[Bug 1721746] [NEW] [If member-email known] Malformed "From:" header accepted -> anyone can post to list.
*** This bug is a security vulnerability ***

Private security bug reported:

Hello,

because we got some spam from outside, but with the email address of a list member lately, we found after an investigation that the e-mail header

From: "memberuseremail@" <memberuserdomain.tld somerandomspamemail.tld>

will be accepted by Mailman and posted to the list. So if the spammer knows a valid member email address it is possible to send emails to the list. I don't know if this is fixed already and I have to poke the Ubuntu team instead.

Versions:
Ubuntu 16.04 LTS
Mailman Version: 1:2.1.20-1ubuntu0.1
Postfix Version: 3.1.0-3

** Affects: mailman
Importance: Undecided
Status: New

** Tags: email sender

--
You received this bug notification because you are a member of Mailman Coders, which is subscribed to GNU Mailman.
https://bugs.launchpad.net/bugs/1721746

Title:
[If member-email known] Malformed "From:" header accepted -> anyone can post to list.

To manage notifications about this bug go to:
https://bugs.launchpad.net/mailman/+bug/1721746/+subscriptions
** Information type changed from Private Security to Public
This is not a security issue in Mailman. Yes it is possible to spoof a list member's address in various headers to cause a post to be accepted by a list, but there's nothing Mailman or any list management software can do about that short of moderating all members.

Also, see <https://mail.python.org/pipermail/mailman-users/2017-October/082558.html>, <https://wiki.list.org/x/4030556> and the "How to post to the announcement list:" section at <https://wiki.list.org/x/4030685>.

** Changed in: mailman
Status: New => Invalid
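The report above quotes a From: header that is not a well-formed RFC 5322 mailbox yet was still matched to a member address, and the reply makes the complementary point that a syntactically clean spoof of a member address cannot be told apart by the list software. The following script is an added example, not Mailman's own code, that shows both halves: it parses a From: header with the Python standard library's RFC 5322 header parser (email.policy.default), rejects headers that carry parse defects or do not reduce to exactly one valid addr-spec, and only then classifies the sender against a member roster. It goes slightly beyond the single case in the report by also rejecting multi-mailbox headers and holding non-member senders for moderation. The roster, every address other than the one quoted in the report, and the function names parse_from and classify_from are assumptions made for this example.

```python
"""Strict From: header validation for list posts (added example, not Mailman code)."""
import re
from email import message_from_string
from email.policy import default

# Constructed roster of list members (hypothetical address, not from the bug).
MEMBERS = {"member@example.org"}

# Dot-atom form of an RFC 5322 addr-spec: local-part "@" dotted domain.
# Applied to the *parsed* address so that nothing the parser had to repair
# (embedded whitespace, missing domain, obsolete syntax) slips through.
ADDR_SPEC = re.compile(
    r"^[A-Za-z0-9!#$%&'*+/=?^_`{|}~.-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+$"
)


def parse_from(raw_header):
    """Parse one From: header value with the stdlib RFC 5322 parser.

    Returns (addresses, defects).  The parser is lenient and records what it
    had to repair as defects instead of raising; any exception it does raise
    is reported as a defect so callers always get one uniform result.
    """
    if "\r" in raw_header or "\n" in raw_header:
        # A line break would let the value smuggle in further headers.
        return [], ["header value contains a line break"]
    try:
        msg = message_from_string("From: %s\n\nbody\n" % raw_header,
                                  policy=default)
        header = msg["From"]
        return list(header.addresses), [str(d) for d in header.defects]
    except Exception as exc:  # hopelessly broken input
        return [], ["unparseable: %s" % exc]


def classify_from(raw_header, members=MEMBERS):
    """Return ("reject" | "hold" | "accept", detail) for a From: header.

    reject: the header is not a single, well-formed mailbox
    hold:   well-formed, but the sender is not a member (moderator decides)
    accept: well-formed and the sender is on the roster
    """
    addresses, defects = parse_from(raw_header)
    if defects:
        return "reject", "malformed From: " + "; ".join(defects)
    if len(addresses) != 1:
        return "reject", "From: must carry exactly one mailbox"
    addr_spec = addresses[0].addr_spec
    if not ADDR_SPEC.match(addr_spec):
        return "reject", "addr-spec does not validate: %r" % addr_spec
    if addr_spec.lower() not in members:
        return "hold", "non-member sender %s" % addr_spec
    return "accept", addr_spec


# The header quoted in the bug report, followed by a syntactically clean
# spoof of the roster address and a non-member: the first is rejected on
# syntax alone, the second passes every header check (the reply's point),
# the third is held for a moderator.
SAMPLE_HEADERS = [
    '"memberuseremail@" <memberuserdomain.tld somerandomspamemail.tld>',
    "Member <member@example.org>",
    "Someone Else <stranger@example.net>",
]

if __name__ == "__main__":
    for raw in SAMPLE_HEADERS:
        verdict, detail = classify_from(raw)
        print("%-7s %s\n        %s" % (verdict, raw, detail))
```

Run against the header from the report, the parser records defects (the text inside the angle brackets has no "@" and contains whitespace) and the header is rejected before any membership lookup happens. The same function accepts "Member <member@example.org>" when that address is on the roster, which is exactly the situation the reply describes: a clean spoof of a member address passes every syntactic check, so the remaining defence is the one named there, moderating member posts.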
participants (2)

- Mark Sapiro
- René Freund