[Mailman-Users] Non-subscribers defeating the generic non-member action
Robert Boyd Skipper
robert at skipperweb.org
Mon Jul 6 18:26:24 CEST 2009
Mark:
Thank you for this info. I'll see if I have access to
archives/private/LIST.mbox/List.mbox.
To answer your question, I made a mistake in the regex (it's been years
since messing with those little darlings). I actually blocked the
spoofed email by putting "test at mydomain.org" in the "discard these
non-members" list. Since I have also been getting emails from
"test at otherdomain.com" I thought I would just discard everything with a
username the same as my (pretty unique) listname. But I see now that I
got that regex wrong.
I don't understand how non-alphanumeric characters made a difference,
either, but they did. Emails containing such characters were not in
general a problem, but if they started with a '_' or a '-' or something
of the sort, Mailman would simply let them through. When I put the
following regexes into the spam filter rule 1, the problem stopped:
from: _.*@.*
from: -.*@.*
and then, later, just in case, I added
from: \W.*@.*
Skipper
Mark Sapiro wrote:
> Robert Boyd Skipper wrote:
>
>> I've been running lists for years, and the filtering has been pretty
>> good at blocking posts from non-members. But recently, there have been
>> some leaks, allowing non-member spammers to slip a message onto the
>> list. The first time this happened, it turned out to be due to
>> non-alphanumeric characters at the beginning of email addresses in the
>> From: field.
>>
>
>
> I don't know why non-alphanumeric characters in the address would by
> themselves cause a non-member post to be accepted.
>
>
>
>> So, I made a regex filter that put a stop to that. But
>> now, it has happened again, and I can't see anything unusual about the
>> emails. Has anyone else noticed this happening?
>>
>> One of those emails that say "Can't see images? Click here!" got
>> through. The subject line reads, "[test] Dear test at mydomain.org
>> Shopping just got a lot easier!" (I've substituted dummy names for
>> real ones.) Where you see four spaces in the Subject line, there
>> instead appeared a small circle.
>>
>
>
> The Subject: header has nothing to do with whether or not the post is
> accepted.
>
>
>
>> The From: field had the name "Doctor
>> Joe Smith," but on mouseover, it said "test at mydomain.org." Now I've had
>> many hundreds of emails that spoofed the name of my list in the past.
>> And the program always caught them. This one got through. Doctor Joe
>> Smith is not a subscriber and his name does not appear in any of the
>> non-member filters.
>>
>
>
> The "real name" in the From: header also has nothing to do with it.
>
>
>
>> I've blocked anything that claims to come from "test\@.*" and that seems
>> to have stopped it, but I don't think the spoofing explains the problem,
>> since Mailman had previously blocked about ten posts per day that
>> spoofed the listname. It could be that I've never seen the combination
>> of a person's name and the listname in the From: field. I just don't
>> remember.
>>
>
>
> By default (this can be changed in mm_cfg.py but normally isn't), Mailman
> looks at the addresses in From:, Reply-To: and Sender: headers and the
> envelope sender address to determine if the post is "from" a list member.
>
>
>
>> Any thoughts? I saved the email.
>>
>
>
> The mail received from the list will not reflect the original envelope
> sender or Sender: header and may not reflect the original Reply-To:. Thus
> it is not completely useful in diagnosing this. If you have access to the
> archives/private/LIST.mbox/List.mbox file, the message archived there will
> have the original Sender: if any and may have a Return-Path: header
> indicating the original envelope sender.
>
> How are you "blocking" mail from "test\@.*"?
>
> What if anything is in the list's accept_these_nonmembers?
>
>
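
The reply quoted above says Mailman checks the From:, Reply-To: and Sender: headers and the envelope sender, and that the archived mbox keeps the original Sender: and possibly a Return-Path:. As an added illustration (not part of the original thread and not Mailman's own code), this script reports which of those headers in each archived message carries a member address. The sample messages, member addresses and function names are constructed, and Return-Path: is assumed to stand in for the envelope sender.

```python
import mailbox, os, tempfile
from email.utils import getaddresses
# Headers named in the reply above; Return-Path stands in for the envelope sender.
CHECKED = ("From", "Reply-To", "Sender", "Return-Path")
# Constructed sample archive (not real traffic); addresses are placeholders.
SAMPLE_MBOX = """\
From bulk@sender.example Mon Jul  6 10:00:00 2009
Return-Path: <bulk@sender.example>
From: Doctor Joe Smith <test@mydomain.org>
Sender: alice@member.example
Subject: [test] Shopping just got a lot easier!

body

From bob@member.example Mon Jul  6 11:00:00 2009
Return-Path: <bob@member.example>
From: Bob <bob@member.example>
Subject: real post

body
"""

def sender_candidates(msg):
    """Return (header, address) pairs for every address in the checked headers."""
    return [(name, addr.lower())
            for name in CHECKED
            for _, addr in getaddresses(msg.get_all(name, [])) if addr]

def audit(mbox_path, members):
    """Per archived message: which checked headers carried a member address."""
    members = {m.lower() for m in members}
    box = mailbox.mbox(mbox_path)
    try:
        return [(msg.get("Subject", ""),
                 [(h, a) for h, a in sender_candidates(msg) if a in members])
                for msg in box]
    finally:
        box.close()

def demo():
    """Write the constructed archive to a temp file and audit it."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "List.mbox")
        with open(path, "w") as f:
            f.write(SAMPLE_MBOX)
        return audit(path, ["alice@member.example", "bob@member.example"])

if __name__ == "__main__":
    for subject, hits in demo():
        print(subject, "->", hits or "no member address in checked headers")
```

A message whose only hit is a header other than From: is the kind the delivered copy cannot explain, which is why the archive copy is the one to inspect.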