[Mailman-Users] Non-subscribers defeating the generic non-member action

Mark Sapiro mark at msapiro.net
Mon Jul 6 16:53:18 CEST 2009


Robert Boyd Skipper wrote:
>
> I've been running lists for years, and the filtering has been pretty
> good at blocking posts from non-members.  But recently, there have been
> some leaks, allowing non-member spammers to slip a message onto the
> list.  The first time this happened, it turned out to be due to
> non-alphanumeric characters at the beginning of email addresses in the
> From: field.


I don't know why non-alphanumeric characters in the address would by
themselves cause a non-member post to be accepted.


> So, I made a regex filter that put a stop to that. But
> now, it has happened again, and I can't see anything unusual about the
> emails.  Has anyone else noticed this happening?
>
> One of those emails that say "Can't see images? Click here!" got
> through.  The subject line reads, "[test] Dear test at mydomain.org
> Shopping just got a lot    easier!"  (I've substituted dummy names for
> real ones.)  Where you see four spaces in the Subject line, there
> instead appeared a small circle.


The Subject: header has nothing to do with whether or not the post is
accepted.


> The From: field had the name "Doctor
> Joe Smith," but on mouseover, it said "test at mydomain.org."  Now I've had
> many hundreds of emails that spoofed the name of my list in the past.
> And the program always caught them.  This one got through.  Doctor Joe
> Smith is not a subscriber and his name does not appear in any of the
> non-member filters.


The "real name" in the From: header also has nothing to do with it.


> I've blocked anything that claims to come from "test\@.*" and that seems
> to have stopped it, but I don't think the spoofing explains the problem,
> since mailman had previously blocked about ten posts per day that
> spoofed the listname. It could be that I've never seen the combination
> of a person's name and the listname in the From: field.  I just don't
> remember.


By default (this can be changed in mm_cfg.py but normally isn't), Mailman
looks at the addresses in From:, Reply-To: and Sender: headers and the
envelope sender address to determine if the post is "from" a list member.


> Any thoughts?  I saved the email.


The mail received from the list will not reflect the original envelope
sender or Sender: header and may not reflect the original Reply-To:. Thus
it is not completely useful in diagnosing this. If you have access to the
archives/private/LIST.mbox/List.mbox file, the message archived there will
have the original Sender: if any and may have a Return-Path: header
indicating the original envelope sender.

How are you "blocking" mail from "test\@.*"?

What if anything is in the list's accept_these_nonmembers?

-- 
Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
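
[Added example, not part of the original message and not Mailman's own code.] The check suggested above can be run over the list's mbox archive: for each archived post, list which of From:, Reply-To:, Sender:, Return-Path: or the mbox envelope line names a list member. The addresses, the sample message and the exact lower-case comparison are constructed assumptions for illustration.

```python
import email.utils
import mailbox
import os
import tempfile

# Headers the reply names, plus Return-Path: as a record of the envelope sender.
CHECKED = ("From", "Reply-To", "Sender", "Return-Path")

def sender_candidates(msg):
    """Every (source, address) pair that could make a post look like a member's."""
    pairs = []
    for header in CHECKED:
        for _, addr in email.utils.getaddresses(msg.get_all(header, [])):
            if addr:
                pairs.append((header, addr.lower()))
    # The mbox "From " separator line starts with the envelope sender.
    unixfrom = (msg.get_from() or "").split()
    if unixfrom:
        pairs.append(("envelope", unixfrom[0].lower()))
    return pairs

def member_matches(mbox_path, members):
    """For each archived message, list the sender fields that name a member."""
    members = {m.lower() for m in members}
    box = mailbox.mbox(mbox_path)
    try:
        return [(msg.get("Subject", ""),
                 [(src, a) for src, a in sender_candidates(msg) if a in members])
                for msg in box]
    finally:
        box.close()

# Constructed sample: From: is a non-member, but Sender: names a member.
SAMPLE = """\
From bounce@spam.example Mon Jul  6 10:00:00 2009
Return-Path: <bounce@spam.example>
From: Doctor Joe Smith <joe@spam.example>
Sender: member@example.org
Subject: constructed test message

body
"""

def demo():
    with tempfile.NamedTemporaryFile("w", suffix=".mbox", delete=False) as fh:
        fh.write(SAMPLE)
    try:
        return member_matches(fh.name, ["member@example.org"])
    finally:
        os.unlink(fh.name)

if __name__ == "__main__":
    print(demo())
```

A post with a non-empty match list was "from" a member by one of those fields even if the visible From: address was not.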
