[Mailman-Users] Non-members allowed to post!

David Gibbs david at midrange.com
Tue Mar 8 16:27:22 CET 2005


I did a bit more digging ... it seems that mail coming in from the GMane
system is not being parsed correctly by Mailman.

As a somewhat knee-jerk reaction, I turned on the moderation flag for
all subscribers to stop the unauthorized posting.

A few minutes ago I got a moderation notification that indicated that a
message was being posted from 'rpg400 at m.gmane.org'.

> As list administrator, your authorization is requested for the
> following mailing list posting:
>
>     List:    RPG400-L at midrange.com
>     From:    rpg400 at m.gmane.org
>     Subject: Re: Making Triggers Resilient
>     Reason:  Post to moderated list



The message, however, had not been submitted BY rpg400 at m.gmane.org; it
was submitted from a normal subscriber.

Here are the headers from the message (somewhat scrubbed to protect
privacy)...

> To: rpg400-l at midrange.com
> From: "Buck Calabro" <buck.calabro at xxxxxx>
> Subject: Re: Making Triggers Resilient
> Date: Wed, 2 Mar 2005 14:43:43 -0500
> Lines: 16
> Message-ID: <d054ob$ehk$1 at sea.gmane.org>
> X-Complaints-To: usenet at sea.gmane.org
> X-Gmane-NNTP-Posting-Host: 209-23-60-152.tvc-ip.com
> X-MSMail-Priority: Normal
> X-Newsreader: Microsoft Outlook Express 5.50.4922.1500
> X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4925.2800
> Sender: news <news at sea.gmane.org>
> X-Gmane-MailScanner: Found to be clean
> X-Gmane-MailScanner: Found to be clean
> X-MailScanner-From: rpg400 at m.gmane.org
> X-MailScanner-To: rpg400-l at midrange.com


The only place that rpg400 at m.gmane.org shows up is in the
'X-MailScanner-From:' header.

It appears that Mailman is picking up the 'From:' information from the
wrong header.

Is this a problem with Gmane or Mailman?

david

Mark Sapiro wrote:
> David Gibbs wrote:
> 
>>I have a serious problem here that I can't seem to figure out.  I've 
>>been running Mailman for a very long time and have never seen this 
>>behavior before.
>>
>>A person is posting messages via GMane, but they are not subscribed to 
>>the list.  However, their messages are being allowed to post!
>>
>>I have my list configured with ...
>>
>>generic_nonmember_action = hold
>>accept_these_nonmembers = <empty>
>>default_member_moderation = yes
>>member_moderation_action = hold
>>
>>As you can see from this post log entry, the posting was accepted ...
>>
>>Mar 02 09:26:10 2005 (28195) post to rpg400-l from pearlsoft at xxxxxxxxx, 
>>size=2570, message-id=<d04kvp$kot$1 at sea.gmane.org>, success
>>
>>But 'pearlsoft at xxxxxxxxx' is not subscribed to any of my lists.
> 
> 
> The address in the post log entry (pearlsoft at xxxxxxxxx in this case) is
> not necessarily the address which was validated for the list. There
> are various possibilities, but for example, the address in the post
> log entry could be the From: header address while the address that was
> accepted as a member could be the envelope sender (or unixfrom)
> address.
> 
> You may be able to get the incoming envelope sender from your MTA logs.
> 
> Also, if the list password has been compromised, the post could have
> contained an Approved: header/line.
> 
> Both the original envelope sender and any Approved: header/line are
> gone from the post as received from the list making it difficult to
> diagnose this.
> 
> Still, looking at the post as received from the list might reveal a
> Sender: or Resent-From: or other header that might have a member's
> address.
> 
> --
> Mark Sapiro <msapiro at value.net>       The highway is for gamblers,
> San Francisco Bay Area, California    better use your sense - B. Dylan
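
The check Mark Sapiro describes above (the address shown in the post log versus the address that actually matched a member), as an added example that is not part of the original thread and is not Mailman's own code. The header set, the choice of From: as the logged address, and all sample addresses are assumptions or constructed placeholders.

```python
from email import message_from_string
from email.utils import getaddresses

# Headers named in the reply above; which ones a given Mailman
# version actually consults is an assumption here.
CANDIDATE_HEADERS = ("From", "Sender", "Resent-From")

def candidate_senders(raw, envelope_sender=None):
    """List (source, address) pairs that could identify the poster."""
    msg = message_from_string(raw)
    env = envelope_sender  # e.g. recovered from MTA logs
    if env is None and msg.get_unixfrom():
        # mbox-style "From addr date" line carries the envelope sender
        parts = msg.get_unixfrom().split()
        env = parts[1] if len(parts) > 1 else None
    found = [("envelope", env.lower())] if env else []
    for name in CANDIDATE_HEADERS:
        for _, addr in getaddresses(msg.get_all(name, [])):
            if addr:
                found.append((name, addr.lower()))
    return found

def explain_acceptance(raw, members, envelope_sender=None):
    """Compare the address a log would show with the ones matching a member."""
    members = {m.lower() for m in members}
    senders = candidate_senders(raw, envelope_sender)
    # Assumption: the post log shows the From: header address.
    logged = next((a for s, a in senders if s == "From"), None)
    matched = [(s, a) for s, a in senders if a in members]
    return {"logged_as": logged, "matched": matched}

# Constructed sample: all addresses are placeholders, not from the thread.
SAMPLE = """\
From gateway@news.example.org Wed Mar  2 14:43:43 2005
To: list@lists.example.org
From: "Poster" <poster@example.net>
Sender: news <news@news.example.org>
Subject: Re: test

body
"""
MEMBERS = ["Gateway@news.example.org"]

if __name__ == "__main__":
    print(explain_acceptance(SAMPLE, MEMBERS))
```

An empty `matched` list for a post that was still accepted points away from sender matching and toward the other cause raised in the reply, an Approved: header/line.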


