[Mailman-Users] non-subscribers getting through--email address in "Real Name"
gtaylor at tnetconsulting.net
Thu Jul 19 11:02:22 EDT 2018
On 07/19/2018 06:16 AM, Robert Heller wrote:
> I mean it does not check things like the Received: headers *by default*. If
> the email part of the From: header is a list member address, Mailman
> will consider that the mail is from that member and pass the message on
> to the list, *even if the From: header is spoofed*. I expect that this
> is what is happening with the OP. It is a common spammer hack: somehow get
> a list of member addresses (or really hack a member's E-Mail account or
> PC and go from there).
> Yes, Mailman can be configured to check other headers, but this requires
> some configuration settings.
I have often wondered about enhancing Mailman, or augmenting it with a
milter, to be able to test the SMTP envelope from, to, and body content
against list parameters and be able to reject messages during the SMTP
IMHO it's a bit more difficult to spoof SMTP envelope details and bypass
SMTP level detections. This does assume that the sending domain does
publish the required info and that receiving mail servers actually
filter based on that.
Grant. . . .
unix || die
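
An added example, not part of the original post and not Mailman or milter code: a sketch of the comparison discussed in this thread, checking the From: header address, any address shown in the display name ("Real Name"), and the SMTP envelope sender against the member list. The function name, the finding tags, and the sample addresses are assumptions made for illustration, and the envelope sender is assumed to be supplied by the MTA or a milter.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Loose pattern for something that looks like an address inside a display name.
ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def sender_findings(envelope_from, raw_message, members):
    """Return tags describing why a post deserves moderation ([] if none).

    envelope_from: SMTP MAIL FROM value as handed over by the MTA or a milter
                   (assumed input; Mailman's own pipeline is not modelled here).
    raw_message:   the message text including headers.
    members:       iterable of subscribed addresses.
    """
    members = {m.lower() for m in members}
    env = envelope_from.strip().strip("<>").lower()
    display, header_addr = parseaddr(message_from_string(raw_message).get("From", ""))
    header_addr = header_addr.lower()

    findings = []
    # An address shown in the display name that differs from the real addr-spec.
    if any(a.lower() != header_addr for a in ADDR_RE.findall(display)):
        findings.append("display-name-address")
    # Header claims a member, but the SMTP envelope says someone else sent it.
    if header_addr in members and env != header_addr:
        findings.append("envelope-mismatch")
    # Neither identity belongs to a subscriber.
    if header_addr not in members and env not in members:
        findings.append("non-member")
    return findings


# Constructed sample data for illustration only.
MEMBERS = ["alice@example.org", "bob@example.org"]
LEGIT = "From: Alice <alice@example.org>\nSubject: hi\n\nbody\n"
SPOOFED = "From: Alice <alice@example.org>\nSubject: deal\n\nbody\n"
NAME_TRICK = 'From: "alice@example.org" <promo@bulk.example>\nSubject: deal\n\nbody\n'

if __name__ == "__main__":
    print(sender_findings("alice@example.org", LEGIT, MEMBERS))
    print(sender_findings("promo@bulk.example", SPOOFED, MEMBERS))
    print(sender_findings("promo@bulk.example", NAME_TRICK, MEMBERS))
```

An envelope/header mismatch also occurs with legitimate mail (forwarders, bounce-tagged envelope senders), so these tags suit a hold-for-moderation decision rather than an outright reject.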