how did spam message get through a moderated list?
Recently a spam message came in to four lists I administer. The email was written like this: firstmlast <user@example.com>.
I recognized the real name, because First M. Last is someone I know and is subscribed to all the lists. However, the "user@example.com" was totally foreign. So spam.
Three of the lists automatically discarded the email, as I have configured them to do, and sent me a notification about it. But the fourth list sent it through, even though user@example.com was not subscribed to the list, and I have generic_nonmember_action set to Discard.
For the life of me, I cannot figure out how/why this email got through. I have set the list to emergency moderation for now, but I'd like to know how it got through in the first place.
I did a config dump and vimdiff across the 3 lists. Apart from the list names, signatures, and two minor fields (max_num_recipients and admin_member_chunksize), they are all identical.
In /usr/local/mailman/logs/post, I see this for the message:
Jun 26 03:48:40 2019 (1052) post to listname from user@example.com, size=6065, message-id <xxxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx@xxxxx-xxxxxxxx>, success
For the other 3 lists, I see this in /usr/local/mailman/logs/vette:
Jun 26 03:48:31 2019 (1050) Message discarded, msgid: <xxxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx@xxxxx-xxxxxxxx>' list: list1, handler: Moderate
Jun 26 03:48:51 2019 (1050) Message discarded, msgid: <xxxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx@xxxxx-xxxxxxxx>' list: list2, handler: Moderate
Jun 26 03:50:22 2019 (1050) Message discarded, msgid: <xxxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx@xxxxx-xxxxxxxx>' list: list3, handler: Moderate
Does anyone know why the message to the fourth list went through?
On 6/26/19 2:36 PM, Aleksandr Miroslav wrote:
> Three of the lists automatically discarded the email, as I have configured them to do, and sent me a notification about it. But the fourth list sent it through, even though user@example.com was not subscribed to the list, and I have generic_nonmember_action set to Discard.
>
> For the life of me, I cannot figure out how/why this email got through. I have set the list to emergency moderation for now, but I'd like to know how it got through in the first place.
Mailman looks at more than the From: header to determine if the message is from a list member. From Defaults.py:

# Membership tests for posting purposes are usually performed by looking at a
# set of headers, passing the test if any of their values match a member of
# the list.  Headers are checked in the order given in this variable.  The
# value None means use the From_ (envelope sender) header.  Field names are
# case insensitive.
SENDER_HEADERS = ('from', None, 'reply-to', 'sender')
It may or may not be possible to determine from looking at the received post what all these values were in the incoming message as Reply-To: may have been munged based on list settings and the envelope sender and Sender: headers will have been rewritten to the list-bounces address, but if you have access, you can determine the envelope sender from the system MTA logs.
In any case, I'm sure the message was accepted because one of the envelope sender, Reply-To: or Sender: had a list member address.
-- 
Mark Sapiro <mark@msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
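
A diagnostic sketch of the membership test described in the reply above, added here as an example and not taken from Mailman's code or from either poster. It reports every checked value that matches a member (Mailman passes the test on any one match); the sample message, the addresses and the function name sender_matches are constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses

# Order taken from the Defaults.py excerpt quoted in the thread;
# None stands for the envelope sender (From_).
SENDER_HEADERS = ('from', None, 'reply-to', 'sender')

# Constructed sample: From: is a non-member, Reply-To: is a member.
SAMPLE = """\
From: firstmlast <user@example.com>
Reply-To: first.last@example.org
To: listname@lists.example.org
Subject: constructed sample
Message-ID: <constructed-sample@example.com>

body
"""
MEMBERS = {'first.last@example.org'}  # constructed membership roster


def sender_matches(raw_message, envelope_sender, members,
                   sender_headers=SENDER_HEADERS):
    """Return [(source, address)] for each checked value that is a member.

    An empty list means the post would be treated as a non-member post.
    """
    msg = message_from_string(raw_message)
    roster = {m.lower() for m in members}
    hits = []
    for header in sender_headers:
        if header is None:
            # The envelope sender is not a header; take it from the MTA logs.
            source, values = 'envelope', [envelope_sender or '']
        else:
            source, values = header, msg.get_all(header, [])
        for _name, addr in getaddresses(values):
            if addr and addr.lower() in roster:
                hits.append((source, addr.lower()))
    return hits


if __name__ == '__main__':
    for source, addr in sender_matches(SAMPLE, 'bounce@mailer.example.net', MEMBERS):
        print('member match via %s: %s' % (source, addr))
```

Run it against the message as it arrived at the MTA rather than the copy the list delivered, since the delivered copy may have Reply-To: munged and Sender: rewritten.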