[Mailman-Users] non-subscribers getting through--email address in "Real Name"

[Matt Morgan]

On one of my lists I'm seeing some spam from non-subscribers getting
through. It appears that the trick is to put a subscriber's address in the
"real name" of the sender. E.g., this got through, without being held for
moderation, on a list with generic_nonmember_action = discard (emails of
the innocent obfuscated):

*From:* "xxx at johnxxx.com <jgl at johngreenwaltlee.com>" <enrollment at ekonek.com>
*Date:* July 18, 2018 at 5:27:24 PM CDT
*To:* <listname at server.org <osg-l at cool.conservation-us.org>>
*Subject:* *[OSG-l] No. PL-01-17923 AIC Objects Specialty Group Discussion*
*Reply-To:* My List's Name <listname at server.org
<osg-l at cool.conservation-us.org>>


Account Summary:
---------------------------
Invoice No: No. PL-01-17923
Billing Date: Jul 19, 2018
Due Date: Jul 22, 2018
Amount Due: 1,047.48
Download DOC:

etc. (I'm avoiding sharing the links that follow). xxx at johnxxx.com IS a
subscriber on the list. However enrollment at ekonek.com is not. Yet this
message went straight through, as if it had been sent by a subscriber.

I've looked at the archives of mailman-users and it looks like--from a very
old discussion--that

a) this cheap trick should not be sufficient to allow the message through
b) the content of the message as delivered to the list may not reflect the
exact contents/metadata of the message as it was sent.

Still, I don't really know what else could be going on here, or how to
investigate. Suggestions?

Thanks!
Matt