[Mailman-Users] Detecting mail with multiple From: lines

Jay A. Sekora jsekora at csail.mit.edu
Mon May 23 16:57:49 CEST 2011


On Sun, 2011-05-22 at 23:44 -0400, Richard Stallman wrote:
> Do you mean to say that the people at CSAIL ought to switch to using
> SpamAssassin instead of filtering in Mailman?

We *are* using SpamAssassin *as well as* filtering in Mailman.

> Jay, do you see a reason not to do it that way?

There are complicated site-specific reasons why SpamAssassin isn't a
complete solution for our Mailman mailing lists in our current mail
infrastructure; I'd rather not get bogged down in that discussion in
this venue.  SpamAssassin is definitely a big part of our repertoire,
though.

The immediate problem for me was that (as Mark explained in his mail
dated Friday night his time), the sender filters use get_sender(), which
is unhelpful with messages with multiple From: lines, since the return
value will be random (or worse, chosen to benefit the spammer).

One thing I do to help block spoofed spam to mailing lists is to
block mail that claims to be from the list address itself, which catches
the common case of spammers spoofing the from address to be the same as
the to address.  Because of that, I was surprised to see these messages
get through to the list, since they *did* include the list address
itself (as well as a bunch of other addresses in our domain) in the
From: lines.  The explanation that the sender filters are applied only
against one particular address explains what was going on (and confirms
my suspicion).

However, that means that as more spammers use this technique, either
sites are going to have to start blocking mail with multiple From:
addresses at SMTP time -- and I discovered to my surprise that we *do*
have legitimate senders using that feature -- or Mailman's sender
filters are going to become somewhat less useful.

--Jay
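
An added example, not part of the original message and not Mailman's own code: one way to apply a sender check to every address in every From: header field rather than to one chosen address, using Python's standard email package. The function names, the sample message, the addresses and the banned set are all hypothetical.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed sample message: two From: header fields, one naming the list.
SAMPLE = (
    "From: Someone <someone@example.org>\n"
    "From: list@lists.example.edu, staff@example.edu\n"
    "To: list@lists.example.edu\n"
    "Subject: constructed test message\n"
    "\n"
    "body\n"
)

def from_addresses(msg):
    """Return (count of From: header fields, every address found in them)."""
    fields = msg.get_all("From", [])
    addrs = [addr.lower() for _name, addr in getaddresses(fields) if addr]
    return len(fields), addrs

def filter_reasons(raw, list_address, banned=frozenset()):
    """Return the reasons to hold a message; an empty list means none found."""
    msg = message_from_string(raw)
    n_fields, addrs = from_addresses(msg)
    reasons = []
    if n_fields > 1:
        # RFC 5322 allows at most one From: field (it may list several mailboxes).
        reasons.append("multiple From: header fields")
    if list_address.lower() in addrs:
        reasons.append("From: claims the list's own address")
    hits = sorted(set(addrs) & {b.lower() for b in banned})
    if hits:
        reasons.append("banned sender: " + ", ".join(hits))
    return reasons

if __name__ == "__main__":
    for reason in filter_reasons(SAMPLE, "list@lists.example.edu"):
        print(reason)
```

A single From: field that lists several mailboxes, the legitimate case mentioned above, produces no reasons unless one of its addresses is the list address or is in the banned set.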



