Jay A. Sekora wrote:

>Hi. I had been noting with trepidation the recent rise in spam mail
>with multiple spoofed From: lines, e.g.,
>
>From: m...@example.net
>From: y...@example.net
>From: l...@example.net
>To: l...@example.net
>
>since that drastically increases the chances of any given spam message
>having a spoofed From: line that matches a list member. Recently, one
>of our lists (running Mailman 2.1.11 from Debian packages) actually got
>hit with a bunch of spam like that.
>
>That particular list actually had (the equivalent of)
>"l...@example.net", among other addresses, in discard_these_nonmembers,
>but that didn't actually have any effect. (None of the spoofed from
>addresses were in accept_these_nonmembers.) So I am guessing that when
>it gets mail with multiple From: addresses (or maybe just with multiple
>From: headers on separate lines), Mailman is doing some sort of header
>canonicalization that breaks discard_these_nonmembers. (I will note
>that the list address was listed as a string, not a regex.)
>
>So my question is twofold:
>
>(1) Is there a way, within Mailman 2.1.11 itself, I can test whether a
>message has multiple *senders*, and hold for moderation or discard based
>on that? (I'd be happy either catching anything with multiple From:
>lines, or if all the possible places Mailman looks for a sender are
>conflated, anything with more than two or three different senders.)
>And,

First let me give some background detail.

Mailman implements two different email message methods for determining the sender of an email. These methods are called get_sender() and get_senders().

By default, get_senders() returns a list of all the addresses found in any From: headers, the 'unix from' or envelope sender, and any Reply-To: or Sender: headers in that order. This can be changed by the mm_cfg.py setting SENDER_HEADERS.

The get_sender() method returns the first address found in a From: or Sender: header or the 'unix from' in that order (by default, although the mm_cfg.py setting USE_ENVELOPE_SENDER if true changes the order to Sender:, From:, 'unix from').

Tests for list membership, i.e. is this post from a member; is this member moderated, test all addresses returned by get_senders() and use the first address that matches a member, if any.

Tests for *_these_nonmembers use the address returned by get_sender() which by default at least is the first address from the first From: header. This is part of why *_these_nonmembers doesn't hit, but if one of the From: headers is a member, the post will be considered a member post and *_these_nonmembers will not be consulted at all.

To answer your question, put a regexp like

    (?s)\nFrom:.*\nFrom:

in Privacy options... -> Spam filters -> header_filter_rules. These regexps are searched in IGNORECASE and MULTILINE mode. The (?s) will set DOTALL (dot matches all) mode as well. Your regexp will be searched for in a string consisting of all the message headers and will catch multiple From: headers. Give that rule an appropriate action and you're set.

>(2) Is there a way I can make discard_these_nonmembers and/or
>hold_these_nonmembers work with from addresses in these sorts of
>messages? (Maybe Mailman concatenates all the sender addresses and I
>therefore need to use a regular expression, for instance?)

As I discuss above, no.

>Thanks in advance!
>
>Jay
>
>PS -- In case it's relevant, all our list mail is forwarded via aliases
>from the published address to an address handled by the Mailman server,
>so doing stuff at SMTP time is more complicated than it would otherwise
>be. I wouldn't mind advice for dealing with this stuff in Exim as well,
>if anybody happens to have some handy, but we *do* have (a small amount
>of) legitimate mail that has multiple From: headers. I know how to
>score this stuff higher in SpamAssassin, but given various peculiarities
>I'd really like to know how to do it in Mailman as well.

Short of a custom handler, I think header_filter_rules is the way to go.

-- 
Mark Sapiro <m...@msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
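
The header_filter_rules pattern from the reply above, run over constructed headers with the same regex flags; this is an added example, not code from the thread or from Mailman. It assumes the searched string is simply the headers joined by newlines (the thread does not show how Mailman builds it), and `header_block`, `rule_matches`, `from_header_count` and `ANCHORED_VARIANT` are hypothetical names.

```python
import re
from email import message_from_string

# Rule text from the reply; per the reply, Mailman searches it with
# IGNORECASE and MULTILINE, and (?s) adds DOTALL.
RULE = r"(?s)\nFrom:.*\nFrom:"
# Labelled variant (not from the thread): anchor on line starts instead of "\n".
ANCHORED_VARIANT = r"(?s)^From:.*^From:"
FLAGS = re.IGNORECASE | re.MULTILINE


def header_block(raw):
    """Headers only, joined by newlines (assumed layout of the searched string)."""
    msg = message_from_string(raw)
    return "\n".join(f"{name}: {value}" for name, value in msg.items())


def rule_matches(raw, rule=RULE):
    """True if the rule would hit on this message's header block."""
    return re.search(rule, header_block(raw), FLAGS) is not None


def from_header_count(raw):
    """Independent count of From: headers, to cross-check the regex."""
    return len(message_from_string(raw).get_all("From", []))


# Constructed sample messages; all addresses are placeholders.
SPOOFED = (
    "Received: from mx.example.net by lists.example.net\n"
    "From: member@example.net\n"
    "From: other@example.net\n"
    "To: list@example.net\n"
    "Subject: constructed sample\n\nbody\n"
)
NORMAL = (
    "Received: from mx.example.net by lists.example.net\n"
    "From: member@example.net\n"
    "Reply-To: member@example.net\n"
    "X-From: gateway@example.net\n"
    "To: list@example.net\n\nFrom: body text, not a header\nFrom: nor this\n"
)
# Edge case: the first From: opens the block, so no "\n" precedes it.
FROM_FIRST = "From: a@example.net\nFrom: b@example.net\nTo: list@example.net\n\nbody\n"

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("normal", NORMAL), ("from-first", FROM_FIRST)):
        print(name, from_header_count(raw), rule_matches(raw),
              rule_matches(raw, ANCHORED_VARIANT))
```

Under the assumed layout, the rule as posted needs a newline before the first From:, so two From: headers at the very top of the block are only caught by the anchored variant.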