[Mailman-Developers] Mailing lists exploited

Jonathan Knight j.knight at keele.ac.uk
Tue May 16 04:29:12 EDT 2017


Mark is right.

The spamming process was to scrape the listinfo page and locate the "list
is run by" line and then de-obfuscate the "j.knight at keele.ac.uk" into
"j.knight@keele.ac.uk". Then an email was faked using j.knight at keele.ac.uk
as the sender to see whether the list was unmoderated or whether the
administrator had set their own email address as unmoderated on a moderated
list.

There's not a lot that can be done to protect against that other than
changing the "list is run by" so that the administrator's real email address
isn't obvious.

Jon.


On 15 May 2017 at 23:19, Barry Warsaw <barry at list.org> wrote:

> On May 15, 2017, at 11:03 AM, Mark Sapiro wrote:
>
> >It's not done in Mailman 3.
> >
> >For mailman 2.1, the administrator email addresses are a mailto: link that
> >goes to the LISTNAME-owner address, but the email addresses are exposed and
> >only mildly obfuscated ('@' -> ' at ').
> >
> >I would consider adding a configuration option to either obfuscate the
> >addresses further (e.g. drop the domain entirely) or replace the text with
> >something like "Listname list run by listname-owner at example.com".
>
> I'm a little confused by the OP.  Is it:
>
> 1) A message to the posting address From: LISTNAME-owner at example.com is
> not being moderated?  I would expect it to be since that address is not a
> member of the list.
>
> 2) Emailing To: LISTNAME-owner at example.com directly which would end up
> spamming the list owners?
>
> MM3 doesn't currently moderate messages sent to the list owners, but it
> could.  Messages to -owners flow through a different, shorter chain of
> rules and pipeline, but I've always thought that that would be configurable.
>
> -Barry



-- 
Jonathan Knight
IT Services
Keele University
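Added example, not Mailman's own code and not part of this thread: a small Python model of the two points discussed above, the configuration option Mark proposes for rendering the "list is run by" line with stronger obfuscation, and an audit for the condition Jon describes, an owner address that is also an unmoderated list member. The mode names, function names, data layout and sample addresses are all assumptions.

```python
# Illustrative model of the listinfo "list is run by" rendering and a
# list-config audit. Not Mailman code; names and structures are assumed.

MODES = ("mild", "no_domain", "owner_alias")


def display_owner(addr, mode, listname, host):
    """Render one owner address according to the chosen obfuscation mode."""
    local, _, domain = addr.partition("@")
    if mode == "mild":            # Mailman 2.1 behaviour: '@' -> ' at '
        return f"{local} at {domain}"
    if mode == "no_domain":       # drop the domain entirely
        return local
    if mode == "owner_alias":     # never show the real address at all
        return f"{listname}-owner at {host}"
    raise ValueError(f"unknown owner display mode {mode!r}")


def run_by_line(listname, host, owners, mode):
    """Build the 'list is run by' line; owner_alias collapses to one entry."""
    if mode == "owner_alias":
        return f"{listname} list run by {listname}-owner at {host}"
    shown = ", ".join(display_owner(o, mode, listname, host) for o in owners)
    return f"{listname} list run by {shown}"


def unmoderated_owners(owners, members):
    """Owner addresses that are also members with moderation switched off.

    A message whose From: is forged to one of these addresses would not be
    held for moderation, which is the gap described in the thread.
    members: dict address -> {'moderated': bool}
    """
    return sorted(o for o in owners
                  if o in members and not members[o]["moderated"])


# Constructed sample data, not taken from any real list.
OWNERS = ["owner1@example.org", "owner2@example.org"]
MEMBERS = {
    "owner1@example.org": {"moderated": False},   # posts go straight through
    "alice@example.net": {"moderated": True},
}

if __name__ == "__main__":
    for mode in MODES:
        print(run_by_line("mylist", "lists.example.org", OWNERS, mode))
    print("owners that bypass moderation:",
          unmoderated_owners(OWNERS, MEMBERS))
```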

