[Mailman-Users] Recent phishing mails are targeting mailing-lists -- and do pass

Mark Sapiro mark at msapiro.net
Tue Sep 26 00:31:05 EDT 2017

On 09/25/2017 03:49 AM, Ralf Hildebrandt wrote:
> Recent phishing mails are targeting mailing-lists -- and do pass.
> From our logs:
> Sep 25 12:10:41 2017 (1940) post to rundmail-it from sabishi.meister at charite.de, size=4760, message-id=<486320030245.201792592050 at charite.de>, success
> But the headers of the mail that was automatically passed (since
> sabishi.meister at charite.de is a member) was:
> From: "Sabishi.Meister@" <charite.de events at tryphotels.ae>

A post is considered to be from a list member if any of the headers in
the Defaults.py/mm_cfg.py SENDER_HEADERS setting contains a member
address. The default setting is

SENDER_HEADERS = ('from', None, 'reply-to', 'sender')

(None means the envelope sender). Assuming you have the default setting,
the sabishi.meister at charite.de address was either the envelope sender or
in Reply-To: or Sender:.

You could set

SENDER_HEADERS = ('from',)

in mm_cfg.py to test only the From: for list membership.

Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

More information about the Mailman-Users mailing list