[Mailman-Users] non-subscriber managed to post to a subscriberonly list

Lindsay Haisley fmouse-mailman at fmp.com
Mon Jan 26 23:38:54 CET 2009

On Mon, 2009-01-26 at 15:26 -0700, Steve Lindemann wrote:
> Thanks! Got it!  They spoofed a legitimate list member on the 
> Return-Path:, which also showed up on the first ("From ") message header 
> line.

Both of these reflect the envelope sender address used in the SMTP
dialog with the mail server.

> I don't suppose there's anything we can do about this other than change 
> that particular user's email address... is there?

You can restrict the set of headers used to identify subscribers using
the SENDER_HEADERS variable in mm_cfg.py, as Mark indicated.  By default
(in Defaults.py) this is:

SENDER_HEADERS = ('from', None, 'reply-to', 'sender')

You can eliminate the envelope sender address from the mix by setting
this simply to:

SENDER_HEADERS = ('from', 'reply-to')

or drop 'reply-to' if you want to be even more restrictive.

Lindsay Haisley       |"Fighting against human |     PGP public key
FMP Computer Services |   creativity is like   |      available at
512-259-1190          |   trying to eradicate  |<http://pubkeys.fmp.com>
http://www.fmp.com    |       dandelions"      |
                      |     (Pamela Jones)     |
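
Added example (not part of the original message, and not Mailman's own code): a simplified Python model of how a SENDER_HEADERS-style tuple selects the addresses that are checked against the member roster, with None standing for the envelope sender read from the "From " line. The roster, the sample message and the function names are constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses

# The two settings quoted in the message above.
DEFAULT_SENDER_HEADERS = ('from', None, 'reply-to', 'sender')
RESTRICTED_SENDER_HEADERS = ('from', 'reply-to')

# Constructed roster and constructed message: the envelope sender is a
# list member's address, the From: header is not.
MEMBERS = {'alice@example.org'}
SPOOFED = """From alice@example.org Mon Jan 26 15:00:00 2009
Return-Path: <alice@example.org>
From: Someone Else <outsider@example.net>
To: list@example.com
Subject: hello

body
"""
GENUINE = SPOOFED.replace('Someone Else <outsider@example.net>',
                          'Alice <alice@example.org>')


def candidate_senders(msg, sender_headers):
    """Collect every address the given header list would consider."""
    found = []
    for name in sender_headers:
        if name is None:
            # Envelope sender: second token of the "From " line.
            parts = (msg.get_unixfrom() or '').split()
            if len(parts) > 1:
                found.append(parts[1].lower())
        else:
            for _realname, addr in getaddresses(msg.get_all(name, [])):
                if addr:
                    found.append(addr.lower())
    return found


def treated_as_member(raw, sender_headers, members=MEMBERS):
    """True if any candidate sender address is on the roster."""
    msg = message_from_string(raw)
    return any(a in members for a in candidate_senders(msg, sender_headers))


if __name__ == '__main__':
    for label, hdrs in (('default', DEFAULT_SENDER_HEADERS),
                        ('restricted', RESTRICTED_SENDER_HEADERS)):
        print(label, 'spoofed envelope ->', treated_as_member(SPOOFED, hdrs))
        print(label, 'genuine member   ->', treated_as_member(GENUINE, hdrs))
```
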
