[Mailman-Users] Sender's address only in Reply-to field

Mark Sapiro mark at msapiro.net
Wed Jun 13 00:02:44 CEST 2012


Jeremy Fairbrass wrote:
>
>I'm administering a Mailman list using version 2.1.14. It's a private list, whereby only list members can post to it ("generic_nonmember_action" is set to discard).
>
>I've just had an email sent through the list which was sent from a web service (Evite.com to be precise) by one of the list members. The email itself had an evite.com address in the From header, and had the list member's own address in the Reply-To header. The email was accepted by Mailman and delivered to all list members.
>
>This surprised me, as I assumed that a list member's address would have to be in the From field for it to be accepted, whereas in this case their address was exclusively in the Reply-To field. Is that how it's supposed to be? Surely Mailman should only consider the From field when checking the identity of the sender of the email?


A post is considered to be from a member if a member's address appears
in any of the headers (or envelope sender) appearing in the
SENDER_HEADERS setting. The Defaults.py setting for this is

SENDER_HEADERS = ('from', None, 'reply-to', 'sender')

meaning a post will be considered to be from the first member address
found in From:, the envelope sender, Reply-To: or Sender: if any of
those contains a member's address.


>Is there any setting in Mailman that will make it only consider the From field and not the Reply-To field when accepting an email?


If you want only the From: header to be considered, you can put

SENDER_HEADERS = ('from',)

in mm_cfg.py (the parens and comma are important).


>Secondly, what's the best or appropriate way for me to then block emails from a third-party sender (such as Evite) which is using this Reply-To "trick", if I don't want those emails to be delivered to my list?


It's not a trick. If they were trying to trick you, they would put the
inviter's address in From:. They legitimately want to direct replies
to the e-vite back to the inviter.


>I tried putting the full evite.com email address into the "discard_these_nonmembers" field on the [Sender filters] page, but that didn't work. When I tested it afterwards, the email from Evite.com still was accepted by Mailman and not discarded.


Because non-member tests are applied only after the post is determined
to not be from a member.


>I suppose I could add the Evite address as an actual member, and then mark that member for moderation, but I'd rather not have to do that. I feel like I ought to be able to just add the Evite address to the discard list and have it automatically discarded there, or some similar solution. The Membership List page should really only be used for actual list members.



If you control the Mailman installation, you can set SENDER_HEADERS in
mm_cfg.py as above. If not, you can use Privacy options... -> Spam
filters -> header_filter_rules to discard messages with a header
regexp like for example:

^from:.*[@.]evite\.com([>\s]|$)

I tend to use a rule myself like

^Sender:.*linkedin.com>?$
^Return-Path:.*linkedin.com>?$
^Sender:.*homerunmail.com>?$
^Return-Path:.*homerunmail.com>?$
^Reply-To:.*homerunmail.com>?$
^Sender:.*facebookmail.com>?$
^Return-Path:.*facebookmail.com>?$

to get unwanted mail that is actually From: a member.

I don't include evite.com because ultimately, that mail is generated by
a list member and I would try to educate, moderate, remove the member
first rather than try to keep track of all the possible sources of
such mail.

-- 
Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
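
A simplified model of the two checks discussed in this thread, as an added example (not Mailman's own code and not part of the original message): it scans the SENDER_HEADERS sources in order for a member address, then applies the evite.com header rule. The function names, the sample addresses and message, and the matching mode (case-insensitive, one header line at a time) are assumptions.

```python
import re
from email import message_from_string
from email.utils import getaddresses

DEFAULT_SENDER_HEADERS = ('from', None, 'reply-to', 'sender')  # default quoted in the thread
FROM_ONLY = ('from',)                                          # override quoted in the thread
EVITE_RULE = r'^from:.*[@.]evite\.com([>\s]|$)'                # rule quoted in the thread

# Constructed sample: web service in From:, list member in Reply-To:
RAW = """\
From: Evite <info@evite.com>
Reply-To: Alice <alice@example.org>
To: list@example.net
Subject: You're invited

body
"""
SAMPLE = message_from_string(RAW)
ENVELOPE = 'bounce@evite.com'      # constructed envelope sender
MEMBERS = {'alice@example.org'}    # constructed membership roster


def first_member_sender(msg, envelope_sender, members, sender_headers):
    """Return the first member address found, scanning sources in order."""
    for header in sender_headers:
        if header is None:  # None stands for the envelope sender
            candidates = [envelope_sender] if envelope_sender else []
        else:
            candidates = [a for _, a in getaddresses(msg.get_all(header, []))]
        for addr in candidates:
            if addr.lower() in members:
                return addr.lower()
    return None  # falls through to the non-member tests


def matches_header_rule(msg, pattern):
    """Hypothetical helper: test the regexp against each 'Name: value' line."""
    cre = re.compile(pattern, re.IGNORECASE)
    return any(cre.search('%s: %s' % (k, v)) for k, v in msg.items())


if __name__ == '__main__':
    for setting in (DEFAULT_SENDER_HEADERS, FROM_ONLY):
        print(setting, '->', first_member_sender(SAMPLE, ENVELOPE, MEMBERS, setting))
    print('header rule hit:', matches_header_rule(SAMPLE, EVITE_RULE))
```

With the default tuple the Reply-To: address makes the post count as a member post, so discard_these_nonmembers is never consulted; with `('from',)` no member is found and the non-member rules apply.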


