[Mailman-Users] non-subscribers getting through--email address in "Real Name"

Grant Taylor gtaylor at tnetconsulting.net
Thu Jul 19 16:17:55 EDT 2018

On 07/19/2018 11:44 AM, Robert Heller wrote:
> All of which can be spoofed.

Yes.  Just about everything can be spoofed to some degree.  It really 
depends on what information the owner of the purported sending domain 
publishes and what filtering / consumption of said information the 
receiving server exercises.

I personally feel like Mailman, and many other similar things, should 
sit behind an external / edge SMTP server that does some of the heavy 
lifting and provides detection of and possibly protection against many 

> Mailman does not make any checks of the "Received:" headers (where the 
> bogosity of the other headers can be determined or can flag messages as 
> containing possibly spoofed headers).

I agree that there is some data in the Received: headers that may 
indicate a problem.  But such information is difficult to consistently / 
reliably / accurately extract or parse /without/ false positives.  It 
can also be difficult to correlate information across headers and 
determine what should and should not be allowed.  Let's not forget that 
it's just as easy to spoof Received: headers as it is to spoof other 
headers.  }:-)

Grant. . . .
unix || die
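
Added example, not part of the original message or of Mailman's code: a sketch of the point about Received: headers, showing that only the lines stamped by your own edge MTA can be believed and everything below them parses identically whether genuine or forged. The sample message, host names, IP addresses and the `TRUSTED` set are constructed assumptions.

```python
import re
from email import message_from_string

# Constructed sample: all hosts and addresses are made up (example.* names,
# RFC 5737 IPs). Newest Received: header is on top.
RAW = """\
Received: from relay.example.org (relay.example.org [198.51.100.7])
\tby mx.lists.example.net with ESMTP id A1; Thu, 19 Jul 2018 16:00:03 -0400
Received: from mail.member.example.com (mail.member.example.com [192.0.2.10])
\tby relay.example.org with ESMTP id B2; Thu, 19 Jul 2018 16:00:02 -0400
Received: from laptop.member.example.com ([192.0.2.44])
\tby mail.member.example.com with ESMTPSA id C3; Thu, 19 Jul 2018 16:00:01 -0400
From: "subscriber@member.example.com" <someone@elsewhere.example>
To: list@lists.example.net
Subject: test

body
"""

# Assumption: the only host whose stamps we believe is our own edge MTA.
TRUSTED = {"mx.lists.example.net"}

BY_RE = re.compile(r"\bby\s+([A-Za-z0-9.-]+)", re.I)
PEER_RE = re.compile(r"\[([0-9A-Fa-f.:]+)\]")

def by_host(value):
    """Host named in the 'by' clause, or None if the header does not parse."""
    m = BY_RE.search(value)
    return m.group(1).lower() if m else None

def split_at_trust_boundary(raw, trusted=TRUSTED):
    """Return (verified, unverified) Received: values, newest first."""
    received = message_from_string(raw).get_all("Received", [])
    for i, value in enumerate(received):
        if by_host(value) not in trusted:
            return received[:i], received[i:]
    return received, []

def connecting_peer(raw, trusted=TRUSTED):
    """IP our own MTA recorded for the host that handed us the message."""
    verified, _ = split_at_trust_boundary(raw, trusted)
    m = PEER_RE.search(verified[-1]) if verified else None
    return m.group(1) if m else None

if __name__ == "__main__":
    ok, claimed = split_at_trust_boundary(RAW)
    print("verified:", len(ok), "unverified:", len(claimed))
    print("peer seen by our MTA:", connecting_peer(RAW))
```

The two lower headers could have been written by the member's real mail path or typed in by whoever connected from 198.51.100.7; nothing in their text distinguishes the two cases, so only the peer address recorded by the trusted hop is usable as evidence.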

