[Mailman-Users] Spam through my mailman?

Mark Sapiro mark at msapiro.net
Fri Mar 25 14:26:39 EDT 2016


On 03/25/2016 09:17 AM, Michael Shulman wrote:

> 
> The SPF and DKIM passes make it seem like this spam is actually being
> sent from my server, not just from somewhere else with a spoofed
> sender.  Is there some way that my mailman may be misconfigured that
> could be allowing the spammer to spam through it in this way?  Or has
> my server been hacked?


Neither.

The mail was sent to "mylist-owner <mylist-owner at my.server.com>". It was
delivered to Mailman for mylist-owner. Mailman then resent it to the
owner address <listmaster at my.server.com> and the outgoing MTA DKIM
signed it.

This has nothing to do with the fact that the original mail spoofed
<mylist-owner at my.server.com> as the From: or the envelope sender of the
original, except that depending on your DKIM signing rules you may have
not DKIM signed it if it was From: a different domain.

It passes SPF because it came to Google from your server and it passes
DKIM because you signed it on the way out. It would have been exactly
the same if it had been sent to an alias that forwards directly to your
Google address. I.e. had it been sent to <listmaster at my.server.com>
instead of <mylist-owner at my.server.com>, it would have been forwarded
and signed in exactly the same way without having gone through Mailman
at all.

-- 
Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
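
The mail flow described in the reply above can be checked from the headers of the delivered copy. The following Python sketch is an added example, not part of the original message and not Mailman code: it reads the Authentication-Results verdicts and walks the Received chain to find the hop where the message entered the server from outside. The `trace` function, the sample message, and every host name, IP address, id and envelope address in it other than my.server.com are constructed for illustration.

```python
import email
import re
from email import policy

# Constructed sample: a spam message as it arrives at the final mailbox after
# my.server.com resent it. All hosts, IPs, ids and addresses are made up.
SAMPLE = """\
Authentication-Results: mx.example.net;
 dkim=pass header.i=@my.server.com;
 spf=pass smtp.mailfrom=mylist-bounces@my.server.com
Received: from my.server.com (my.server.com [192.0.2.10])
 by mx.example.net with ESMTPS id aaa111; Fri, 25 Mar 2016 09:00:05 -0700
Received: from localhost (localhost [127.0.0.1])
 by my.server.com with ESMTP id bbb222; Fri, 25 Mar 2016 09:00:04 -0700
Received: from unknown.invalid (unknown [203.0.113.77])
 by my.server.com with ESMTP id ccc333
 for <mylist-owner@my.server.com>; Fri, 25 Mar 2016 09:00:03 -0700
From: mylist-owner@my.server.com
To: mylist-owner <mylist-owner@my.server.com>
Subject: constructed spam sample

buy now
"""

HOP = re.compile(r"from\s+(\S+)\s+\(.*?\[([0-9a-fA-F.:]+)\]\).*?by\s+(\S+)", re.S)

def trace(raw, my_hosts):
    """Return auth verdicts and the hop where the mail entered my_hosts."""
    msg = email.message_from_string(raw, policy=policy.default)
    auth = dict(re.findall(r"\b(spf|dkim)=(\w+)",
                           " ".join(msg.get_all("Authentication-Results", []))))
    entry = None
    # Received headers are newest first. Walk down from the top and stop at the
    # first hop where one of our hosts accepted mail from an outside host;
    # anything below that line was supplied by the sender and is untrusted.
    for value in msg.get_all("Received", []):
        m = HOP.search(str(value))
        if not m:
            continue
        src, ip, by = m.groups()
        if by in my_hosts and src not in my_hosts and src != "localhost":
            entry = {"from": src, "ip": ip, "by": by}
            break
    verdict = "relayed: entered from outside" if entry else "no external entry hop"
    return {"auth": auth, "entry": entry, "verdict": verdict}

if __name__ == "__main__":
    print(trace(SAMPLE, {"my.server.com"}))
```

For the sample, SPF and DKIM both pass while the entry hop shows an outside address handing the message to my.server.com, which is the forwarding case the reply describes. The IP on that hop is the one to look up in the server's own MTA log.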

