[Mailman-Users] List security: approved line got mailed out to listusers
Jacob Sam-La Rose
jacob at metaroar.com
Fri Jan 26 23:59:27 CET 2007
Thanks for the response, Mark. I'm only just getting used to the
concept of community via mailing list (I'm more used to user forums...!)
On 26 Jan 2007, at 19:00, Mark Sapiro wrote:
> Jacob Sam-La Rose wrote:
>>
>> I've got my list configured as an announcement-only list, and the
>> first few mailings I've sent have gone through exactly as planned. I
>> use "Approved: password" as the first line to approve mailings. I
>> inadvertently sent email to the list from one of my other email
>> addresses, and when the message went out, the Approved: line was
>> there, intact. There was a space above it, if that means anything
>> (the sent email doesn't have that space...)
>
>
> What Mailman version is this?
>
2.1.9.cp2
> Do you have a copy of the message from the list - complete with all
> headers? If nothing else, if the list is archived, this copy will be
> in archives/private/listname.mbox/listname.mbox.
Headers:
Subject: FYI (important): any email to / Jacob this morning...
Date: 26 January 2007 11:00:05 GMT
To: fyi at metaroar.com
Return-Path: <yosafa at mrfriendly.asmallorange.com>
Envelope-To: jacob at jsamlarose.com
Delivery-Date: Fri, 26 Jan 2007 06:03:20 -0500
Received: from yosafa by mrfriendly.asmallorange.com with local-
bsmtp (Exim 4.63) (envelope-from
<yosafa at mrfriendly.asmallorange.com>) id 1HAOrV-0000z6-3K for
jacob at jsamlarose.com; Fri, 26 Jan 2007 06:03:20 -0500
Received: from hypnotoad.liquidweb.com ([72.52.133.24]:50358) by
mrfriendly.asmallorange.com with esmtps (TLSv1:AES256-SHA:256) (Exim
4.63) (envelope-from <fyi-bounces at metaroar.com>) id 1HAOrU-0000xz-PZ
for jacob at jsamlarose.com; Fri, 26 Jan 2007 06:03:16 -0500
Received: from localhost ([127.0.0.1]:50149
helo=hypnotoad.liquidweb.com) by hypnotoad.liquidweb.com with esmtp
(Exim 4.63) (envelope-from <fyi-bounces at metaroar.com>) id
1HAOoT-00032t-0j; Fri, 26 Jan 2007 06:00:09 -0500
Received: from [81.103.209.178] (port=56306) by
hypnotoad.liquidweb.com with esmtpsa (TLSv1:AES128-SHA:128) (Exim
4.63) (envelope-from <jacob at metaroar.com>) id 1HAOoR-00032U-85 for
fyi at metaroar.com; Fri, 26 Jan 2007 06:00:07 -0500
X-Spam-Checker-Version: SpamAssassin 3.1.7 (2006-10-05) on
mrfriendly.asmallorange.com
X-Spam-Level:
X-Spam-Status: No, score=0.0 required=7.0 tests=AWL,HTML_MESSAGE
autolearn=ham version=3.1.7
Mime-Version: 1.0 (Apple Message framework v752.2)
Message-Id: <68175EC0-1B93-4673-AD2D-2188F7E0DE29 at metaroar.com>
X-Mailer: Apple Mail (2.752.2)
X-Clamantivirus-Scanner: This mail is clean
X-Clamantivirus-Scanner: This mail is clean
X-Beenthere: fyi at metaroar.com
X-Mailman-Version: 2.1.9.cp2
Precedence: list
List-Id: "Everything you wanted to know about poetry, but didn't
know who to ask..." <fyi_metaroar.com.metaroar.com>
List-Unsubscribe: <http://metaroar.com/mailman/listinfo/
fyi_metaroar.com>, <mailto:fyi-request at metaroar.com?subject=unsubscribe>
List-Archive: <http://metaroar.com/pipermail/fyi_metaroar.com>
List-Post: <mailto:fyi at metaroar.com>
List-Help: <mailto:fyi-request at metaroar.com?subject=help>
List-Subscribe: <http://metaroar.com/mailman/listinfo/
fyi_metaroar.com>, <mailto:fyi-request at metaroar.com?subject=subscribe>
Content-Type: multipart/mixed;
boundary="===============2746362320716674074=="
Errors-To: fyi-bounces at metaroar.com
X-Antiabuse: This header was added to track abuse, please include
it with any abuse report
X-Antiabuse: Primary Hostname - hypnotoad.liquidweb.com
X-Antiabuse: Original Domain - jsamlarose.com
X-Antiabuse: Originator/Caller UID/GID - [0 0] / [47 12]
X-Antiabuse: Sender Address Domain - metaroar.com
X-Source:
X-Source-Args:
X-Source-Dir:
X-Antivirus-Scanner: Clean mail though you should still use an
Antivirus
Do you need to see the body of the email?
>
> How did the message get sent to the list? Was it held and manually
> approved (a clue that something was wrong with Approved:).
Sent as email straight to the list - didn't have to be manually
approved - it went straight through.
>
> Was the Approved: line that went to the list in the first text/plain
> part of the message or was it in a subsequent part, e.g. an HTML
> alternative part.
It was in the first text/plain part - though in the sent version I've
got of the mail, the Approved: line is the very first line. Once it
went through the list, there was a line space at the top of the
email, before the Approved: line...
>
> Approved: body lines must be the first non-blank line in the first
> text/plain part of the message. If found there, they will be removed.
> Beginning in Mailman 2.1.7, an attempt is made to remove the approved
> line from other parts of the message, but it must first be found in
> the first text/plain part, and this removal from other parts isn't
> perfect.
>
> So, based on what little I have to go on so far, I will guess that the
> message you sent to the list was multipart/alternative with text/plain
> and text/html alternative parts and the Approved: line was found in
> and removed from the text/plain part and the message was accepted, but
> either because this is Mailman prior to 2.1.7 or because of something
> unusual about the way the Approved: line appeared in the html part, it
> wasn't removed from that part and that's where people saw it.
Headers say multipart/mixed... Anything else this could be?
>
> --
> Mark Sapiro <msapiro at value.net> The highway is for gamblers,
> San Francisco Bay Area, California better use your sense - B. Dylan
>
Jacob Sam-La Rose
Executive Editor
"FYI" / Metaroar.com
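
Added example, not part of the original thread and not Mailman's own code: a stand-alone Python model of the rule Mark describes (the Approved: line is honoured and removed only as the first non-blank line of the first text/plain part), plus a check that reports which text parts of the outgoing message still contain the password. The function names, the sample message and the password "sample-password" are constructed for illustration.

```python
import re
from email.message import EmailMessage

# "Approved: <password>" as a whole line, and the same token anywhere in a part.
LINE_RE = re.compile(r"\s*Approved?:\s*(\S+)\s*$", re.IGNORECASE)
ANY_RE = re.compile(r"Approved?:\s*\S+", re.IGNORECASE)

def strip_first_plain(msg):
    """Remove the Approved: line if it is the first non-blank line of the
    first text/plain part. Returns the password found, or None."""
    for part in msg.walk():
        if part.get_content_type() != "text/plain":
            continue
        lines = part.get_content().splitlines()
        for i, line in enumerate(lines):
            if not line.strip():
                continue              # skip leading blank lines
            found = LINE_RE.match(line)
            if not found:
                return None           # first non-blank line is ordinary text
            del lines[i]
            part.set_content("\n".join(lines) + "\n")
            return found.group(1)
        return None                   # first text/plain part was empty
    return None

def leaked_parts(msg):
    """Content types of text parts that still carry an Approved: line."""
    return [p.get_content_type() for p in msg.walk()
            if p.get_content_maintype() == "text"
            and ANY_RE.search(p.get_content())]

def build_sample():
    """Constructed multipart/alternative message, as a mail client that
    sends both plain and HTML versions would produce."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("Approved: sample-password\n\nAnnouncement text.\n")
    msg.add_alternative(
        "<html><body><p>Approved: sample-password</p>"
        "<p>Announcement text.</p></body></html>", subtype="html")
    return msg

if __name__ == "__main__":
    sample = build_sample()
    print("password accepted:", strip_first_plain(sample))
    print("parts still exposing it:", leaked_parts(sample))
```

Running leaked_parts() over a copy taken from the list archive shows which part the subscribers saw the line in; sending list posts as plain text only avoids the second copy altogether.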