[Mailman-Users] non-subscribers getting through--email address in "Real Name"

Robert Heller heller at deepsoft.com
Thu Jul 19 13:44:03 EDT 2018


At Thu, 19 Jul 2018 10:25:01 -0700 Mark Sapiro <mark at msapiro.net> wrote:

> 
> On 07/19/2018 05:16 AM, Robert Heller wrote:
> > At Wed, 18 Jul 2018 19:33:20 -0700 Mark Sapiro <mark at msapiro.net> wrote:
> > 
> >>
> >> On 07/18/2018 07:10 PM, Robert Heller wrote:
> >>>
> >>> Mailman only checks the From: header...
> >>
> >>
> >> Not true. See my other reply in this thread.
> > 
> > I mean it does not check things like the Received: headers *by default*. If
> > the email part of the From: header is a list member address, Mailman will
> > consider that the mail is from that member and pass the message on to the
> > list, *even if the From: header is spoofed*. I expect that this is what
> > happening with the OP. It is a common spammer hack: somehow get a list of
> > member addresses (or really hack a member's E-Mail accoung or PC and go from
> > there).
> > 
> > Yes, Mail mail can be configured to check other headers, but this requires 
> > some configuration settings.
> 
> 
> My point is that standard, default Mailman checks not only the From:
> header for list member addresses, it also checks the envelope sender and
> the Reply-To: and Sender: headers.

All of which can be spoofed.  Mailman does not make any checks of the 
"Received:" headers (where the bogosity of the other headers can be determined 
or can flag messages as containing possibly spoofed headers).

> 

-- 
Robert Heller             -- 978-544-6933
Deepwoods Software        -- Custom Software Services
http://www.deepsoft.com/  -- Linux Administration Services
heller at deepsoft.com       -- Webhosting Services
                                      


More information about the Mailman-Users mailing list