Non-member posting to the list
Hi, I was configuring a server with Joomla and AcyMailing to send mass emails, and then I realized that if I configure the sender address as that of a non-moderated user, it could send a message to the list without the non-moderated user knowing. How can I avoid that? Isn't there any configuration in Mailman that prevents messages with forged From headers from being posted to the list?
Thanks.
Rodrigo Abrantes Antunes wrote:
Hi, I was configuring a server with Joomla and AcyMailing to send mass emails, and then I realized that if I configure the sender address as that of a non-moderated user, it could send a message to the list without the non-moderated user knowing. How can I avoid that?
See the FAQ at http://wiki.list.org/x/XIA9.
Isn't there any configuration in Mailman that prevents messages with forged From headers from being posted to the list?
If I knew how to tell if a header was spoofed, I could do that, but I don't know how to tell; do you?
-- Mark Sapiro mark@msapiro.net, San Francisco Bay Area, California. "The highway is for gamblers, better use your sense" - B. Dylan
On 2012-11-13 1:52 AM, Mark Sapiro mark@msapiro.net wrote:
If I knew how to tell if a header was spoofed, I could do that, but I don't know how to tell; do you?
Maybe an alternative would be an option that for every message posted to the list, a confirmation email is sent to the member's email address, that they then have to click a link to 'approve' sending the message, just like how subscribes/unsubscribes have to be confirmed.
Maybe this could even be extended with some kind of way of caching the source IP of approved messages, so when messages come in with the same sender and from the same IP that has already been approved, those messages go straight through without requiring confirmation?
Not a good option for really high volume lists with lots of members, but for smaller orgs, maybe a viable option?
Just thinking out loud, because this has definitely been a problem on our end (I've even had to set the emergency moderation bit a few times until these idiots stopped spamming the list).
I also just noticed the option under the Privacy > Spam controls in the GUI under 'Legacy anti-spam filters' where I can enter the listname itself, to prevent anyone sending spoofed messages from the list to the list.
Tanstaafl wrote:
Maybe an alternative would be an option that for every message posted to the list, a confirmation email is sent to the member's email address, that they then have to click a link to 'approve' sending the message, just like how subscribes/unsubscribes have to be confirmed.
That's an interesting idea. Personally, if I enabled that feature on any of my lists, I'd be taken out and shot, and I'd want to do the same to anyone who did it on any list I'm a member of, but if people want such a list configuration option, we could consider it for MM 3.
Maybe this could even be extended with some kind of way of caching the source IP of approved messages, so when messages come in with the same sender and from the same IP that has already been approved, those messages go straight through without requiring confirmation?
That would help some. Sort of like greylisting with a twist, but I think it would still be unacceptable to many list members.
[...]
I also just noticed the option under the Privacy > Spam controls in the GUI under 'Legacy anti-spam filters' where I can enter the listname itself, to prevent anyone sending spoofed messages from the list to the list.
Yes, and you could also use header_filter_rules for this, but you have bigger problems if the list posting address is a member of the list, so ordinary non_member actions should handle this.
-- Mark Sapiro mark@msapiro.net, San Francisco Bay Area, California. "The highway is for gamblers, better use your sense" - B. Dylan
Quoting Mark Sapiro mark@msapiro.net:
Tanstaafl wrote:
Maybe an alternative would be an option that for every message posted to the list, a confirmation email is sent to the member's email address, that they then have to click a link to 'approve' sending the message, just like how subscribes/unsubscribes have to be confirmed.
That's an interesting idea. Personally, if I enabled that feature on any of my lists, I'd be taken out and shot, and I'd want to do the same to anyone who did it on any list I'm a member of, but if people want such a list configuration option, we could consider it for MM 3.
Maybe this could even be extended with some kind of way of caching the source IP of approved messages, so when messages come in with the same sender and from the same IP that has already been approved, those messages go straight through without requiring confirmation?
That would help some. Sort of like greylisting with a twist, but I think it would still be unacceptable to many list members.
[...]
I also just noticed the option under the Privacy > Spam controls in the GUI under 'Legacy anti-spam filters' where I can enter the listname itself, to prevent anyone sending spoofed messages from the list to the list.
Yes, and you could also use header_filter_rules for this, but you have bigger problems if the list posting address is a member of the list, so ordinary non_member actions should handle this.
In my case, I found that the Return-Path header is the address of the original sender, so how could I add a rule in Mailman to deny posts whose Return-Path address is not a member's?
On Tue, Nov 13, 2012 at 04:03:32PM -0200, Rodrigo Abrantes Antunes wrote:
In my case, I found that the Return-Path header is the address of the original sender, so how could I add a rule in Mailman to deny posts whose Return-Path address is not a member's?
The envelope-sender can also be spoofed trivially.
If you want to prevent someone from sending email as someone who *is* approved to post to the list, I think your safest bet is to require approval for all posts to the list -- in other words, set the action for posts by moderated members allowed to post to 'hold', and have the moderate bit set even for users who are allowed to post.
w
Will Yardley wrote:
On Tue, Nov 13, 2012 at 04:03:32PM -0200, Rodrigo Abrantes Antunes wrote:
In my case, I found that the Return-Path header is the address of the original sender, so how could I add a rule in Mailman to deny posts whose Return-Path address is not a member's?
The envelope-sender can also be spoofed trivially.
If you want to prevent someone from sending email as someone who *is* approved to post to the list, I think your safest bet is to require approval for all posts to the list -- in other words, set the action for posts by moderated members allowed to post to 'hold', and have the moderate bit set even for users who are allowed to post.
Yes. As indicated in the FAQ I referred to in my original reply, the safe way to do this is to moderate everyone or otherwise arrange for all list posts to be held. Then authorized posts can be sent with an Approved: <password> header or first body line pseudo-header to bypass the hold. <password> is the list admin password, the moderator password or, beginning in Mailman 2.1.15, the special list poster password.
If you are the site admin, you can require that only the envelope sender (the address reflected in Return-Path:) be recognized in determining list membership by putting
SENDER_HEADERS = (None,)
in mm_cfg.py. See the documentation for this setting in Defaults.py.
It would probably also be possible to create a regexp for header_filter_rules that would match only when the Return-Path: address and the From: address were different and to use that to deal with such posts. But, that wouldn't handle the case where both From: and envelope sender were spoofed with the same address.
-- Mark Sapiro mark@msapiro.net, San Francisco Bay Area, California. "The highway is for gamblers, better use your sense" - B. Dylan
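The mechanics discussed in the two replies above (which headers Mailman consults to decide who the "sender" is, what `SENDER_HEADERS = (None,)` changes, the From:/Return-Path: mismatch rule, moderating everyone, and the `Approved:` header bypass) are easier to see side by side in code. The following is an added example written for this page; it is not Mailman's code. The function names, the `DEFAULT_SENDER_HEADERS` tuple (an approximation of Mailman's default, not the real value), the `decide()` return values, the poster password and all three sample messages are constructed for illustration.

```python
"""Model of a Mailman 2.1-style sender/membership check and why a forged
From: header passes it.  Added example, not Mailman's own code."""
import email
import hmac
from email.utils import parseaddr

# Assumption: approximates Mailman's SENDER_HEADERS default.  Entries are
# header names; None means "the envelope sender" (the Return-Path: address).
DEFAULT_SENDER_HEADERS = ("from", "reply-to", "sender")
ENVELOPE_ONLY = (None,)          # the SENDER_HEADERS = (None,) setting from the thread


def envelope_sender(msg):
    """Address recorded in Return-Path:, i.e. the SMTP envelope sender."""
    return parseaddr(msg.get("Return-Path", ""))[1].lower()


def get_senders(msg, sender_headers):
    """Candidate sender addresses, in the order the configuration lists them."""
    senders = []
    for hdr in sender_headers:
        addr = envelope_sender(msg) if hdr is None else parseaddr(msg.get(hdr, ""))[1].lower()
        if addr and addr not in senders:
            senders.append(addr)
    return senders


def from_envelope_mismatch(msg):
    """The header_filter_rules idea: From: and Return-Path: name different addresses."""
    frm = parseaddr(msg.get("From", ""))[1].lower()
    env = envelope_sender(msg)
    return bool(frm and env and frm != env)


def has_valid_approved_header(msg, poster_password):
    """Approved: <password> lets a post through a hold; compare in constant time.
    (Real Mailman also strips the Approved: header before distributing the post.)"""
    supplied = (msg.get("Approved") or "").strip()
    return bool(supplied) and hmac.compare_digest(supplied, poster_password)


def decide(raw, members, sender_headers=DEFAULT_SENDER_HEADERS,
           moderate_everyone=False, poster_password=None, hold_on_mismatch=False):
    """Return 'accept', 'hold' or 'nonmember' (the generic non-member action)."""
    msg = email.message_from_string(raw)
    if poster_password is not None and has_valid_approved_header(msg, poster_password):
        return "accept"
    if not any(s in members for s in get_senders(msg, sender_headers)):
        return "nonmember"
    if moderate_everyone or (hold_on_mismatch and from_envelope_mismatch(msg)):
        return "hold"
    return "accept"


# Constructed sample data.
MEMBERS = {"alice@example.org"}
POSTER_PASSWORD = "constructed-poster-password"
# 1: a genuine member post.
GENUINE = ("Return-Path: <alice@example.org>\nFrom: Alice <alice@example.org>\n"
           "Subject: meeting notes\n\nbody\n")
# 2: the Joomla/AcyMailing situation: From: names a member, envelope sender is the bulk mailer.
FORGED_FROM = ("Return-Path: <bounce@bulkmailer.example>\nFrom: Alice <alice@example.org>\n"
               "Subject: newsletter\n\nbody\n")
# 3: both From: and envelope sender set to the member's address; by header
#    inspection alone this is indistinguishable from GENUINE.
FORGED_BOTH = ("Return-Path: <alice@example.org>\nFrom: Alice <alice@example.org>\n"
               "Subject: newsletter\n\nbody\n")
# 4: a genuine post carrying the Approved: pseudo-header to bypass a hold.
APPROVED = "Approved: " + POSTER_PASSWORD + "\n" + GENUINE

if __name__ == "__main__":
    for name, raw in [("genuine", GENUINE), ("forged From", FORGED_FROM), ("forged both", FORGED_BOTH)]:
        print(name, "default:", decide(raw, MEMBERS),
              "envelope-only:", decide(raw, MEMBERS, sender_headers=ENVELOPE_ONLY),
              "mismatch-hold:", decide(raw, MEMBERS, hold_on_mismatch=True))
```

Running it shows the shape of the thread's conclusion: with the default headers the forged-From post is accepted because From: matches a member; `ENVELOPE_ONLY` turns it into a non-member post and the mismatch rule holds it; but once both headers are forged, only `moderate_everyone=True` (with `Approved:` for legitimate posters) still catches it.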
Tanstaafl writes:
On 2012-11-13 1:52 AM, Mark Sapiro mark@msapiro.net wrote:
If I knew how to tell if a header was spoofed, I could do that, but I don't know how to tell; do you?
Maybe an alternative would be an option that for every message posted to the list, a confirmation email is sent to the members email address,
We already have various challenge-response mechanisms (e.g. TMDA). They're widely hated even more than spam (e.g., I simply drop those correspondents on the floor and add their CR addresses to my killfile in case of inadvertent CCs).
I think the best practical algorithm would look something like the following:
- In the double opt-in process require an email confirmation (not by web). This could also be delayed to first post, but they'll be dealing with the confirmation process in their MUA. This could still be done with a link but it would be a mailto: rather than an http: link.
- Get originator information (From, Sender, envelope sender, and earliest Received, and SPF and DKIM information where available).
- Record the configuration.
- For every post from a member with new originator information, update the member information with a new originator record.
- If spam is received corresponding to an originator record, disable it. This might be automated through the moderation process, or through milters (which one would hope catch most of the spam).
- Analyze originator information and issue a challenge whenever a post claiming to be from a member matches disabled originator information on file. (Definition of "match" is non-trivial and probably necessarily heuristic.) Otherwise approve the post.
- In case of challenge, if an approval response is received, warn the member that their address has been used to spam.
You could try reversing the polarity of step 5, and require confirmation for every new originator record. But that would probably be too annoying. Too many people have multiple locations they post from, even if they use only one address.
that they then have to click a link to 'approve' sending the message, just like how subscribes/unsubscribes have to be confirmed.
Maybe this could even be extended with some kind of way of caching the source IP of approved messages,
I don't think this is an extension, I think it's absolutely necessary.
I also just noticed the option under the Privacy > Spam controls in the GUI under 'Legacy anti-spam filters' where I can enter the listname itself, to prevent anyone sending spoofed messages from the list to the list.
Maybe this should be on by default.
Steve
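The originator-record scheme sketched in the message above (record each member's posting origins, disable a record when spam arrives from it, challenge only posts matching a disabled record, warn the member if they confirm) can be prototyped in a few dozen lines. The following is an added example written for this page; it is not Mailman code and not Steve's. The `Originator` fields, the `matches()` heuristic (same envelope sender plus either the same first-hop host or a shared SPF failure), the method names and the sample origins are all constructed assumptions; the double opt-in step and the milter integration are left out.

```python
"""Prototype of the originator-record idea from the thread.  Added example,
not Mailman code; fields, heuristic and sample data are constructed."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Originator:
    """Originator information gathered from one post (constructed field set)."""
    from_addr: str
    envelope: str            # envelope sender / Return-Path:
    first_received: str      # host named in the earliest Received: header
    spf: str = "none"        # pass / fail / softfail / none
    dkim: str = "none"       # pass / fail / none


@dataclass
class MemberOrigins:
    active: set = field(default_factory=set)
    disabled: set = field(default_factory=set)


class OriginatorStore:
    def __init__(self):
        self.members = {}

    def _origins(self, member):
        return self.members.setdefault(member, MemberOrigins())

    @staticmethod
    def matches(candidate, known):
        """Heuristic 'match': same envelope sender and either the same first-hop
        host or both carrying an SPF failure.  Assumption, not a standard rule."""
        if candidate.envelope != known.envelope:
            return False
        if candidate.first_received == known.first_received:
            return True
        return candidate.spf == "fail" and known.spf == "fail"

    def evaluate(self, member, orig):
        """Return 'challenge' if orig matches a disabled record, else record it
        (if new) and return 'approve'."""
        recs = self._origins(member)
        if any(self.matches(orig, d) for d in recs.disabled):
            return "challenge"
        if not any(self.matches(orig, a) for a in recs.active):
            recs.active.add(orig)           # new originator info: add a record
        return "approve"

    def disable(self, member, orig):
        """A post from this origin turned out to be spam: retire matching records."""
        recs = self._origins(member)
        recs.active = {a for a in recs.active if not self.matches(orig, a)}
        recs.disabled.add(orig)

    def on_challenge_approved(self, member, orig):
        """The member confirmed the challenge: re-enable the origin, warn them."""
        recs = self._origins(member)
        recs.disabled = {d for d in recs.disabled if not self.matches(orig, d)}
        recs.active.add(orig)
        return f"warning to {member}: your address was used to send spam via {orig.envelope}"


# Constructed sample origins for one member.
MEMBER = "alice@example.org"
HOME = Originator(MEMBER, MEMBER, "mail.home.example", spf="pass", dkim="pass")
OFFICE = Originator(MEMBER, MEMBER, "mx.office.example", spf="pass")
SPAM = Originator(MEMBER, MEMBER, "dyn-1-2-3-4.isp.example", spf="fail")
SPAM_AGAIN = Originator(MEMBER, MEMBER, "dyn-9-9-9-9.isp.example", spf="fail")


def walkthrough():
    """Run the scenario end to end and return the sequence of decisions."""
    store = OriginatorStore()
    out = [store.evaluate(MEMBER, HOME), store.evaluate(MEMBER, OFFICE),
           store.evaluate(MEMBER, SPAM)]        # first spam is new, so approved
    store.disable(MEMBER, SPAM)                 # moderator flags it afterwards
    out += [store.evaluate(MEMBER, SPAM), store.evaluate(MEMBER, SPAM_AGAIN),
            store.evaluate(MEMBER, HOME)]       # home posts are unaffected
    return out


if __name__ == "__main__":
    print(walkthrough())
```

The first post from a new origin is approved and recorded, exactly as the proposal says; only after a moderator (or milter) disables that record do later posts matching it draw a challenge, while the member's known-good origins keep flowing. Tightening `matches()` reduces false challenges; loosening it catches more of the bulk mailer's hops but starts annoying members who post from many places.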