[Mailman-Users] Detecting mail with multiple From: lines

Mark Sapiro mark at msapiro.net
Sat May 21 06:55:30 CEST 2011


Jay A. Sekora wrote:

>Hi.  I had been noting with trepidation the recent rise in spam mail
>with multiple spoofed From: lines, e.g.,
>
>From: me at example.net
>From: you at example.net
>From: list at example.net
>To: list at example.net
>
>since that drastically increases the chances of any given spam message
>having a spoofed From: line that matches a list member.  Recently, one
>of our lists (running Mailman 2.1.11 from Debian packages) actually got
>hit with a bunch of spam like that.
>
>That particular list actually had (the equivalent of)
>"list at example.net", among other addresses, in discard_these_nonmembers,
>but that didn't actually have any effect.  (None of the spoofed from
>addresses were in accept_these_nonmembers .)  So I am guessing that when
>it gets mail with multiple From: addresses (or maybe just with multiple
>From: headers on separate lines), Mailman is doing some sort of header
>canonicalization that breaks discard_these_nonmembers.  (I will note
>that the list address was listed as a string, not a regex.)
>
>So my question is twofold:
>
>(1) Is there a way, within Mailman 2.1.11 itself, I can test whether a
>message has multiple *senders*, and hold for moderation or discard based
>on that?  (I'd be happy either catching anything with multiple From:
>lines, or if all the possible places Mailman looks for a sender are
>conflated, anything with more than two or three different senders.)
>And,


First let me give some background detail. Mailman implements two
different email message methods for determining the sender of an
email. These methods are called get_sender() and get_senders(). By
default, get_senders() returns a list of all the addresses found in
any From: headers, the 'unix from' or envelope sender, and any
Reply-To: or Sender: headers in that order. This can be changed by the
mm_cfg.py setting SENDER_HEADERS.

The get_sender() method returns the first address found in a From: or
Sender: header or the 'unix from' in that order (by default, although
the mm_cfg.py setting USE_ENVELOPE_SENDER if true changes the order to
Sender:, From:, 'unix from').

Tests for list membership, i.e. is this post from a member; is this
member moderated, test all addresses returned by get_senders() and use
the first address that matches a member, if any.

Tests for *_these_nonmembers use the address returned by get_sender()
which by default at least is the first address from the first From:
header.

This is part of why *_these_nonmembers doesn't hit, but if one of the
From: headers is a member, the post will be considered a member post
and *_these_nonmembers will not be consulted at all.

To answer your question, put a regexp like

(?s)\nFrom:.*\nFrom:

in Privacy options... -> Spam filters -> header_filter_rules. These
regexps are searched in IGNORECASE and MULTILINE mode. The (?s) will
set DOTALL (dot matches all) mode as well. Your regexp will be
searched for in a string consisting of all the message headers and
will catch multiple From: headers. Give that rule an appropriate
action and you're set.


>(2) Is there a way I can make discard_these_nonmembers and/or
>hold_these_nonmembers work with from addresses in these sorts of
>messages?  (Maybe Mailman concatenates all the sender addresses and I
>therefore need to use a regular expression, for instance?)


As I discuss above, no.


>Thanks in advance!
>
>Jay
>
>PS -- In case it's relevant, all our list mail is forwarded via aliases
>from the published address to an address handled by the Mailman server,
>so doing stuff at SMTP time is more complicated than it would otherwise
>be.  I wouldn't mind advice for dealing with this stuff in Exim as well,
>if anybody happens to have some handy, but we *do* have (a small amount
>of) legitimate mail that has multiple From: headers.  I know how to
>score this stuff higher in SpamAssassin, but given various peculiarities
>I'd really like to know how to do it in Mailman as well.


Short of a custom handler, I think header_filter_rules is the way to go.

-- 
Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
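
Added example (not part of the original post, and not Mailman's own code): the regexp above run over constructed messages with the flags the post names, next to a parser-based view of the From: addresses showing why a *_these_nonmembers entry for the list address is never compared. Assumptions: header_blob() is a stand-in for the string of all headers that Mailman searches, first_from() models get_sender() only as described in the post, and all addresses are placeholders.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Rule from the post, compiled with the flags the post says Mailman applies.
RULE = re.compile(r"(?s)\nFrom:.*\nFrom:", re.IGNORECASE | re.MULTILINE)

# Constructed sample messages (placeholder addresses).
SPOOFED = ("Received: from mx.example.net\nFrom: me@example.net\n"
           "From: you@example.net\nFrom: list@example.net\n"
           "To: list@example.net\nSubject: hi\n\nbody\n")
# From: headers separated by other headers; DOTALL lets .* span them.
SPLIT = ("Received: from mx.example.net\nFrom: me@example.net\n"
         "To: list@example.net\nSubject: hi\nFrom: list@example.net\n\nbody\n")
# One From: header; the From: lines after the blank line are body text.
NORMAL = ("Received: from mx.example.net\nFrom: member@example.net\n"
          "To: list@example.net\nSubject: hi\n\nFrom: a\nFrom: b\n")

def header_blob(raw):
    """Assumed stand-in for the searched string: one 'Name: value' per line."""
    msg = message_from_string(raw)
    return "".join("%s: %s\n" % (name, value) for name, value in msg.items())

def rule_hits(raw):
    """True if the regexp matches the message's headers (body is not searched)."""
    return RULE.search(header_blob(raw)) is not None

def from_addresses(raw):
    """Every address from every From: header, in header order."""
    msg = message_from_string(raw)
    return [addr for _name, addr in getaddresses(msg.get_all("From", []))]

def first_from(raw):
    """Model of get_sender() as the post describes it: first From: address."""
    addrs = from_addresses(raw)
    return addrs[0] if addrs else None

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("split", SPLIT), ("normal", NORMAL)):
        print(label, rule_hits(raw), first_from(raw), from_addresses(raw))
```
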