At Tue, 24 Jan 2023 14:00:01 +0100 "Thomas F. Holz" <tfh@Seelen.Theater> wrote:
> Hello to the round. Unfortunately I could not find a better place for my questions, nor did I find any answers within the docs or by Google. So here it is. The questions refer to Mailman 2.1.23.
> If I know the address of a list member and the address of the mailing list, I seem to be allowed to write in the list in his place. Is this correct?
> It seems to me that this is possible in at least two ways with the lists I am responsible for, and I don't like that:
> 1)--- First, I can fake the sender address. If the original sender address and mail with the forgery are sent from the same domain, then this is not prevented by the MTA (SPF/DKIM check), is it?
Depends on MTA settings.
> With freemailers like gmail, web.de, gmx etc. this doesn't seem so impossible to me (i.e. that listmember and bad guy write from the same domain).
Some of these mailers might not let someone randomly mess with the From: header. Most often the spoofers are NOT actually using legit free e-mail services to send spoofed e-mail, but are instead doing things like connecting directly to your inbound MTA from their laptop (or from hacked PCs). In either case the HELO command and/or the Received: header will identify this and this can be checked, either by the inbound MTA or by Mailman (add a spam filter checking the Received: header for bad IP addresses).
> 2)--- Second, even more strange to me: If I write to the mailing list from a valid address (which is NOT a member of the mailing list), and specify a "return-to" in the header with a listmember's address, then that gets waved through to my mailing list as well. My mailman lists here seem to ignore the "From" address completely then.
This is strange.
> In this case, it doesn't even matter which domain the bad guy writes from, as long as the return address stands up to the usual checks (SPF/DKIM/DMARC).
> Have I understood this correctly? And if this is as described, how can I prevent this?
You need some spam filtering designed to catch this.
> Background: I have inherited a larger Sendmail server and several dozen Mailman lists. Unfortunately, migration to Mailman3 is not an option (at least in the foreseeable future). So I have to live with the given - and annoy others with stupid questions from time to time. Sorry for that.
> In advance with thanks and greetings from Germany, Thomas
--
Robert Heller -- Cell: 413-658-7953 GV: 978-633-5364
Deepwoods Software -- Custom Software Services
http://www.deepsoft.com/ -- Linux Administration Services
heller@deepsoft.com -- Webhosting Services
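A defender-side sketch of the kind of filtering Robert suggests, added here as an example and not code from this thread or from Mailman itself. It treats the From:, Sender:, Reply-To: and envelope addresses as candidate senders (an assumption about the set a membership check might consider), flags a post whose From: is a non-member while another candidate address is a member (Thomas's second case), and checks the relay IPs in Received: headers against a blocklist. The member list, blocklist and sample message are constructed.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Constructed sample data (hypothetical values, not from the thread).
LIST_MEMBERS = {"member@example.org"}
BAD_RELAY_IPS = {"203.0.113.7"}
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

SAMPLE = """Received: from mail.example.net (mail.example.net [203.0.113.7])
\tby lists.example.org with ESMTP; Tue, 24 Jan 2023 14:00:01 +0100
From: outsider@example.com
Reply-To: member@example.org
To: somelist@example.org
Subject: constructed test post

body
"""


def candidate_senders(msg, envelope_sender):
    """Addresses a membership check might consider, keyed by where they came from."""
    found = {}
    for hdr in ("From", "Sender", "Reply-To"):
        for _, addr in getaddresses(msg.get_all(hdr, [])):
            if addr:
                found.setdefault(hdr, addr.lower())
    if envelope_sender:
        found["envelope"] = envelope_sender.lower()
    return found


def assess(raw, envelope_sender, members=LIST_MEMBERS, bad_ips=BAD_RELAY_IPS):
    """Return a list of findings; an empty list means nothing suspicious was seen."""
    msg = message_from_string(raw)
    senders = candidate_senders(msg, envelope_sender)
    findings = []
    # Case 2 from the question: From: is not a member, but another header is.
    if senders.get("From") not in members:
        for hdr in ("Reply-To", "Sender", "envelope"):
            if senders.get(hdr) in members:
                findings.append(f"non-member From but member address in {hdr}")
    # Robert's suggestion: look at the relays recorded in Received: headers.
    for received in msg.get_all("Received", []):
        for ip in IP_RE.findall(received):
            if ip in bad_ips:
                findings.append(f"relay {ip} in blocklist")
    return findings
```

Run `assess(SAMPLE, "outsider@example.com")` to see both findings for the constructed message; a real deployment would feed the same checks the envelope sender the MTA hands to Mailman.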