[Mailman-Users] non-subscribers getting through--email address in "Real Name"

Robert Heller heller at deepsoft.com
Wed Jul 18 22:10:21 EDT 2018


At Wed, 18 Jul 2018 21:28:47 -0400 Matt Morgan <minxmertzmomo at gmail.com> wrote:

> 
> On one of my lists I'm seeing some spam from non-subscribers getting
> through. It appears that the trick is to put a subscriber's address in the
> "real name" of the sender. E.g., this got through, without being held for
> moderation, on a list with generic_nonmember_action = discard (emails of
> the innocent obfuscated):
> 
> *From:* "xxx at johnxxx.com <jgl at johngreenwaltlee.com>" <enrollment at ekonek.com>
> *Date:* July 18, 2018 at 5:27:24 PM CDT
> *To:* <listname at server.org <osg-l at cool.conservation-us.org>>
> *Subject:* *[OSG-l] No. PL-01-17923 AIC Objects Specialty Group Discussion*
> *Reply-To:* My List's Name <listname at server.org
> <osg-l at cool.conservation-us.org>>
> 
> 
> Account Summary:
> ---------------------------
> Invoice No: No. PL-01-17923
> Billing Date: Jul 19, 2018
> Due Date: Jul 22, 2018
> Amount Due: 1,047.48
> Download DOC:


Mailman only checks the From: header and it is trivial to put any random thing 
there, even if it is false information.

OTH, the contents of the Received: headers contain real server names and IP 
addresses.

Very often, the mail is sent directly to an SMTP server from a random PC or 
laptop, often from an IP address without a reverse DNS.  I have a filter rule:

Received: from.*(unknown \[\d+\.\d+\.\d+\.\d+\])

which catches these sorts of messages.  I place them on hold, since *some* 
people use E-Mail clients that directly connect to SMTP servers from ISP IP 
addresses without reverse DNS.

> 
> etc. (I'm avoiding sharing the links that follow). xxx at johnxxx.com IS a
> subscriber on the list. However enrollment at ekonek.com is not. Yet this
> message went straight through, as if it had been sent by a subscriber.
> 
> I've looked at the archives of mailman-users and it looks like--from a very
> old discussion--that
> 
> a) this cheap trick should not be sufficient to allow the message through
> b) the content of the message as delivered to the list may not reflect the
> exact contents/metadata of the message as it was sent.
> 
> Still, I don't really know what else could be going on here, or how to
> investigate. Suggestions?
> 
> Thanks!
> Matt
> ------------------------------------------------------
> Mailman-Users mailing list Mailman-Users at python.org
> https://mail.python.org/mailman/listinfo/mailman-users
> Mailman FAQ: http://wiki.list.org/x/AgA3
> Security Policy: http://wiki.list.org/x/QIA9
> Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
> Unsubscribe: https://mail.python.org/mailman/options/mailman-users/heller%40deepsoft.com

-- 
Robert Heller             -- 978-544-6933
Deepwoods Software        -- Custom Software Services
http://www.deepsoft.com/  -- Linux Administration Services
heller at deepsoft.com       -- Webhosting Services
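The two points made in this thread, that the display name in From: is not the sender and that a Received: line with "unknown [a.b.c.d]" marks a host without reverse DNS, as an added Python illustration (not code from Mailman or from anyone on the list): the sample messages, the addresses and the three triage labels are constructed for the example, and the regex is the one Robert posted.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Robert's rule as posted: sending host shown as "unknown" followed by a bare
# IPv4 literal, i.e. the receiving MTA found no reverse DNS for it.
NO_RDNS_RE = re.compile(r"Received: from.*(unknown \[\d+\.\d+\.\d+\.\d+\])")

# Constructed sample: a subscriber's address sits in the quoted display name,
# but the actual From address is a non-member (placeholder addresses).
SPAM_SAMPLE = """\
Received: from mail.example.net (unknown [203.0.113.45]) by lists.example.org (Postfix) with ESMTP id ABC123
From: "member@example.org" <enrollment@example.com>
To: <listname@example.org>
Subject: [OSG-l] Account Summary

Invoice No: PLACEHOLDER-0001
"""

# Constructed sample of a normal member post relayed by a host with reverse DNS.
LEGIT_SAMPLE = """\
Received: from mx.example.org (mx.example.org [198.51.100.7]) by lists.example.org (Postfix) with ESMTP id DEF456
From: Jane Member <member@example.org>
To: <listname@example.org>
Subject: Question about the next meeting

Hello list,
"""


def sender_address(raw):
    """Return (display_name, address) from From:. parseaddr() treats the quoted
    display name as opaque text, so an address written there is never the sender."""
    return parseaddr(message_from_string(raw).get("From", ""))


def is_member(raw, members):
    return sender_address(raw)[1].lower() in members


def no_reverse_dns(raw):
    """True if any Received: header matches the posted no-rDNS pattern."""
    received = message_from_string(raw).get_all("Received", [])
    return any(NO_RDNS_RE.search("Received: " + h) for h in received)


def triage(raw, members):
    """Constructed decision order: non-member -> discard, no rDNS -> hold."""
    if not is_member(raw, members):
        return "discard"
    if no_reverse_dns(raw):
        return "hold"
    return "accept"
```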