[Mailman-Users] strange problem

Bruce Harrison harrison at utm.edu
Thu Mar 14 20:21:53 CET 2013


Stephen,

Thanks for a good, detailed explanation.  Our one remaining Barracuda box is an outgoing mail filter, used mainly to keep "bad" users or malware from spamming from a utm.edu address.    We'll be moving to FOPE with Microsoft in the future (it currently does our in-bound mail filtering).
In Outlook, you can open a mail message, then have it display the actual headers.  When looking at a "Sent" message, there are no headers at all.  It appears to me it just shows what's in the text, including the To:, From:, etc.; no real mail headers we can find.
I don't know why the headers are repeated... I'm copying our Exchange guy on this note, he may have some ideas.

My mailman box uses its own localhost SMTP agent to handle its mail.  SMTP then connects to our main incoming mail host (mx1.utm.edu or xmail.utm.edu).  The CAS boxes are of course the CAS servers for Exchange.

I realize my info is somewhat incomplete.  The next time it happens, I'm going to try and track it from start to finish, etc.
We'll see what happens...

Bruce
UTM

-----Original Message-----
From: Stephen J. Turnbull [mailto:stephen at xemacs.org]
Sent: Thursday, March 14, 2013 2:09 PM
To: Bruce Harrison
Cc: Mark Sapiro; mailman-users at python.org
Subject: Re: [Mailman-Users] strange problem

I see the conversation has continued as I wrote.  I'll try to avoid duplication, but it would be a mess to rewrite the whole thing.

Bruce Harrison writes:

 > OK, there are no headers in the Sent folder as the mail message
 > gets copied in there before it goes thru the mail systems, so
 > nothing header wise to see there.

As Mark says, there must be some addressee information somewhere, otherwise the Sent folder couldn't display To and Cc information for you.  That's the information we need to see.

 > Below is a message showing the problem and then its headers.  In
 > this message, the bogus email address is Judy at mailman.utm.edu
 >
 > MESSAGE
 > ========
 > From: Terry Lewis <tlewis at utm.edu>
 > Date: Wednesday, March 13, 2013 7:31 AM
 > To: "utmcc-l at mailman.utm.edu" <utmcc-l at mailman.utm.edu>
 > Cc: Judy Sandefer <jsandefer at utm.edu>, "Judy at mailman.utm.edu" <Judy at mailman.utm.edu>, Edie Gibson <edgibson at utm.edu>, Thomas Rakes <trakes at utm.edu>
 > Subject: [utmcc-l] Nicholas Fortner

 > HEADERS
 > ========

I've "cleaned up" to include only information I've used, but thank you for sending the complete headers.

I don't understand why the EXCH2010CAS2 -> mxout1 field is repeated; I guess that has something to do with spam filtering since mxout1 identifies itself differently in the two fields (not shown here).
Ditto the mail from mailman.utm.edu to itself.

 > Received: from mailman.utm.edu by EXCH2010CAS1.utm.edu
 > Received: from mailman.utm.edu by mailman.utm.edu
 > Received: from mxout1.utm.edu by mailman.utm.edu
 > Received: from EXCH2010CAS2.utm.edu by mxout1.utm.edu
 > Received: from EXCH2010CAS2.utm.edu by mxout1.utm.edu
 > Received: from EXCH2010MBOX1.utm.edu by EXCH2010CAS2.utm.edu
 > From: Terry Lewis <tlewis at utm.edu>
 > To: "'utmcc-l at mailman.utm.edu'" <utmcc-l at mailman.utm.edu>
 > X-Barracuda-Connect: UNKNOWN[10.51.0.157]
 > CC: Sandefer <jsandefer at utm.edu>, <Judy at mailman.utm.edu>, Edie Gibson
 > 	<edgibson at utm.edu>, Thomas Rakes <trakes at utm.edu>

Unfortunately, these headers are clearly from after Mailman processed the message, so it's not possible to determine where the bogus address was introduced.  Looking at the Received fields, there are several candidates that might rewrite headers:

1. tlewis's MUA (Outlook)
2. the MTA that received the message from the user (EXCH2010MBOX1.utm.edu)
3. the spam checker (Barracuda, which is evidently a piece of trash --
   it inserts its trace headers out of order in a random place)
4. an internal MTA (EXCH2010CAS2.utm.edu aka 10.51.0.157)
5. the university's MTA on the spam firewall (mxout1.utm.edu)
6. Mailman
7. Mailman's outgoing MTA (mailman.utm.edu)

From the choice of bogus address (@mailman.utm.edu), it's almost certainly Mailman or mailman.utm.edu.  The other agents don't have the right (and probably not the knowledge) to use that address.  Almost certainly Mailman received the header:

    CC: Sandefer <jsandefer at utm.edu>, Judy, Edie Gibson <edgibson>, Thomas Rakes <trakes at utm.edu>

and either Mailman or mailman.utm.edu's MTA completed "Judy" to "<Judy at mailman.utm.edu>".

 > >I'll keep watching it.  I have a feeling outlook autocomplete
 > >might be involved.  However in the outlook sent folder, the bogus
 > >address isn't shown...

You shouldn't expect it to be.  You should expect just "Judy" by itself somewhere, surrounded by commas as above.

My guess is that the user entered "Sandefer, Judy" (perhaps with help from copy-and-paste or a completion feature), which Outlook completed to "Sandefer <jsandefer at utm.edu>, Judy" because it knows who "Sandefer" is, but not who "Judy" is.  It might even know who "Sandefer Judy" is, but inserting a comma makes "Judy" a separate addressee.  It then abandoned responsibility for the bogus data and just passed it on verbatim to the next program in the chain, and this irresponsibility continued through the entire UTM system until Mailman (or its MTA) said "hey, wait, *somebody* has to take ownership of this before it gets to the outside world and I guess that's me!"

Earlier Mark wrote:

 > I think you misunderstand what I was suggesting? I was suggesting a
 > Cc: of the form Thomas, Bill <bill.thomas at example.com>. I.e. an
 > address like bill.thomas at example.com with a display name of Thomas,
 > Bill, but improperly/incompletely quoted so that it is actually two
 > addresses; the address <bill.thomas at example.com> with display name
 > Bill and the local address Thomas.

This wouldn't produce the effect above, though, where the complete address gets the surname and the bogus address is based on the given name (the reverse of what Mark is suggesting).
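The two hypotheses in this thread (Stephen's "Sandefer, Judy" split and Mark's unquoted "Thomas, Bill" display name) both come down to how an address-list header is tokenised: an unquoted comma always starts a new addressee, and a bare word with no "@domain" is a valid local-part that a later MTA may complete with its own hostname. The following is an added illustration, not code from this thread or from Mailman, using Python's standard `email.utils` parser. The header values are constructed for the example, with example.com in place of the real domain; the function names are my own.

```python
from email.utils import getaddresses, formataddr

# Constructed sample header values (not the thread's real headers).
# The Cc: form Stephen infers Mailman received, with example.com substituted.
SAMPLE_CC = ('Sandefer <jsandefer@example.com>, Judy, '
             'Edie Gibson <edgibson>, Thomas Rakes <trakes@example.com>')

# Mark's hypothesis: a "Surname, Given" display name left unquoted.
UNQUOTED_DISPLAY_NAME = 'Thomas, Bill <bill.thomas@example.com>'


def parse_addresses(header_value):
    """Split an address-list header value into (display_name, addr_spec)
    pairs the way an RFC 5322 parser does. An unquoted comma separates
    addressees, so a stray "Judy" becomes an address of its own."""
    return getaddresses([header_value])


def find_bare_addresses(header_value):
    """Return addr-specs that have no '@domain' part. These are the entries
    a downstream MTA may silently complete with its own hostname, yielding
    an address nobody typed (the Judy@mailman-host effect in the thread).
    Flagging them at submission time is the check a site would want."""
    return [addr for _name, addr in parse_addresses(header_value)
            if addr and '@' not in addr]


def safe_display_name(display_name, addr_spec):
    """Build a header entry whose display name may contain a comma.
    formataddr() quotes the name, so the comma is no longer a separator
    and the entry parses back as exactly one addressee."""
    return formataddr((display_name, addr_spec))


if __name__ == '__main__':
    fixed = safe_display_name('Thomas, Bill', 'bill.thomas@example.com')
    for label, value in [('inferred Cc', SAMPLE_CC),
                         ('unquoted name', UNQUOTED_DISPLAY_NAME),
                         ('quoted name', fixed)]:
        print(label, '->', parse_addresses(value),
              '| bare:', find_bare_addresses(value))
```

Running it shows the inferred Cc: parsing into four addressees with two bare local-parts (`Judy` and `edgibson`), Mark's unquoted form splitting into a bare `Thomas` plus `Bill <bill.thomas@example.com>`, and the quoted form collapsing back to a single address. A mail gateway that rejects or warns on bare local-parts in To:/Cc: before forwarding would have stopped the bogus address from ever reaching the outside world.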
