[Mailman-Users] Detecting mail with multiple From: lines
mark at msapiro.net
Sat May 21 06:55:30 CEST 2011
Jay A. Sekora wrote:
>Hi. I had been noting with trepidation the recent rise in spam mail
>with multiple spoofed From: lines, e.g.,
>From: me at example.net
>From: you at example.net
>From: list at example.net
>To: list at example.net
>since that drastically increases the chances of any given spam message
>having a spoofed From: line that matches a list member. Recently, one
>of our lists (running Mailman 2.1.11 from Debian packages) actually got
>hit with a bunch of spam like that.
>That particular list actually had (the equivalent of)
>"list at example.net", among other addresses, in discard_these_nonmembers,
>but that didn't actually have any effect. (None of the spoofed from
>addresses were in accept_these_nonmembers .) So I am guessing that when
>it gets mail with multiple From: addresses (or maybe just with multiple
>From: headers on separate lines), Mailman is doing some sort of header
>canonicalization that breaks discard_these_nonmembers. (I will note
>that the list address was listed as a string, not a regex.)
>So my question is twofold:
>(1) Is there a way, within Mailman 2.1.11 itself, I can test whether a
>message has multiple *senders*, and hold for moderation or discard based
>on that? (I'd be happy either catching anything with multiple From:
>lines, or if all the possible places Mailman looks for a sender are
>conflated, anything with more than two or three different senders.)
First let me give some background detail. Mailman implements two
different email message methods for determining the sender of an
email. These methods are called get_sender() and get_senders(). By
default, get_senders() returns a list of all the addresses found in
any From: headers, the 'unix from' or envelope sender, and any
Reply-To: or Sender: headers in that order. This can be changed by the
mm_cfg.py setting SENDER_HEADERS.
The get_sender() method returns the first address found in a From: or
Sender: header or the 'unix from' in that order (by default, although
the mm_cfg.py setting USE_ENVELOPE_SENDER if true changes the order to
Sender:, From:, 'unix from').
Tests for list membership, i.e. is this post from a member; is this
member moderated, test all addresses returned by get_senders() and use
the first address that matches a member, if any.
Tests for *_these_nonmembers use the address returned by get_sender()
which by default at least is the first address from the first From:
This is part of why *_these_nonmembers doesn't hit, but if one of the
From: headers is a member, the post will be considered a member post
and *_these_nonmembers will not be consulted at all.
To answer your question, put a regexp like
in Privacy options... -> Spam filters -> header_filter_rules. These
regexps are searched in IGNORECASE and MULTILINE mode. The (?s) will
set DOTALL (dot matches all) mode as well. Your regexp will be
searched for in a string consisting of all the message headers and
will catch multiple From: headers. Give that rule an appropriate
action and you're set.
>(2) Is there a way I can make discard_these_nonmembers and/or
>hold_these_nonmembers work with from addresses in these sorts of
>messages? (Maybe Mailman concatenates all the sender addresses and I
>therefore need to use a regular expression, for instance?)
As I discuss above, no.
>Thanks in advance!
>PS -- In case it's relevant, all our list mail is forwarded via aliases
>from the published address to an address handled by the Mailman server,
>so doing stuff at SMTP time is more complicated than it would otherwise
>be. I wouldn't mind advice for dealing with this stuff in Exim as well,
>if anybody happens to have some handy, but we *do* have (a small amount
>of) legitimate mail that has multiple From: headers. I know how to
>score this stuff higher in SpamAssassin, but given various peculiarities
>I'd really like to know how to do it in Mailman as well.
Short of a custom handler, I think header_filter_rules is the way to go.
Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
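
The behaviour described in the reply above, as an added example that is not part of the original post and is not Mailman's code: it emulates the default get_sender() / get_senders() ordering with Python's standard email package and searches the joined headers the way header_filter_rules is described. The pattern, the function names, the outcome labels and the sample addresses (written with @) are assumptions made for the illustration.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Constructed sample modelled on the headers quoted in the post.
SPAM = ("From: me@example.net\nFrom: you@example.net\n"
        "From: list@example.net\nTo: list@example.net\n"
        "X-From: not-a-from-header@example.net\n\nFrom: in the body\n")
ENVELOPE = "bounce@spam.example"  # constructed 'unix from' address

# Assumed pattern: two header lines that both start with "From:".
# IGNORECASE and MULTILINE mirror how the reply says rules are searched.
MULTI_FROM = re.compile(r"(?s)^from:.*^from:", re.IGNORECASE | re.MULTILINE)

def addresses(msg, header):
    return [addr.lower() for _, addr in getaddresses(msg.get_all(header, []))]

def has_multiple_from(msg):
    # The rule is searched in one string made of all the message headers.
    headers = "\n".join(f"{name}: {value}" for name, value in msg.items())
    return MULTI_FROM.search(headers) is not None

def first_sender(msg, envelope):
    # get_sender()-like default order: From:, Sender:, then 'unix from'.
    for header in ("from", "sender"):
        found = addresses(msg, header)
        if found:
            return found[0]
    return envelope

def all_senders(msg, envelope):
    # get_senders()-like default order: From:, 'unix from', Reply-To:, Sender:.
    return (addresses(msg, "from") + [envelope]
            + addresses(msg, "reply-to") + addresses(msg, "sender"))

def moderation_outcome(msg, envelope, members, discard_nonmembers):
    # Membership is tested against every sender; the nonmember lists
    # are tested only against the single get_sender()-like address.
    if any(addr in members for addr in all_senders(msg, envelope)):
        return "member"
    if first_sender(msg, envelope) in discard_nonmembers:
        return "discard"
    return "generic_nonmember_action"

if __name__ == "__main__":
    msg = message_from_string(SPAM)
    print(has_multiple_from(msg), first_sender(msg, ENVELOPE))
    print(moderation_outcome(msg, ENVELOPE, set(), {"list@example.net"}))
```

With list@example.net in the discard list the sample still falls through to the generic nonmember action, because only the first From: address is compared, while the multiple-From: pattern matches regardless of address order.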