindsay Haisley
On Mon, 2009-01-26 at 15:44 -0700, Steve Lindemann wrote:
> Thanks... I like that solution much more better 8^)

It's no more difficult to spoof the From header than it is to spoof the
envelope sender address, but at least this way, if it happens again,
you'll more easily see which header got the spam through and not have to
go digging for it.

-- 
Lindsay Haisley   | "Everything works| PGP public key
FMP Computer Services |   if you let it" |  available at
512-259-1190  |(The Roadie)  | http://pubkeys.fmp.com
http://www.fmp.com|  |





Re: [Mailman-Users] non-subscriber managed to post to a subscriber only list (SOLVED)

2009-01-26 Thread Steve Lindemann

Lindsay Haisley wrote:
> On Mon, 2009-01-26 at 15:26 -0700, Steve Lindemann wrote:
>> Thanks! Got it!  They spoofed a legitimate list member on the
>> Return-Path:, which also showed up on the first ("From ") message header
>> line.
>
> Both of these reflect the envelope sender address used in the SMTP
> dialog with the mail server.
>
>> I don't suppose there's anything we can do about this other than change
>> that particular user's email address... is there?
>
> You can restrict the set of headers used to identify subscribers using
> the SENDER_HEADERS variable in mm_cfg.py, as Mark indicated.  By default
> (in Defaults.py) this is:
>
> SENDER_HEADERS = ('from', None, 'reply-to', 'sender')
>
> You can eliminate the envelope sender address from the mix by setting
> this simply to:
>
> SENDER_HEADERS = ('from', 'reply-to')
>
> or drop 'reply-to' if you want to be even more restrictive.

Thanks... I like that solution much more better 8^)

...too many messages going by too quickly.  I skimmed Mark's message but
since he was answering Grant's question I didn't read it as closely as I
should have.  I'm going back now to read thru the thread more slowly.

Thanks to all!
--
Steve Lindemann __
Network Administrator  //\\  ASCII Ribbon Campaign
Marmot Library Network, Inc.   \\//  against HTML/RTF email,
http://www.marmot.org  //\\  vCards & M$ attachments
+1.970.242.3331 x116
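
A model of how the SENDER_HEADERS tuple quoted above selects the addresses a post is taken to be from, added here as an example so the default and the restricted settings can be compared on a post of the kind described in this thread; it is not Mailman's own code. The two tuple values are the ones quoted in the thread; the member list, the sample post, the fallback to Return-Path: when no envelope sender is handed in, and the function names are constructed for this example.

```python
"""Added example, not Mailman's own code: a model of the SENDER_HEADERS
member check, comparing the default and restricted tuples quoted in
the thread.  Member list, sample post and names are constructed."""
from email import message_from_string
from email.utils import parseaddr

# From Defaults.py as quoted in the thread.  None stands for the SMTP
# envelope sender (the Unix "From " / Return-Path: address).
DEFAULT_SENDER_HEADERS = ('from', None, 'reply-to', 'sender')
# The restricted setting suggested in the thread.
RESTRICTED_SENDER_HEADERS = ('from', 'reply-to')


def _raw(msg, envelope_sender, header):
    """Header value for one SENDER_HEADERS entry.  None means the envelope
    sender handed over by the MTA; assumed fallback: Return-Path:."""
    if header is None:
        return envelope_sender or msg.get('return-path', '')
    return msg.get(header, '')


def candidate_senders(msg, envelope_sender, sender_headers):
    """Lower-cased addresses, in SENDER_HEADERS order, that the member
    check would consider for this post."""
    found = []
    for h in sender_headers:
        addr = parseaddr(_raw(msg, envelope_sender, h))[1].lower()
        if addr and addr not in found:
            found.append(addr)
    return found


def matching_header(msg, envelope_sender, members, sender_headers):
    """Name of the first SENDER_HEADERS entry ('envelope' for None) whose
    address is subscribed, or None when the post counts as a non-member
    post.  Returning the name is what tells an admin which header let a
    post through, the point Lindsay makes earlier in the thread."""
    members = {m.lower() for m in members}
    for h in sender_headers:
        if parseaddr(_raw(msg, envelope_sender, h))[1].lower() in members:
            return 'envelope' if h is None else h
    return None


# Constructed sample: the Return-Path carries a real member address
# while From: is the sender's own, as in the incident in the thread.
SPOOFED_POST = """\
Return-Path: <member@example.org>
From: Promo <promo@example.net>
To: list@example.org
Subject: constructed sample

body
"""
SPOOFED_MSG = message_from_string(SPOOFED_POST)
MEMBERS = {'member@example.org', 'other@example.org'}

if __name__ == '__main__':
    for name, cfg in [('default', DEFAULT_SENDER_HEADERS),
                      ('restricted', RESTRICTED_SENDER_HEADERS)]:
        print(name, candidate_senders(SPOOFED_MSG, 'member@example.org', cfg),
              matching_header(SPOOFED_MSG, 'member@example.org', MEMBERS, cfg))
```

With the default tuple the post is attributed to the member via the envelope sender; with the restricted tuple no candidate is subscribed and the post falls to the non-member handling, which is the behaviour the restricted setting is meant to give.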




Re: [Mailman-Users] non-subscriber managed to post to a subscriber only list

2009-01-26 Thread Lindsay Haisley
On Mon, 2009-01-26 at 14:51 -0700, Steve Lindemann wrote:
> Rechecked the delivered message header and found the list bounces 
> address in the Sender: and Return-Path: headers, but I thought that was 
> normal on the delivered message.

It is, if you're looking at the _distributed_ post.  This is the
envelope sender address which Mailman used when distributing the email,
possibly a VERP address if you have this enabled.  What you need to look
at is the headers on the post which the list server _received_, not what
it sends out.

> I didn't think the -bounces address was considered a member of the 
> list...  is it?

No, unless someone subscribed it.

-- 
Lindsay Haisley   |  "We are all broken  | PGP public key
FMP Computer Services |   toasters, but we   |  available at
512-259-1190  | still manage to make |
http://www.fmp.com|toast"|
  |(Cheryl Dehut)|




Re: [Mailman-Users] non-subscriber managed to post to a subscriber only list

2009-01-26 Thread Steve Lindemann

Mark Sapiro wrote:
> All the headers of the spam post. In a default installation, if any of
> From:, Reply-To: or Sender: headers or the envelope sender as
> reflected in the Unix From or Return-Path: header contains a member
> address, the post will be deemed from that member.
>
> Find the spam posts in archives/private/LISTNAME.mbox/LISTNAME.mbox.
> The headers there should reflect the original except maybe for
> Reply-To: if the list mungs that.
>
> If that isn't the answer, then it is possible that, as Lindsay
> suggests, the post contained an Approved: header with the list admin
> or moderator password.

Rechecked the delivered message header and found the list bounces
address in the Sender: and Return-Path: headers, but I thought that was
normal on the delivered message.

Checked the archives and found the note "An HTML attachment was
scrubbed..." and a link to the html portion of the message.  The rest of
the message (including the header) appears to be missing from the archive.

I didn't think the -bounces address was considered a member of the
list...  is it?

--
Steve Lindemann __
Network Administrator  //\\  ASCII Ribbon Campaign
Marmot Library Network, Inc.   \\//  against HTML/RTF email,
http://www.marmot.org  //\\  vCards & M$ attachments
+1.970.242.3331 x116




Re: [Mailman-Users] non-subscriber managed to post to a subscriber only list

2009-01-26 Thread Lindsay Haisley
On Mon, 2009-01-26 at 14:34 -0700, Steve Lindemann wrote:
> Lindsay Haisley wrote:
> > Is it possible that the list mod or admin password got out?  I believe
> > that anyone can post to a moderated list by putting an "Approved:
> > " header or pseudo-header in a post.
> 
> I'm on one of the lists that accepted the message (which is how it came 
> to my attention) and I just rechecked the message header and didn't see 
> anything resembling that...  would mailman remove it from the header for 
> final delivery to the list members?

Yes, absolutely.  Not only in the text/plain part but in every part of a
multipart message in which it occurs.  Otherwise it would be the
equivalent of serving up your list security on a silver platter to the
world and passing out carving knives :(

>   Regardless, I'll see to getting 
> passwords changed, thanks.

Good idea.  Check your full headers on these posts.  Mark's note is
probably relevant here.

-- 
Lindsay Haisley   | "The difference between | PGP public key
FMP Computer Services |  a duck is because one  |  available at
512-259-1190  |  leg is both the same"  | http://pubkeys.fmp.com
http://www.fmp.com|   - Anonymous   |



Re: [Mailman-Users] non-subscriber managed to post to a subscriber only list

2009-01-26 Thread Steve Lindemann

Lindsay Haisley wrote:
> Is it possible that the list mod or admin password got out?  I believe
> that anyone can post to a moderated list by putting an "Approved:
> " header or pseudo-header in a post.

I'm on one of the lists that accepted the message (which is how it came
to my attention) and I just rechecked the message header and didn't see
anything resembling that...  would mailman remove it from the header for
final delivery to the list members?  Regardless, I'll see to getting
passwords changed, thanks.

--
Steve Lindemann __
Network Administrator  //\\  ASCII Ribbon Campaign
Marmot Library Network, Inc.   \\//  against HTML/RTF email,
http://www.marmot.org  //\\  vCards & M$ attachments
+1.970.242.3331 x116



Re: [Mailman-Users] non-subscriber managed to post to a subscriber only list

2009-01-26 Thread Lindsay Haisley
Is it possible that the list mod or admin password got out?  I believe
that anyone can post to a moderated list by putting an "Approved:
" header or pseudo-header in a post.

On Mon, 2009-01-26 at 13:40 -0700, Steve Lindemann wrote:
> Had something strange occur early Saturday morning.  A non-subscriber 
> managed to successfully post to two member only lists (and, of course, 
> it was spam).
> 
> The bogus sender (thelevisstoreonl...@levis.rsys1.com) is not a member 
> of these member only lists and is not in the accept_these_nonmembers 
> filter.  Other non-member posts are being caught and sent to moderation. 
>   Is there something else that I should be looking at?
> 
> I checked the logs and the sender sent to 5 of our hosted lists.  They 
> were caught (per the vette log) by 3 of those lists as a non-member, but 
> posted successfully to the other 2 lists (per smtp and post logs).
> 
> I've checked the docs and faqs and haven't found a reference for 
> something like this.  I've checked all the logs and the configs (via the 
> web interface) on the two lists that posted allowed the post.  I can't 
> find any reason for it and have to wonder if I'm checking everything. 
> I've looked thru everything that makes sense and much that doesn't.  If 
> I had hair I'd be pulling it out!

-- 
Lindsay Haisley   | "In an open world,| PGP public key
FMP Computer Services |who needs Windows  |  available at
512-259-1190  |  or Gates"| http://pubkeys.fmp.com
http://www.fmp.com|   |

