[Mailman-Users] non-subscriber managed to post to a subscriber only list

Lindsay Haisley fmouse-mailman at fmp.com
Mon Jan 26 22:15:17 CET 2009


Is it possible that the list mod or admin password got out?  I believe
that anyone can post to a moderated list by putting an "Approved:
<password>" header or pseudo-header in a post.

On Mon, 2009-01-26 at 13:40 -0700, Steve Lindemann wrote:
> Had something strange occur early Saturday morning.  A non-subscriber 
> managed to successfully post to two member only lists (and, of course, 
> it was spam).
> 
> The bogus sender (thelevisstoreonline at levis.rsys1.com) is not a member 
> of these member only lists and is not in the accept_these_nonmembers 
> filter.  Other non-member posts are being caught and sent to moderation. 
>   Is there something else that I should be looking at?
> 
> I checked the logs and the sender sent to 5 of our hosted lists.  They 
> were caught (per the vette log) by 3 of those lists as a non-member, but 
> posted successfully to the other 2 lists (per smtp and post logs).
> 
> I've checked the docs and faqs and haven't found a reference for 
> something like this.  I've checked all the logs and the configs (via the 
> web interface) on the two lists that allowed the post.  I can't 
> find any reason for it and have to wonder if I'm checking everything. 
> I've looked thru everything that makes sense and much that doesn't.  If 
> I had hair I'd be pulling it out!

-- 
Lindsay Haisley       | "In an open world,    |     PGP public key
FMP Computer Services |    who needs Windows  |      available at
512-259-1190          |      or Gates"        | http://pubkeys.fmp.com
http://www.fmp.com    |                       |
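
One way to test the leaked-password theory raised in the reply above is to check raw copies of the spam for an "Approved:" header or pseudo-header. This is an added example, not part of the original thread and not Mailman code. It assumes raw copies of the messages as they arrived are available, and that "pseudo-header" means the first non-blank line of the first text/plain part. The sample messages and the function names are constructed for illustration.

```python
import email
from email import policy

# Header name taken from the post above; extend the tuple for local variants.
APPROVAL_HEADERS = ("approved",)

def _first_text_line(msg):
    """Return the first non-blank line of the first text/plain part, or ''."""
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            for line in part.get_content().splitlines():
                if line.strip():
                    return line.strip()
            return ""
    return ""

def find_approval_marker(raw_bytes):
    """Return 'header', 'pseudo-header' or None. The value is never returned,
    so a real list password does not end up in reports or tickets."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    # Header lookup on email.message objects is case-insensitive.
    if any(msg.get(name) is not None for name in APPROVAL_HEADERS):
        return "header"
    name, sep, value = _first_text_line(msg).partition(":")
    if sep and name.strip().lower() in APPROVAL_HEADERS and value.strip():
        return "pseudo-header"
    return None

# Constructed sample messages (not taken from the thread).
SAMPLES = {
    "in-header": b"From: a@example.org\r\nTo: list@example.org\r\n"
                 b"Approved: placeholder-secret\r\nSubject: t\r\n\r\nbody\r\n",
    "in-body": b"From: a@example.org\r\nTo: list@example.org\r\n"
               b"Subject: t\r\n\r\n\r\nApproved: placeholder-secret\r\nrest\r\n",
    "ordinary": b"From: a@example.org\r\nTo: list@example.org\r\n"
                b"Subject: t\r\n\r\nThe post was approved: thanks.\r\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, "->", find_approval_marker(raw))
```

A hit on either form means the list password should be treated as exposed and changed; no hit points back to the list configuration.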



