[Mailman-Users] List security: approved line got mailed out to listusers

Jacob Sam-La Rose jacob at metaroar.com
Fri Jan 26 23:59:27 CET 2007


Thanks for the response, Mark. I'm only just getting used to the  
concept of community via mailing list (I'm more used to user forums...!)

On 26 Jan 2007, at 19:00, Mark Sapiro wrote:

> Jacob Sam-La Rose wrote:
>>
>> I've got my list configured as an announcement-only list, and the
>> first few mailings I've sent have gone through exactly as planned.  I
>> use "Approved: password" as the first line to approve mailings.  I
>> inadvertently sent email to the list from one of my other email
>> addresses, and when the message went out, the Approved: line was
>> there, intact.  There was a space above it, if that means anything
>> (the sent email doesn't have that space...)
>
>
> What Mailman version is this?
>

2.1.9.cp2

> Do you have a copy of the message from the list - complete with all
> headers? If nothing else, if the list is archived, this copy will be
> in archives/private/listname.mbox/listname.mbox.

Headers:

Subject: 	FYI (important): any email to  / Jacob this morning...
	Date: 	26 January 2007 11:00:05 GMT
	To: 	  fyi at metaroar.com
	Return-Path: 	<yosafa at mrfriendly.asmallorange.com>
	Envelope-To: 	jacob at jsamlarose.com
	Delivery-Date: 	Fri, 26 Jan 2007 06:03:20 -0500
	Received: 	from yosafa by mrfriendly.asmallorange.com with local-bsmtp (Exim 4.63) (envelope-from <yosafa at mrfriendly.asmallorange.com>) id 1HAOrV-0000z6-3K for jacob at jsamlarose.com; Fri, 26 Jan 2007 06:03:20 -0500
	Received: 	from hypnotoad.liquidweb.com ([72.52.133.24]:50358) by mrfriendly.asmallorange.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.63) (envelope-from <fyi-bounces at metaroar.com>) id 1HAOrU-0000xz-PZ for jacob at jsamlarose.com; Fri, 26 Jan 2007 06:03:16 -0500
	Received: 	from localhost ([127.0.0.1]:50149 helo=hypnotoad.liquidweb.com) by hypnotoad.liquidweb.com with esmtp (Exim 4.63) (envelope-from <fyi-bounces at metaroar.com>) id 1HAOoT-00032t-0j; Fri, 26 Jan 2007 06:00:09 -0500
	Received: 	from [81.103.209.178] (port=56306) by hypnotoad.liquidweb.com with esmtpsa (TLSv1:AES128-SHA:128) (Exim 4.63) (envelope-from <jacob at metaroar.com>) id 1HAOoR-00032U-85 for fyi at metaroar.com; Fri, 26 Jan 2007 06:00:07 -0500
	X-Spam-Checker-Version: 	SpamAssassin 3.1.7 (2006-10-05) on mrfriendly.asmallorange.com
	X-Spam-Level: 	
	X-Spam-Status: 	No, score=0.0 required=7.0 tests=AWL,HTML_MESSAGE autolearn=ham version=3.1.7
	Mime-Version: 	1.0 (Apple Message framework v752.2)
	Message-Id: 	<68175EC0-1B93-4673-AD2D-2188F7E0DE29 at metaroar.com>
	X-Mailer: 	Apple Mail (2.752.2)
	X-Clamantivirus-Scanner: 	This mail is clean
	X-Clamantivirus-Scanner: 	This mail is clean
	X-Beenthere: 	fyi at metaroar.com
	X-Mailman-Version: 	2.1.9.cp2
	Precedence: 	list
	List-Id: 	"Everything you wanted to know about poetry, but didn't know who to ask..." <fyi_metaroar.com.metaroar.com>
	List-Unsubscribe: 	<http://metaroar.com/mailman/listinfo/fyi_metaroar.com>, <mailto:fyi-request at metaroar.com?subject=unsubscribe>
	List-Archive: 	<http://metaroar.com/pipermail/fyi_metaroar.com>
	List-Post: 	<mailto:fyi at metaroar.com>
	List-Help: 	<mailto:fyi-request at metaroar.com?subject=help>
	List-Subscribe: 	<http://metaroar.com/mailman/listinfo/fyi_metaroar.com>, <mailto:fyi-request at metaroar.com?subject=subscribe>
	Content-Type: 	multipart/mixed; boundary="===============2746362320716674074=="
	Errors-To: 	fyi-bounces at metaroar.com
	X-Antiabuse: 	This header was added to track abuse, please include it with any abuse report
	X-Antiabuse: 	Primary Hostname - hypnotoad.liquidweb.com
	X-Antiabuse: 	Original Domain - jsamlarose.com
	X-Antiabuse: 	Originator/Caller UID/GID - [0 0] / [47 12]
	X-Antiabuse: 	Sender Address Domain - metaroar.com
	X-Source: 	
	X-Source-Args: 	
	X-Source-Dir: 	
	X-Antivirus-Scanner: 	Clean mail though you should still use an Antivirus

Do you need to see the body of the email?

>
> How did the message get sent to the list? Was it held and manually
> approved (a clue that something was wrong with Approved:).

Sent as email straight to the list - didn't have to be manually  
approved - it went straight through.

>
> Was the Approved: line that went to the list in the first text/plain
> part of the message or was it in a subsequent part, e.g. an HTML
> alternative part.

It was in the first text/plain part - though in the sent version I've  
got of the mail, the Approved: line is the very first line.  Once it  
went through the list, there was a line space at the top of the  
email, before the Approved: line...

>
> Approved: body lines must be the first non-blank line in the first
> text/plain part of the message. If found there, they will be removed.
> Beginning in Mailman 2.1.7, an attempt is made to remove the approved
> line from other parts of the message, but it must first be found in
> the first text/plain part, and this removal from other parts isn't
> perfect.
>
> So, based on what little I have to go on so far, I will guess that the
> message you sent to the list was multipart/alternative with text/plain
> and text/html alternative parts and the Approved: line was found in
> and removed from the text/plain part and the message was accepted, but
> either because this is Mailman prior to 2.1.7 or because of something
> unusual about the way the Approved: line appeared in the html part, it
> wasn't removed from that part and that's where people saw it.

Headers say multipart/mixed...  Anything else this could be?

>
> -- 
> Mark Sapiro <msapiro at value.net>       The highway is for gamblers,
> San Francisco Bay Area, California    better use your sense - B. Dylan
>

Jacob Sam-La Rose
Executive Editor
"FYI" / Metaroar.com

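Added example, not part of the original thread and not Mailman's own code: a pre-send check a list owner could run on a saved message to see whether the Approved: password would still be visible in another part once it is stripped from the first text/plain part, following the rule quoted above. The regex, function names, sample message and password are constructed for illustration.

```python
import re
from email.message import EmailMessage

# Assumed syntax for the body line; not copied from Mailman's source.
APPROVED_RE = re.compile(r"^Approved:\s*(\S.*?)\s*$", re.IGNORECASE)

def first_text_plain(msg):
    """Return the first text/plain part in document order, or None."""
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            return part
    return None

def find_approved(msg):
    """Password, if the first non-blank line of the first text/plain
    part is an Approved: line; otherwise None."""
    part = first_text_plain(msg)
    if part is None:
        return None
    for line in part.get_content().splitlines():
        if line.strip():                      # first non-blank line decides
            m = APPROVED_RE.match(line)
            return m.group(1) if m else None
    return None

def leaking_parts(msg):
    """Content types of the other text parts that still contain the password.
    Plain substring match: a password split by HTML tags or entities is missed."""
    pw = find_approved(msg)
    if pw is None:
        return []
    first = first_text_plain(msg)
    return [p.get_content_type() for p in msg.walk()
            if p is not first
            and p.get_content_maintype() == "text"
            and pw in p.get_content()]

def sample_message():
    """Constructed multipart/alternative message with a placeholder password."""
    m = EmailMessage()
    m["To"] = "list@example.org"
    m.set_content("Approved: CONSTRUCTED-PW\n\nAnnouncement text\n")
    m.add_alternative("<html><body><div>Approved: CONSTRUCTED-PW</div>"
                      "<p>Announcement text</p></body></html>", subtype="html")
    return m

if __name__ == "__main__":
    print(find_approved(sample_message()), leaking_parts(sample_message()))
```

A non-empty result from `leaking_parts` means the message should be re-sent as plain text only, or approved with a header instead of a body line, and the list password changed if it has already gone out.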




