[Mailman-Users] non-subscribers getting through--email address in "Real Name"

Grant Taylor gtaylor at tnetconsulting.net
Thu Jul 19 11:02:22 EDT 2018

On 07/19/2018 06:16 AM, Robert Heller wrote:
> I mean it does not check things like the Received: headers *by default*. If 
> the email part of the From: header is a list member address, Mailman 
> will consider that the mail is from that member and pass the message on 
> to the list, *even if the From: header is spoofed*. I expect that this 
> is what is happening with the OP. It is a common spammer hack: somehow get 
> a list of member addresses (or really hack a member's E-Mail account or 
> PC and go from there).
> Yes, Mailman can be configured to check other headers, but this requires 
> some configuration settings.

I have often wondered about enhancing Mailman, or augmenting it with a 
milter, to be able to test the SMTP envelope from, to, and body content 
against list parameters and be able to reject messages during the SMTP 
delivery transaction.

IMHO it's a bit more difficult to spoof SMTP envelope details and bypass 
SMTP level detections.  This does assume that the sending domain does 
publish the required info and that receiving mail servers actually 
filter based on that.

Grant. . . .
unix || die
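The two failure modes discussed in this thread (a member address tucked into the display name of From:, and a forged From: address that the default member check accepts) can be shown side by side. The following is an added example, not Mailman's own code or any milter from the project; the member list, addresses, sample messages and the three check functions are constructed for illustration, and the envelope-alignment rule is a simplified stand-in for the kind of SMTP-level test Grant describes.

```python
import email
from email.utils import parseaddr

# Constructed member list (not a real list).
MEMBERS = {"alice@example.org"}

# Constructed sample messages.
LEGIT = (
    "From: Alice <alice@example.org>\r\n"
    "To: list@example.org\r\n"
    "Subject: hello\r\n\r\nbody\r\n"
)

# Member address placed in the "Real Name" (display name); the actual
# address is an unrelated mailbox.
DISPLAY_NAME_SPOOF = (
    'From: "alice@example.org" <mailer@bulk.invalid>\r\n'
    "To: list@example.org\r\n"
    "Subject: hello\r\n\r\nbody\r\n"
)


def _from_header(raw_message):
    """Return the raw From: header text of an RFC 5322 message string."""
    msg = email.message_from_string(raw_message)
    return msg.get("From", "")


def naive_member_check(raw_message, members):
    """Substring match on the whole From: header.

    This is the weak check: any member address appearing anywhere in the
    header text, including the display name, counts as a match.
    """
    header = _from_header(raw_message).lower()
    return any(m in header for m in members)


def parsed_member_check(raw_message, members):
    """Match only the addr-spec part of From:, as a correct parser would.

    Defeats the display-name trick, but still trusts a forged From: address.
    """
    _, addr = parseaddr(_from_header(raw_message))
    return addr.lower() in members


def envelope_aligned_check(envelope_from, raw_message, members):
    """Hypothetical milter-style decision made during the SMTP transaction.

    Requires the From: addr-spec to be a member AND the envelope MAIL FROM
    domain to align with the From: domain (a simplified, DMARC-like rule).
    Returns "accept" or a "reject: ..." string.
    """
    _, header_addr = parseaddr(_from_header(raw_message))
    header_addr = header_addr.lower()
    if header_addr not in members:
        return "reject: From: address is not a list member"
    env_domain = envelope_from.lower().rpartition("@")[2]
    hdr_domain = header_addr.rpartition("@")[2]
    if env_domain != hdr_domain:
        return "reject: envelope sender domain %s does not align with %s" % (
            env_domain, hdr_domain)
    return "accept"


if __name__ == "__main__":
    print("naive, display-name spoof :", naive_member_check(DISPLAY_NAME_SPOOF, MEMBERS))
    print("parsed, display-name spoof:", parsed_member_check(DISPLAY_NAME_SPOOF, MEMBERS))
    print("parsed, legit             :", parsed_member_check(LEGIT, MEMBERS))
    print("envelope, legit           :",
          envelope_aligned_check("alice@example.org", LEGIT, MEMBERS))
    print("envelope, forged From:    :",
          envelope_aligned_check("bounce@bulk.invalid", LEGIT, MEMBERS))
```

The naive substring check accepts the display-name message, the parsed check rejects it, and only the envelope check rejects a message whose From: header is a member address but whose MAIL FROM comes from an unrelated domain. Real deployments would add SPF/DKIM evaluation and handle forwarders that legitimately rewrite the envelope sender, which is the caveat Grant raises about sending domains publishing the needed records.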

