[Mailman-Users] Spam got through - how?!

Mark Sapiro mark at msapiro.net
Fri Feb 1 16:31:24 CET 2008


Dennis Carr wrote:

>OK, so today, I get a spam on the FFML, of which I have included the
>headers below.
>
>My question is simple: how did this happen?  
>
>-Dennis Carr
>
>
>Return-Path: <ffml-bounces
>+dennisthetiger=chez-vrolet.net at chez-vrolet.net> X-Original-To:
>dennisthetiger at chez-vrolet.net Delivered-To:
>dennisthetiger at chez-vrolet.net Received: from kimba.chez-vrolet.net
>(localhost.localdomain [127.0.0.1]) by kimba.chez-vrolet.net (Postfix)
>with ESMTP id EF66234255 for <dennisthetiger at chez-vrolet.net>; Thu, 31
>Jan 2008 13:55:41 -0800 (PST) X-Original-To: ffml at chez-vrolet.net
>Delivered-To: ffml at chez-vrolet.net
>Received: from host86-128-140-151.range86-128.btcentralplus.com
>	(host86-128-140-151.range86-128.btcentralplus.com
>[86.128.140.151]) by kimba.chez-vrolet.net (Postfix) with SMTP id
>CA2C3340E4 for <ffml at chez-vrolet.net>; Thu, 31 Jan 2008 13:55:32 -0800
>(PST) Content-Return: allowed 
>X-Mailer: CME-V6.5.4.3; MSN 
>Received: (qmail 3804 by uid 548); Thu, 31 Jan 2008 09:55:39 GMT
>Message-Id:
><20080131095539.3806.qmail at host86-128-140-151.range86-128.btcentralplus.com>
>To: <ffml at chez-vrolet.net> From: <ffml at chez-vrolet.net>
>MIME-Version: 1.0
>Date: Thu, 31 Jan 2008 13:55:32 -0800 (PST)
>Subject: [FFML] January 77% OFF
>X-BeenThere: ffml at chez-vrolet.net
>X-Mailman-Version: 2.1.9
>Precedence: list
>Reply-To: The Fanfiction Mailing List <ffml at chez-vrolet.net>
>List-Id: The Fanfiction Mailing List <ffml.chez-vrolet.net>
>List-Unsubscribe:
><http://www.chez-vrolet.net/cgi-bin/mailman/listinfo/ffml>,
><mailto:ffml-request at chez-vrolet.net?subject=unsubscribe> List-Archive:
><http://www.chez-vrolet.net/pipermail/ffml> List-Post:
><mailto:ffml at chez-vrolet.net> List-Help:
><mailto:ffml-request at chez-vrolet.net?subject=help> List-Subscribe:
><http://www.chez-vrolet.net/cgi-bin/mailman/listinfo/ffml>,
><mailto:ffml-request at chez-vrolet.net?subject=subscribe> Content-Type:
>text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit
>Sender: ffml-bounces+dennisthetiger=chez-vrolet.net at chez-vrolet.net
>Errors-To: ffml-bounces+dennisthetiger=chez-vrolet.net at chez-vrolet.net
>X-UIDL: WNh"!l8@"!3Z5!!eGm!!
>Status: RO


Your MUA has wrapped these headers almost beyond recognition, but I
think the important one is

From: <ffml at chez-vrolet.net>

The sender of the spam has spoofed the list address that it sent the
mail to in the From: header.

Does the list accept mail from the list address? I.e. is
ffml at chez-vrolet.net or a pattern matching ffml at chez-vrolet.net in
accept_these_nonmembers? Or is ffml at chez-vrolet.net a list member
(hopefully with delivery disabled)?

If not, it is possible that the address of a list member was the
envelope sender or in a Sender: header in the original message. You
can find the message in the archives/private/ffml.mbox/ffml.mbox file
and look at the From_ line and Sender: header if any to see these. You
can also find the envelope sender in the Postfix log entry for the
original delivery to Mailman (probably /var/log/maillog).

-- 
Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
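
The check described in the reply above, as an added example that is not part of the original message or of Mailman itself: it reads an archive mbox and, for each message, pulls out the From_ (envelope) address, the From: header and the Sender: header, and marks messages whose From: is the list's own posting address. The list address `ffml@example.net`, the sample messages and the function names are constructed placeholders; point `sender_candidates()` at the real ffml.mbox file to use it.

```python
import mailbox
import os
import tempfile
from email.utils import parseaddr

LIST_ADDR = "ffml@example.net"  # placeholder posting address (assumption)

# Constructed sample archive: a post spoofing the list address, then a normal one.
SAMPLE_MBOX = """\
From member@example.org Thu Jan 31 13:55:32 2008
From: <ffml@example.net>
To: <ffml@example.net>
Subject: January 77% OFF

spam body

From alice@example.org Thu Jan 31 14:10:00 2008
From: Alice <alice@example.org>
To: ffml@example.net
Subject: New chapter posted

hello list
"""

def sender_candidates(mbox_path, list_addr=LIST_ADDR):
    """Per archived message, return the three addresses the reply compares."""
    box = mailbox.mbox(mbox_path, create=False)
    rows = []
    for msg in box:
        # get_from() is the "From_" separator line without the "From " prefix.
        envelope = (msg.get_from() or "").split(" ", 1)[0].lower()
        from_hdr = parseaddr(msg.get("From", ""))[1].lower()
        sender_hdr = parseaddr(msg.get("Sender", ""))[1].lower()
        rows.append({"subject": msg.get("Subject", ""), "envelope": envelope,
                     "from": from_hdr, "sender": sender_hdr,
                     "from_is_list": from_hdr == list_addr.lower()})
    box.close()
    return rows

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sample.mbox")
        with open(path, "w") as fh:
            fh.write(SAMPLE_MBOX)
        return sender_candidates(path)

if __name__ == "__main__":
    print(demo())
```

A row with `from_is_list` set and an `envelope` or `sender` that belongs to a list member matches the second case raised in the reply; a row with `from_is_list` set and no member address anywhere points back to the first question about accept_these_nonmembers or the list address being subscribed.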


