On 07/19/2018 06:16 AM, Robert Heller wrote:
I mean it does not check things like the Received: headers *by default*. If the email part of the From: header is a list member address, Mailman will consider that the mail is from that member and pass the message on to the list, *even if the From: header is spoofed*. I expect that this is what is happening with the OP. It is a common spammer hack: somehow get a list of member addresses (or really hack a member's E-Mail account or PC and go from there).

Yes, Mailman can be configured to check other headers, but this requires some configuration settings.

I have often wondered about enhancing Mailman, or augmenting it with a milter, to be able to test the SMTP envelope from, to, and body content against list parameters and be able to reject messages during the SMTP delivery transaction.

IMHO it's a bit more difficult to spoof SMTP envelope details and bypass SMTP level detections. This does assume that the sending domain does publish the required info and that receiving mail servers actually filter based on that.



--
Grant. . . .
unix || die

------------------------------------------------------
Mailman-Users mailing list Mailman-Users@python.org
https://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
https://mail.python.org/mailman/options/mailman-users/archive%40jab.org
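
An added example, not part of the original message and not Mailman or milter code: a sketch of the SMTP-time decision discussed above, where a member address in From: is accepted only if the envelope sender backs it up. The list data, the `smtp_verdict` function, the strict domain-match policy, and the SPF verdict being supplied by the MTA are all assumptions.

```python
from email.utils import parseaddr

# Constructed list parameters; a hypothetical structure, not Mailman's data model.
LISTS = {
    "staff@lists.example.org": {"members": {"alice@example.com", "bob@example.net"}},
}

def _addr(value):
    """Bare lower-cased address from '<a@b>' or 'Name <a@b>'."""
    return parseaddr(value)[1].lower()

def _domain(addr):
    return addr.rpartition("@")[2]

def smtp_verdict(mail_from, rcpt_to, header_from, spf_result):
    """Decide the reply to give at end of DATA for one list recipient.

    spf_result is the MTA's SPF verdict for the MAIL FROM domain
    ("pass", "fail", "softfail", "none", ...); computing it is out of scope here.
    """
    lst = LISTS.get(_addr(rcpt_to))
    if lst is None:
        return 550, "5.1.1 no such list"
    author, sender = _addr(header_from), _addr(mail_from)
    if author not in lst["members"]:
        return 550, "5.7.1 posting restricted to list members"
    # From: names a member. Header text alone proves nothing, so require the
    # envelope to back it up before the message is accepted.
    if spf_result != "pass":
        return 550, f"5.7.1 envelope sender not authenticated (SPF {spf_result})"
    # Assumed policy: strict domain match. Members who send through a relay
    # with a different envelope domain would need an explicit exception.
    if _domain(sender) != _domain(author):
        return 550, "5.7.1 envelope domain does not match From: domain"
    return 250, "2.0.0 accepted for list"

if __name__ == "__main__":
    # Constructed cases: genuine member, spoofed From:, member domain failing SPF.
    cases = [
        ("<alice@example.com>", "Alice <alice@example.com>", "pass"),
        ("<bulk@sender.example>", "Alice <alice@example.com>", "pass"),
        ("<alice@example.com>", "Alice <alice@example.com>", "fail"),
    ]
    for mail_from, header_from, spf in cases:
        print(smtp_verdict(mail_from, "<staff@lists.example.org>", header_from, spf))
```

The second case is the spoof described in the thread: the bulk sender's own domain passes SPF, but the envelope domain does not match the member address in From:, so the message is refused before it reaches the list.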
