Question: If the list name and a member address are known, can foreign mails be channeled into the list?
Hello to the round. Unfortunately I could not find a better place for my questions, nor did I find any answers within the docs or by Google. So here it is. The questions refer to Mailman 2.1.23.
If I know the address of a list member and the address of the mailing list, I seem to be allowed to write in the list in his place. Is this correct?
It seems to me that this is possible in at least two ways with the lists I am responsible for, and I don't like that:
1)--- First, I can fake the sender address. If the original sender address and mail with the forgery are sent from the same domain, then this is not prevented by the MTA (SPF/DKIM check), is it? With freemailers like gmail, web.de, gmx etc. this doesn't seem so impossible to me (i.e. that listmember and bad guy write from the same domain).
2)--- Second, even more strange to me: If I write to the mailing list from a valid address (which is NOT a member of the mailing list), and specify a "return-to" in the header with a listmember's address, then that gets waved through to my mailing list as well. My mailman lists here seem to ignore the "From" address completely then. In this case, it doesn't even matter which domain the bad guy writes from, as long as the return address stands up to the usual checks (SPF/DKIM/DMARC).
Have I understood this correctly? And if this is as described, how can I prevent this?
Background: I have inherited a larger Sendmail server and several dozen Mailman lists. Unfortunately, migration to Mailman3 is not an option (at least in the foreseeable future). So I have to live with the given - and annoy others with stupid questions from time to time. Sorry for that.
In advance with thanks and greetings from Germany, Thomas
At Tue, 24 Jan 2023 14:00:01 +0100 "Thomas F. Holz" <tfh@Seelen.Theater> wrote:
> Hello to the round. Unfortunately I could not find a better place for my questions, nor did I find any answers within the docs or by Google. So here it is. The questions refer to Mailman 2.1.23.
> If I know the address of a list member and the address of the mailing list, I seem to be allowed to write in the list in his place. Is this correct?
> It seems to me that this is possible in at least two ways with the lists I am responsible for, and I don't like that:
> 1)--- First, I can fake the sender address. If the original sender address and mail with the forgery are sent from the same domain, then this is not prevented by the MTA (SPF/DKIM check), is it?
Depends on MTA settings.
> With freemailers like gmail, web.de, gmx etc. this doesn't seem so impossible to me (i.e. that listmember and bad guy write from the same domain).
Some of these mailers might not let someone randomly message with the From: header. Most often the spoofers are NOT actually using legit free e-mail services to send spoofed e-mail, but are instead doing things like connecting directly to your inbound MTA from their laptop (or from hacked PCs). In either case the HELO command and/or the Received: header will identify this and this can be checked, either by the inbound MTA or by Mailman (add a spam filter checking the Received: header for bad IP addresses).
> 2)--- Second, even more strange to me: If I write to the mailing list from a valid address (which is NOT a member of the mailing list), and specify a "return-to" in the header with a listmember's address, then that gets waved through to my mailing list as well. My mailman lists here seem to ignore the "From" address completely then.
This is strange.
> In this case, it doesn't even matter which domain the bad guy writes from, as long as the return address stands up to the usual checks (SPF/DKIM/DMARC).
> Have I understood this correctly? And if this is as described, how can I prevent this?
You need some spam filtering designed to catch this.
> Background: I have inherited a larger Sendmail server and several dozen Mailman lists. Unfortunately, migration to Mailman3 is not an option (at least in the foreseeable future). So I have to live with the given - and annoy others with stupid questions from time to time. Sorry for that.
> In advance with thanks and greetings from Germany, Thomas
--
Robert Heller -- Cell: 413-658-7953 GV: 978-633-5364
Deepwoods Software -- Custom Software Services
http://www.deepsoft.com/ -- Linux Administration Services
heller@deepsoft.com -- Webhosting Services
Thomas F. Holz writes:
> If I know the address of a list member and the address of the mailing list, I seem to be allowed to write in the list in his place. Is this correct?
Yes, as far as Mailman 2 goes. Mailman 2 doesn't know anything about a user except their address. Mailman 3 knows a little bit more, but Mailman doesn't know how to authenticate posters by digital signatures (and you probably don't want to put your subscribers through that pain, either).
> 1)--- First, I can fake the sender address. If the original sender address and mail with the forgery are sent from the same domain, then this is not prevented by the MTA (SPF/DKIM check), is it?
Not by standard MTAs, which only make the appropriate check if the sending domain has set a restrictive DMARC policy. But you should be able to create an MTA or spam filter rule that checks for from alignment yourself.
> With freemailers like gmail, web.de, gmx etc. this doesn't seem so impossible to me (i.e. that listmember and bad guy write from the same domain).
That won't work from gmail. Gmail will only allow you to send From an address if you can prove you own it, either by using it to log in to Gmail, or by reading a one-time token from that mailbox and sending it back to Gmail. I can't speak for the other freemailers, but I imagine they work the same. And if you send it from somewhere else, it won't have Gmail's DKIM, so from alignment will fail.
> If I write to the mailing list from a valid address (which is NOT a member of the mailing list), and specify a "return-to" in the header with a listmember's address, then that gets waved through to my mailing list as well. My mailman lists here seem to ignore the "From" address completely then.
That is configurable on a sitewide basis. Add the SENDER_HEADERS variable to mm_cfg.py, and change it to ('from') or ('from', None).
    # Membership tests for posting purposes are usually performed by looking at a
    # set of headers, passing the test if any of their values match a member of
    # the list.  Headers are checked in the order given in this variable.  The
    # value None means use the From_ (envelope sender) header.  Field names are
    # case insensitive.
    SENDER_HEADERS = ('from', None, 'reply-to', 'sender')
> Have I understood this correctly?
Not 100%, but basically so.
> And if this is as described, how can I prevent this?
- In practice, as long as you do normal content-based spam filtering, this seems to mostly be a theoretical problem even if you do nothing special about checking senders. Maybe you (or your users) have nastier than usual enemies though, you have to decide that.
- For a little more security and transparency, remove reply-to and sender from SENDER_HEADERS. This will inconvenience some user occasionally, but it should be rare in most user populations. It won't stop spoofing, but it will be easy to see it and the victims will complain. This may do the trick depending on what the goal of the spoof is (and if the spoofer is a bot).
- For maximum security with little inconvenience to users, have your MTA check for From alignment. You can either reject on that basis (which will inconvenience some users substantially, I suspect) or you can have the MTA add a header to the message, and have Mailman hold the mail for human moderation if alignment fails. It would also be possible to have Mailman do this but it's more efficient to have the MTA do it.
I believe some users in the past have mentioned 3rd-party patches to check user's digital signatures, but that's quite compute-intensive, and requires that you teach your users to sign their own email. I'm pretty sure they won't like that. ;-)
Steve
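To make the two mitigations in Steve's answer concrete, here is an added example (my own code, not Mailman's source and not anything posted in this thread). It models how Mailman 2.1 walks SENDER_HEADERS to decide whether a post comes from a subscriber, and the From-alignment check an MTA or milter could perform before handing the mail to Mailman. The membership roster, the three messages and the "domain the MTA authenticated" are constructed for the example; a real deployment would take that domain from its SPF/DKIM evaluation, and DMARC's relaxed alignment (organizational domains) is simplified here to an exact domain match. One Python detail worth noting: a one-element tuple needs a trailing comma, so the tightened setting is written `('from',)`.

```python
"""Added example, not Mailman's own code: a model of the Mailman 2.1
SENDER_HEADERS membership test plus an MTA-style From-alignment check,
run over three constructed messages under the default and a strict setting."""
import email
from email.utils import getaddresses, parseaddr

# Constructed membership roster for the example.
MEMBERS = {"alice@example.org", "bob@example.net"}

# Mailman 2.1 default, as quoted in the thread.
DEFAULT_SENDER_HEADERS = ('from', None, 'reply-to', 'sender')
# Tightened site setting: only From: counts. The trailing comma matters;
# ('from') without it is just the string 'from'.
STRICT_SENDER_HEADERS = ('from',)


def candidate_senders(msg, envelope_sender, sender_headers):
    """Yield the addresses Mailman would test, in SENDER_HEADERS order.
    None stands for the envelope sender (the Unix From_ line)."""
    for h in sender_headers:
        if h is None:
            if envelope_sender:
                yield envelope_sender.lower()
            continue
        for _name, addr in getaddresses(msg.get_all(h, [])):
            if addr:
                yield addr.lower()


def is_member_post(msg, envelope_sender, sender_headers, members=MEMBERS):
    """True if any candidate sender is a subscriber (the membership test)."""
    return any(a in members
               for a in candidate_senders(msg, envelope_sender, sender_headers))


def from_is_aligned(msg, authenticated_domain):
    """Strict alignment: the From: domain must equal the domain that passed
    SPF or DKIM at the MTA. (DMARC relaxed alignment compares organizational
    domains, which needs the public suffix list and is omitted here.)"""
    _name, from_addr = parseaddr(msg.get('From', ''))
    from_domain = from_addr.rpartition('@')[2].lower()
    return bool(from_domain) and from_domain == authenticated_domain.lower()


def disposition(raw, envelope_sender, authenticated_domain, sender_headers):
    """Hold non-member posts; hold member posts whose From: is not aligned
    with what the MTA authenticated; otherwise accept."""
    msg = email.message_from_string(raw)
    if not is_member_post(msg, envelope_sender, sender_headers):
        return "hold: non-member post"
    if not from_is_aligned(msg, authenticated_domain):
        return "hold: From not aligned with authenticated domain"
    return "accept"


# Three constructed messages (sample data, not captured mail).
GENUINE = ("From: Alice <alice@example.org>\nTo: list@example.org\n"
           "Subject: hello\n\nhi\n")
REPLY_TO_TRICK = ("From: mallory@other.example\nReply-To: alice@example.org\n"
                  "To: list@example.org\nSubject: hello\n\nhi\n")
FROM_SPOOF = ("From: Alice <alice@example.org>\nTo: list@example.org\n"
              "Subject: hello\n\nhi\n")

CASES = {
    # name: (raw message, envelope sender, domain the MTA authenticated)
    "genuine": (GENUINE, "alice@example.org", "example.org"),
    "reply-to trick": (REPLY_TO_TRICK, "mallory@other.example", "other.example"),
    "from spoof": (FROM_SPOOF, "mallory@other.example", "other.example"),
}


def run_all():
    """Return {case: (result with default SENDER_HEADERS, result with strict)}."""
    return {name: (disposition(raw, env, dom, DEFAULT_SENDER_HEADERS),
                   disposition(raw, env, dom, STRICT_SENDER_HEADERS))
            for name, (raw, env, dom) in CASES.items()}


if __name__ == "__main__":
    for name, (default, strict) in run_all().items():
        print(f"{name:15} default={default!r:50} strict={strict!r}")
```

The two cases from the original question land differently: the Reply-To trick (case 2) passes the alignment check because its From: is honest, so only dropping reply-to and sender from SENDER_HEADERS stops it, while the forged From: (case 1) is a subscriber post under either setting and is caught only by the alignment check. That is why Steve's second and third bullets complement rather than replace each other.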
Participants (3): Robert Heller, Stephen J. Turnbull, Thomas F. Holz