[Mailman-Users] Non-subscribers defeating the generic non-member action

Robert Boyd Skipper robert at skipperweb.org
Mon Jul 6 18:26:24 CEST 2009


Mark:

Thank you for this info.  I'll see if I have access to 
archives/private/LIST.mbox/List.mbox. 

To answer your question, I made a mistake in the regex (it's been years 
since messing with those little darlings). I actually blocked the 
spoofed email by putting "test at mydomain.org" in the "discard these 
non-members" list.  Since I have also been getting emails from 
"test at otherdomain.com" I thought I would just discard everything with a 
username the same as my (pretty unique) listname.  But I see now that I 
got that regex wrong.

I don't understand how non-alphanumeric characters made a difference, 
either, but they did.  Emails containing such characters were not in 
general a problem, but if they started with a '_' or a '-' or something 
of the sort, mailman would simply let them through. When I put the 
following regexes into the spam filter rule 1, the problem stopped:
from: _.*@.*
from: -.*@.*
and then, later, just in case, I added
from: \W.*@.*

Skipper


Mark Sapiro wrote:
> Robert Boyd Skipper wrote:
>   
>> I've been running lists for years, and the filtering has been pretty
>> good at blocking posts from non-members.  But recently, there have been
>> some leaks, allowing non-member spammers to slip a message onto the
>> list.  The first time this happened, it turned out to be due to
>> non-alphanumeric characters at the beginning of email addresses in the
>> From: field.
>>     
>
>
> I don't know why non-alphanumeric characters in the address would by
> themselves cause a non-member post to be accepted.
>
>
>   
>> So, I made a regex filter that put a stop to that.   But
>> now, it has happened again, and I can't see anything unusual about the
>> emails.  Has anyone else noticed this happening?
>>
>> One of those emails that say "Can't see images? Click here!" got
>> through.  The subject line reads, "[test] Dear test at mydomain.org
>> Shopping just got a lot    easier!"  (I've substituted dummy names for
>> real ones.)  Where you see four spaces in the Subject line, there
>> instead appeared a small circle.
>>     
>
>
> The Subject: header has nothing to do with whether or not the post is
> accepted.
>
>
>   
>> The From: field had the name "Doctor
>> Joe Smith," but on mouseover, it said "test at mydomain.org."  Now I've had
>> many hundreds of emails that spoofed the name of my list in the past.
>> And the program always caught them.  This one got through.  Doctor Joe
>> Smith is not a subscriber and his name does not appear in any of the
>> non-member filters.
>>     
>
>
> The "real name" in the From: header also has nothing to do with it.
>
>
>   
>> I've blocked anything that claims to come from "test\@.*" and that seems
>> to have stopped it, but I don't think the spoofing explains the problem,
>> since mailman had previously blocked about ten posts per day that
>> spoofed the listname.   It could be that I've never seen the combination
>> of a person's name and the listname in the From: field.  I just don't
>> remember.
>>     
>
>
> By default (this can be changed in mm_cfg.py but normally isn't), Mailman
> looks at the addresses in From:, Reply-To: and Sender: headers and the
> envelope sender address to determine if the post is "from" a list member.
>
>
>   
>> Any thought?  I saved the email.
>>     
>
>
> The mail received from the list will not reflect the original envelope
> sender or Sender: header and may not reflect the original Reply-To:. Thus
> it is not completely useful in diagnosing this. If you have access to the
> archives/private/LIST.mbox/List.mbox file, the message archived there will
> have the original Sender: if any and may have a Return-Path: header
> indicating the original envelope sender.
>
> How are you "blocking" mail from "test\@.*"?
>
> What if anything is in the list's accept_these_nonmembers?
>
>   
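
The check suggested in the quoted reply, written out as an added example (it is not part of the original thread and is not Mailman's own code): for one archived message, list every address in the sender headers named above and show which header, if any, carries a member address. Return-Path stands in for the envelope sender, and the sample message, the member list and all function names are constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses

# Headers the reply names as the ones consulted for the membership test.
# Return-Path stands in for the envelope sender (assumption: it was
# recorded in the archived copy of the message).
SENDER_HEADERS = ("From", "Reply-To", "Sender", "Return-Path")

def candidate_senders(msg):
    """Return [(header, address)] for every address in the sender headers."""
    found = []
    for name in SENDER_HEADERS:
        for _realname, addr in getaddresses(msg.get_all(name, [])):
            if addr:
                found.append((name, addr.lower()))
    return found

def membership_matches(msg, members):
    """Return the (header, address) pairs whose address is a list member."""
    wanted = {m.lower() for m in members}
    return [(h, a) for h, a in candidate_senders(msg) if a in wanted]

def diagnose(raw, members):
    """Parse one raw message and report candidates and member matches."""
    msg = message_from_string(raw)
    return {"candidates": candidate_senders(msg),
            "matched": membership_matches(msg, members)}

# Constructed sample: the display name and the From: address are not
# members, but another sender header holds a member address.
SAMPLE = """\
Return-Path: <bounce@bulk.example>
From: "Doctor Joe Smith" <test@mydomain.example>
Sender: alice@member.example
Subject: [test] Shopping just got a lot easier!

body text
"""
MEMBERS = ["alice@member.example", "bob@member.example"]  # constructed

if __name__ == "__main__":
    report = diagnose(SAMPLE, MEMBERS)
    for header, addr in report["candidates"]:
        flag = "MEMBER" if (header, addr) in report["matched"] else "-"
        print(f"{header:12} {addr:28} {flag}")
```

To run it over the archive file, iterate the messages with the standard library's mailbox.mbox(path) and pass each one to candidate_senders() and membership_matches().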

