Until a few hours ago I was running mailman 2.1.29 on Debian Stretch, as
packaged by Debian, e.g. mailman_1:2.1.29-1_amd64.deb, so I was missing
the latest update published by Debian on April 24 as
mailman_1:2.1.29-1+deb10u1_amd64.deb. That means my mailman was
vulnerable to this specific issue:
https://security-tracker.debian.org/tracker/CVE-2020-12137
which is an XSS issue, and, as such, it can hardly be the cause of my
problem. However, I've now updated it nevertheless.

A few hours ago I received an FBL complaint notification about a monthly
subscription reminder marked as spam and actually coming from my server.
The subscription reminder was attached to the FBL complaint, so I could
see the mailman list subscribed email inside it, which is
[email protected]: it's clearly a fake email
address or a real email address that's been created just for sending spam.
The real user that raised the complaint is not shown for obvious privacy
reasons, though I could discover it from the message id, but who cares,
he's right after all. By double-checking the message id I could
confirm the whole reminder is authentic and it actually went out of my
mailserver. It is attached here, except I've masked my real domain name
and my real server IP address.

My mailman subscription logs (/var/log/mailman/subscribe*) go back one
year and that fake email address does not appear in any of them, nor is
it listed in the current subscribers list. It obviously does NOT match
the email address of the user that received the spammed reminder and
that raised the complaint.

How did it happen? Is there a security flaw in my mailman setup? Where
should I start looking?

Source: Italia Online (Libero and Virgilio)
Abuse-Type: complaint
Subscription-Link: https://fbl.returnpath.net/manage/subscriptions/394805
User-Agent: ReturnPathFBL/2.0
Original-Rcpt-To: [email protected]
Arrival-Date: Mon, 01 Jun 2020 03:00:04 +0000
Original-Mail-From: [email protected]
Reported-Domain: my.real.hostname.it
Source-Ip: my.real.mailman.server.ip.address
Feedback-Type: abuse
Version: 1
--2b38e7ed6655b3398b3fa78c503692fce35b2e77326c2691bbcfb3bc2516
Content-Type: message/rfc822
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Content-ID: <[email protected]>
Delivered-To: *****
Received: from mobimap.libero.it
by <local> with IMAP4 (i;15392:1)
Mon, 01 Jun 2020 03:00:27 +0000
Return-Path: <[email protected]>
Delivered-To: [email protected]
Received: from dcd-18 ([10.103.10.26])
by dcbackend-44.iol.local with LMTP id aBB+HUtv1F5HTwMAm9QHFw
for <[email protected]>; Mon, 01 Jun 2020
05:00:27 +0200
Received: from dcp-12.iol.local ([10.103.10.26])
by dcd-18 with LMTP id 8KFpHUtv1F72MQAAWU+Phw
; Mon, 01 Jun 2020 05:00:27 +0200
Received: from libero.it ([10.103.10.26])
by dcp-12.iol.local with LMTP id oBQ9Dktv1F6y6wAAFc0f+g
; Mon, 01 Jun 2020 05:00:27 +0200
Received: from my.real.hostname.it ([my.real.mailman.server.ip.address])
by smtp-26.iol.local with ESMTP
id fagcjaRdEBNRlfagcj6sQm; Mon, 01 Jun 2020 05:00:27 +0200
X-IOL-DMARC: fail_monitor con il dominio my.real.domain.where.i.host.mailman
X-IOL-DKIM: Messaggio non firmato
X-IOL-SPF: pass con l'IP my.real.mailman.server.ip.address;my.real.hostname.it
X-IOL-SEC: _SPFOK_NODKIM_DMARCFAIL_ENVFROMHEADDIFF
X-IOL-Original-Envfrom: [email protected]
x-libjamoibt: 2601
Received-SPF: pass
X-CNFS-Analysis: v=2.3 cv=X7os11be c=1 sm=1 tr=0
a=FkFSD/Dudah5UTUvEddLDw==:117 a=FkFSD/Dudah5UTUvEddLDw==:17 a=lP7XrAztAAAA:8
a=KiCxJD0x+Pe5VASQKmYoJrcyuOo=:19 a=xqWC_Br6kY4A:10 a=8nJEP1OIZ-IA:10
a=nTHF0DUjJn0A:10 a=Mrz3sjv-sVQA:10 a=IAtt1hzdAAAA:8 a=vYhxhHx_zviUCDRhy94A:9
a=wPNLvfGTeEIA:10 a=2EkGEB5KO2G9k0KlfTuJ:22 a=1L9rwC9n54gXs6W524hS:22
Received: from my.real.hostname.it ([::1])
by my.real.hostname.it with ESMTP
id 0000000000123253.000000005ED46F3F.00004A46; Mon, 01 Jun 2020 05:00:15 +0200
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Subject: promemoria per gli iscritti della lista
my.real.domain.where.i.host.mailman
From: [email protected]
To: [email protected]
X-No-Archive: yes
Auto-Submitted: auto-generated
Message-ID: <[email protected]>
Date: Mon, 01 Jun 2020 05:00:04 +0200
Precedence: bulk
X-BeenThere: [email protected]
X-Mailman-Version: 2.1.29
List-Id: <mailman.my.real.hostname.it>
X-List-Administrivia: yes
Errors-To: [email protected]
Sender: "Mailman" <[email protected]>
X-CMAE-Envelope:
MS4wfE7WgNK6+1TCWJT2l9eUtLErptK18C5819kRL7yRE0HAlor0NJBLXLDL6HfOahF0FqVW6I95j5Oz78Y4MekgnFd5rnHMtNjcemup+IEvZPAik3ig8RbU
yUf5JnpXs0aKtyC4ykkZ73aCGK8h7SqTc+S8FR9HSkpVwEpBFRFMHW5PAagGRRIICd1fep7ihrf2iQ==
X-Mru-Rpop: 1
X-Ipop: 89664477
X-Mru-UID: 1089306654
X-Mailru-Intl-Transport: d,4f36b03
Questo promemoria, inviato con cadenza mensile, elenca le tue
iscrizioni alle liste gestite da my.real.domain.where.i.host.mailman, e
per ognuna di esse specifica le informazioni necessarie per cambiarla
o cancellarla.
Puoi visitare gli URL per cambiare il tuo stato d'iscrizione o la
configurazione, inclusa la cancellazione, il settaggio della modalit=E0
di spedizione digest, o disabilitare completamente la spedizione (es.,
per una vacanza), e cos=EC via.
In aggiunta all'interfaccia web, puoi usare anche l'email per fare
alcuni cambiamenti. Per altre informazioni, invia un messaggio
all'indirizzo '-request' della lista (per esempio,
[email protected]) contenente solamente
la parola 'help' nel corpo del messaggio. Ti sar=E0 inviato un
messaggio con le istruzioni.
Se hai domande, problemi, commenti, ecc., inviali a
[email protected]. Grazie!
Password per [email protected]: =
Lista Password // URL
---- -------- =
[email protected]
voanteod =
https://my.real.domain.where.i.host.mailman/options/my.real.list.name/ada3167eb87301cb4835917425f07242%40libero.it
--2b38e7ed6655b3398b3fa78c503692fce35b2e77326c2691bbcfb3bc2516--
------------------------------------------------------
Mailman-Users mailing list -- [email protected]
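
As an added example (not part of the original post and not Mailman code): the cross-check described above, reading the reporter from the feedback report and the subscribed address from the options URL in the attached reminder. The sample report, its addresses and the `analyse_fbl` helper are constructed for illustration, and the URL pattern assumes the `/options/<list>/<address>` form seen in the reminder.

```python
import email
import re
from urllib.parse import unquote

# Constructed sample report (example domains), not the report from the post.
SAMPLE_ARF = """\
From: fbl@isp.example
To: abuse@lists.example
MIME-Version: 1.0
Content-Type: multipart/report; report-type=feedback-report; boundary="b1"

--b1
Content-Type: message/feedback-report

Feedback-Type: abuse
Version: 1
Original-Rcpt-To: reporter@isp.example
Original-Mail-From: mailman-bounces@lists.example

--b1
Content-Type: message/rfc822

From: mailman-owner@lists.example
To: subscriber@isp.example
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

demo-list@lists.example  secret =
https://lists.example/options/demo-list/subscriber%40isp.example
--b1--
"""

# Assumed URL shape, taken from the reminder: .../options/<list>/<user>%40<domain>
OPTIONS_URL = re.compile(r"https?://\S+?/options/([^/\s]+)/(\S+)")

def analyse_fbl(raw):
    """Compare the ARF reporter with the address the reminder was sent for."""
    fields, reminder = {}, None
    for part in email.message_from_string(raw).walk():
        if part.get_content_type() == "message/feedback-report":
            fields = dict(part.get_payload(0).items())   # machine-readable part
        elif part.get_content_type() == "message/rfc822":
            reminder = part.get_payload(0)               # the original message
    body = reminder.get_payload(decode=True).decode(     # undo quoted-printable
        reminder.get_content_charset() or "utf-8", "replace")
    subscribed = {unquote(m.group(2)).lower() for m in OPTIONS_URL.finditer(body)}
    reporter = fields.get("Original-Rcpt-To", "").lower()
    return {"reporter": reporter, "to": reminder["To"], "subscribed": subscribed,
            "reporter_is_subscriber": reporter in subscribed}
```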