At Tue, 24 Jan 2023 14:00:01 +0100 "Thomas F. Holz" <tfh@Seelen.Theater> wrote:
>
> Hello to the round.
> Unfortunately I could not find a better place for my questions, nor did
> I find any answers within the docs or by Google.
> So here it is. The questions refer to Mailman 2.1.23.
>
> If I know the address of a list member and the address of the mailing
> list, I seem to be allowed to write in the list in his place.
> Is this correct?
>
> It seems to me that this is possible in at least two ways with the lists
> I am responsible for, and I don't like that:
>
> 1)---
> First, I can fake the sender address. If the original sender address and
> mail with the forgery are sent from the same domain, then this is not
> prevented by the MTA (SPF/DKIM check), is it?

Depends on MTA settings.

> With freemailers like gmail, web.de, gmx etc. this doesn't seem so
> impossible to me (i.e. that listmember and bad guy write from the same
> domain).

Some of these mailers might not let someone randomly mess with the From:
header. Most often the spoofers are NOT actually using legit free e-mail
services to send spoofed e-mail, but are instead doing things like
connecting directly to your inbound MTA from their laptop (or from hacked
PCs). In either case the HELO command and/or the Received: header will
identify this and this can be checked, either by the inbound MTA or by
Mailman (add a spam filter checking the Received: header for bad IP
addresses).

> 2)---
> Second, even more strange to me:
> If I write to the mailing list from a valid address (which is NOT a
> member of the mailing list), and specify a "return-to" in the header
> with a listmember's address, then that gets waved through to my mailing
> list as well. My mailman lists here seem to ignore the "From" address
> completely then. This is strange.
> In this case, it doesn't even matter which domain the bad guy writes
> from, as long as the return address stands up to the usual checks
> (SPF/DKIM/DMARC).
>
> Have I understood this correctly?
> And if this is as described, how can I prevent this?

You need some spam filtering designed to catch this.

> Background: I have inherited a larger Sendmail server and several dozen
> Mailman lists. Unfortunately, migration to Mailman3 is not an option (at
> least in the foreseeable future). So I have to live with the given - and
> annoy others with stupid questions from time to time. Sorry for that.
>
> In advance with thanks and greetings from Germany,
> Thomas
>
> ------------------------------------------------------
> Mailman-Users mailing list -- mailman-users@python.org
> To unsubscribe send an email to mailman-users-le...@python.org
> https://mail.python.org/mailman3/lists/mailman-users.python.org/
> Mailman FAQ: http://wiki.list.org/x/AgA3
> Security Policy: http://wiki.list.org/x/QIA9
> Searchable Archives: https://www.mail-archive.com/mailman-users@python.org/
> https://mail.python.org/archives/list/mailman-users@python.org/
>
>

--
Robert Heller             -- Cell: 413-658-7953 GV: 978-633-5364
Deepwoods Software        -- Custom Software Services
http://www.deepsoft.com/  -- Linux Administration Services
hel...@deepsoft.com       -- Webhosting Services
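A worked version of the check Robert describes, added here as an example and not code from the thread or from Mailman itself: it parses a constructed message, pulls the IPv4 addresses out of the Received: chain and flags any that fall in an assumed local blocklist, and, to cover Thomas's second case (the "return-to" header, read here as either Return-Path or Reply-To), reports when that address belongs to a different domain than From:. All addresses, networks and header values are constructed.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not from the thread): From: claims a list member, but the
# originating hop is an unknown host and the envelope sender (Return-Path) is in
# a different domain than the From: header.
SAMPLE = (
    "Received: from lists.example.org (lists.example.org [192.0.2.10])\n"
    "\tby mx.example.org with ESMTP id abc123; Tue, 24 Jan 2023 14:00:01 +0100\n"
    "Received: from [198.51.100.77] (unknown [198.51.100.77])\n"
    "\tby lists.example.org with ESMTP id def456; Tue, 24 Jan 2023 13:59:58 +0100\n"
    "Return-Path: <someone@other.example>\n"
    "From: member@example.com\n"
    "Reply-To: member@example.com\n"
    "Subject: test\n\nbody\n"
)
# Hypothetical local policy: networks no legitimate member is expected to post from.
BLOCKED_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def received_ips(msg):
    """Bracketed IPv4 addresses in the Received: chain, newest hop first."""
    ips = (ip for hdr in msg.get_all("Received", []) for ip in IP_RE.findall(hdr))
    return list(dict.fromkeys(ips))  # de-duplicated, order preserved

def domain_of(header_value):
    """Lower-cased domain of an address header; '' when the header is absent."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def check_message(raw, blocked=BLOCKED_NETWORKS):
    """Reasons to hold the message for moderation; an empty list means it passed."""
    msg = message_from_string(raw)
    reasons = []
    for ip in received_ips(msg):
        if any(ipaddress.ip_address(ip) in net for net in blocked):
            reasons.append(f"blocked-ip:{ip}")
    from_dom = domain_of(msg.get("From"))
    for hdr in ("Return-Path", "Reply-To"):
        dom = domain_of(msg.get(hdr))
        if dom and dom != from_dom:
            reasons.append(f"{hdr.lower()}-mismatch:{dom}")
    return reasons
```

The Received: IP part alone can be expressed as a regex in Mailman 2.1's header_filter_rules (Privacy options, Spam filters); the cross-header domain comparison needs a milter or an MTA-side hook in front of the list.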