Caleb,

I just posted a bug ticket for this problem. You are the 3rd or 4th person, including me, to have reported this to mailman-users recently. The bug ticket is here:

http://sourceforge.net/tracker/?group_id=103&atid=100103

Please add your comments to the item so the developers take this seriously. If you don't have a SourceForge account, you can create one here:

http://sourceforge.net/account/register.php

Thanks.

--Ted

On Thu, 11 Mar 2004, Caleb Epstein wrote:

> On Thu, Mar 11, 2004 at 11:59:50AM -0500, Caleb Epstein wrote:
>
> > Here is a sample message:
> > http://bklyn.org/~cae/mailman-stumper.txt
>
> OK, I've found out a little bit more about the exploit. The
> message is sent with an envelope-from (I think that's the right
> term) of an actual list subscriber, one who has permission to
> post to the list, but the From: header is one of these made-up
> official addresses:
>
> From my mail server's logs (subscriber's address mangled):
>
> 2004-03-11 16:31:44 1B1T5z-0009zY-00 <= [EMAIL PROTECTED] H=(srr2) [192.168.100.17]
> P=smtp S=17730 [EMAIL PROTECTED] from <[EMAIL PROTECTED]> for [EMAIL PROTECTED]
>
> From mailman's "post" log:
>
> Mar 11 16:32:20 2004 (98296) post to announce from [EMAIL PROTECTED], size=2189,
> message-id=<[EMAIL PROTECTED]>, success
>
> Any suggestions on how to catch this forgery?

------------------------------------------------------
Mailman-Users mailing list
[EMAIL PROTECTED]
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
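
The mismatch described in the quoted message (envelope sender is a subscriber, From: header is not) can be checked before a post is accepted. The following is an added example, not part of the original thread and not Mailman's own code; the function name, the member set and all addresses are constructed for illustration, and the envelope sender is assumed to be available in Return-Path or passed in by the MTA.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed sample data (not taken from the thread).
MEMBERS = {"alice@example.org"}

FORGED = """\
Return-Path: <alice@example.org>
From: "Security Team" <security@lists.example.org>
To: announce@lists.example.org
Subject: Important notice
Message-ID: <constructed-1@example.org>

body
"""

def check_sender_alignment(raw, members, envelope_from=None):
    """Decide posting rights on the From: header, not on the envelope.

    Hypothetical helper: returns a dict with a 'hold' verdict and reasons.
    """
    msg = message_from_string(raw)
    if envelope_from is None:
        # Assumption: the MTA recorded the envelope sender in Return-Path.
        envelope_from = parseaddr(msg.get("Return-Path", ""))[1]
    env = envelope_from.lower()
    from_addrs = [a.lower() for _, a in getaddresses(msg.get_all("From", [])) if a]

    reasons = []
    if not from_addrs:
        reasons.append("no From: address")
    elif len(from_addrs) > 1:
        reasons.append("multiple From: addresses")
    non_members = [a for a in from_addrs if a not in members]
    if non_members:
        reasons.append("From: not a list member: " + ", ".join(non_members))
        if env in members:
            # The pattern from the thread: a real subscriber on the
            # envelope, a made-up address in the visible header.
            reasons.append("envelope sender is a member but From: is not")
    return {"hold": bool(reasons), "envelope": env,
            "from": from_addrs, "reasons": reasons}

if __name__ == "__main__":
    print(check_sender_alignment(FORGED, MEMBERS))
```

A member whose From: is on the list is still accepted when the envelope sender differs, so forwarding and bounce-tagged envelopes do not cause false holds.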