[Mailman-Users] Detecting mail with multiple From: lines

Jay A. Sekora jsekora at csail.mit.edu
Fri May 20 19:09:24 CEST 2011

Hi.  I had been noting with trepidation the recent rise in spam mail
with multiple spoofed From: lines, e.g.,

From: me at example.net
From: you at example.net
From: list at example.net
To: list at example.net

since that drastically increases the chances of any given spam message
having a spoofed From: line that matches a list member.  Recently, one
of our lists (running Mailman 2.1.11 from Debian packages) actually got
hit with a bunch of spam like that.

That particular list actually had (the equivalent of)
"list at example.net", among other addresses, in discard_these_nonmembers,
but that didn't actually have any effect.  (None of the spoofed from
addresses were in accept_these_nonmembers.)  So I am guessing that when
it gets mail with multiple From: addresses (or maybe just with multiple
From: headers on separate lines), Mailman is doing some sort of header
canonicalization that breaks discard_these_nonmembers.  (I will note
that the list address was listed as a string, not a regex.)

So my question is twofold:

(1) Is there a way, within Mailman 2.1.11 itself, I can test whether a
message has multiple *senders*, and hold for moderation or discard based
on that?  (I'd be happy either catching anything with multiple From:
lines, or if all the possible places Mailman looks for a sender are
conflated, anything with more than two or three different senders.)

(2) Is there a way I can make discard_these_nonmembers and/or
hold_these_nonmembers work with from addresses in these sorts of
messages?  (Maybe Mailman concatenates all the sender addresses and I
therefore need to use a regular expression, for instance?)

Thanks in advance!


PS -- In case it's relevant, all our list mail is forwarded via aliases
from the published address to an address handled by the Mailman server,
so doing stuff at SMTP time is more complicated than it would otherwise
be.  I wouldn't mind advice for dealing with this stuff in Exim as well,
if anybody happens to have some handy, but we *do* have (a small amount
of) legitimate mail that has multiple From: headers.  I know how to
score this stuff higher in SpamAssassin, but given various peculiarities
I'd really like to know how to do it in Mailman as well.
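
As an added illustration (not part of the original post and not Mailman code), the check asked about in question (1) can be sketched with Python's standard `email` package: count the From: header fields and the distinct addresses inside them. The sample messages are constructed, and `from_summary`, `decide` and the `max_authors` threshold are hypothetical names and policy; the policy holds rather than discards because the post mentions legitimate mail with multiple From: headers.

```python
import email
from email.utils import getaddresses

# Constructed sample messages (not real traffic).
SPOOFED = (
    "From: me@example.net\n"
    "From: you@example.net\n"
    "From: list@example.net\n"
    "To: list@example.net\n"
    "\n"
    "body\n"
)
SINGLE = "From: Me <me@example.net>\nTo: list@example.net\n\nbody\n"
# One From: field, folded over two lines, naming two authors.
FOLDED = "From: me@example.net,\n you@example.net\nTo: list@example.net\n\nbody\n"


def from_summary(raw):
    """Return (count of From: header fields, sorted distinct addresses in them)."""
    msg = email.message_from_string(raw)
    fields = msg.get_all("From", [])
    # getaddresses() splits every field into (display name, address) pairs.
    addrs = {addr.lower() for _name, addr in getaddresses(fields) if addr}
    return len(fields), sorted(addrs)


def decide(raw, max_authors=1):
    """Hypothetical policy: hold, never discard, when From: looks multiplied."""
    n_fields, addrs = from_summary(raw)
    if n_fields > 1:
        return ("hold", "%d From: header fields" % n_fields)
    if len(addrs) > max_authors:
        return ("hold", "%d author addresses in From:" % len(addrs))
    return ("accept", "single author")


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("single", SINGLE), ("folded", FOLDED)):
        print(label, from_summary(raw), decide(raw))
```

A folded From: field counts as one header field, so the two checks separate "several From: lines" from "one From: line naming several authors".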
