I just had a fleck of spam sully my mailing list from an email address that is not among
the members. How can this be? There were still about thirty other pieces of spam
awaiting administrative approval. How could this one have slipped through? Where would
I start troubleshooting this? I know it's not just that it's spoofing the list, because
the spam ended up in the online archives.

Skipper


--
Robert Boyd Skipper
P.O. Box 593
Wimberley, TX 78676


  • Mark Sapiro at Feb 6, 2008 at 5:19 pm

    Robert Boyd Skipper wrote:
    I just had a fleck of spam sully my mailing list from an email address that is not among
    the members. How can this be? There were still about thirty other pieces of spam
    awaiting administrative approval. How could this one have slipped through? Where would
    I start troubleshooting this? I know it's not just that it's spoofing the list, because
    the spam ended up in the online archives.

    It is not always possible to tell after the fact, but here is some
    info. Note that you can find the message in the
    archives/private/listname.mbox/listname.mbox file, but this message
    has already been processed by Mailman and some Headers may have been
    changed from the incoming message.

    A message will be determined to be from a member if a member's address
    appears in any of the From:, Reply-To: or Sender: headers or is the
    envelope sender which will be in the initial "From " line in the
    listname.mbox file.

    If the message is not from a member, it will be accepted if the From:
    address, or the Sender: address if there is one and if
    USE_ENVELOPE_SENDER is set to Yes in mm_cfg.py, is in or matches a
    pattern in accept_these_nonmembers.

    --
    Mark Sapiro <mark at msapiro.net> The highway is for gamblers,
    San Francisco Bay Area, California better use your sense - B. Dylan
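
The checks described in the reply above, as an added Python example that is not part of the original thread or of Mailman's code: it reads one archived message, lists every place a sender address can appear, and reports which of the stated rules would let it through. The sample message, the addresses and the function names are constructed, and treating accept_these_nonmembers entries that start with ^ as regular expressions is an assumption.

```python
import email
import re
from email.utils import getaddresses

# Constructed sample: one message as it might appear in listname.mbox.
SAMPLE = """\
From _spam@bulk.example Wed Feb  6 10:00:00 2008
Return-Path: <_spam@bulk.example>
From: "Cheap Pills" <_spam@bulk.example>
Reply-To: alice@example.org
To: listname@example.com
Subject: hello

body
"""

def candidate_senders(raw):
    """Map each place a sender can appear to the addresses found there."""
    first, _, rest = raw.partition("\n")
    parts = first.split()
    found = {}
    if first.startswith("From ") and len(parts) > 1:
        found["envelope"] = [parts[1].lower()]
    else:
        rest = raw  # no mbox separator line, treat everything as headers
    msg = email.message_from_string(rest)
    for name in ("From", "Reply-To", "Sender"):
        addrs = [a.lower() for _, a in getaddresses(msg.get_all(name, [])) if a]
        if addrs:
            found[name] = addrs
    return found

def why_accepted(raw, members, accept_these_nonmembers):
    """List the reasons the rules described above would let this message through."""
    senders = candidate_senders(raw)
    reasons = [f"{src} {a} is a member"
               for src, addrs in senders.items() for a in addrs if a in members]
    # Non-member rule, From: only (the Sender:/USE_ENVELOPE_SENDER case is not modelled).
    for addr in senders.get("From", []):
        for pat in accept_these_nonmembers:
            # Assumption: entries starting with ^ are regexps, others literal addresses.
            if pat.lower() == addr or (pat.startswith("^") and re.match(pat, addr, re.I)):
                reasons.append(f"From {addr} matches accept_these_nonmembers {pat!r}")
    return reasons
```

An empty result for a message that was nevertheless posted means none of these rules explains it, which narrows the search to the list's other settings.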
  • Robert Boyd Skipper at Feb 6, 2008 at 10:40 pm
    Mark:

    Thank you for this information. The headers don't seem to be the problem, as they
    contain non-member emails. I don't have direct access to the mm_cfg.py file, and I
    can't find a user_envelope_sender in the web-based administration pages. So I haven't
    checked into that.

    However, I do have one more fact that may be relevant. I just received another spam
    posting that got through. It and the previous one both have emails that begin with an
    underscore: _pearl at absinth.com and _nlahtien at musikverein-altenhof.de
    So, as a possible quick fix, I've set the Spam filter rule 1 to the following

    from: _.*@.*

    Maybe this will work?


    Skipper


    --
    Robert Boyd Skipper
    P.O. Box 593
    Wimberley, TX 78676
  • Mark Sapiro at Feb 7, 2008 at 4:04 am

    Robert Boyd Skipper wrote:
    Thank you for this information. The headers don't seem to be the problem, as they
    contain non-member emails. I don't have direct access to the mm_cfg.py file, and I
    can't find a user_envelope_sender in the web-based administration pages. So I haven't
    checked into that.

    Here's something you can try. Since you don't have access to mm_cfg.py,
    I assume you don't have direct access to
    archives/private/listname.mbox/listname.mbox either, but you can get
    it from the web (if it's not too humongous) with a URL like
    <http://www.example.com/mailman/private/listname.mbox/listname.mbox>.
    If you find the message(s) there, the initial "From " line and the
    Return-Path:, if any, have the envelope sender. Then, the Reply-To:
    and Sender: if any will be as in the original post, assuming your list
    isn't anonymous and doesn't mung the Reply-To:

    However, I do have one more fact that may be relevant. I just received another spam
    posting that got through. It and the previous one both have emails that begin with an
    underscore: _pearl at absinth.com and _nlahtien at musikverein-altenhof.de
    So, as a possible quick fix, I've set the Spam filter rule 1 to the following

    from: _.*@.*

    Maybe this will work?

    It should, assuming there's no 'real name' between From: and the
    address and the address isn't in <>. I would be inclined to try
    something along the lines of

    ^from:.*[ <]_[^<> ]+@.*

    If you give this rule a Hold action, then you can see the original held
    message with the original incoming headers intact. You will even see
    the presence of an Approved: header or body line if any, although this
    isn't likely to be the reason the message gets through as it requires
    the list's admin or moderator password.

    --
    Mark Sapiro <mark at msapiro.net> The highway is for gamblers,
    San Francisco Bay Area, California better use your sense - B. Dylan
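
An added example (not from the thread or from Mailman's code) comparing the two filter patterns discussed above against constructed From: header shapes. It assumes the rule is searched case-insensitively and line by line over the header block; the header lines and names are constructed.

```python
import re

# Assumption: rules are searched case-insensitively, line by line, over the headers.
FLAGS = re.IGNORECASE | re.MULTILINE

RULES = {
    "original": r"from: _.*@.*",               # the quick fix from the question
    "suggested": r"^from:.*[ <]_[^<> ]+@.*",   # the anchored form from the reply
}

# Constructed header lines covering the forms a From: address can take.
HEADERS = {
    "bare": "From: _spam@bulk.example",
    "real_name": 'From: "Cheap Pills" <_spam@bulk.example>',
    "brackets_only": "From: <_spam@bulk.example>",
    "inner_underscore": "From: john_smith@example.org",
    "other_header": "Subject: forwarded from: _x@bulk.example",
}

def matches(rule, header_block):
    """True if the named rule would fire on this header text."""
    return re.search(RULES[rule], header_block, FLAGS) is not None

def coverage():
    """For each sample header, report which rules fire."""
    return {name: {rule: matches(rule, text) for rule in RULES}
            for name, text in HEADERS.items()}

if __name__ == "__main__":
    for name, result in coverage().items():
        print(f"{name:17} {result}")
```

The unanchored rule misses addresses wrapped in a real name or angle brackets and fires on a Subject: line that happens to contain the text; the anchored rule does neither, and neither fires on an underscore inside the local part.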
  • Robert Boyd Skipper at Feb 7, 2008 at 4:33 pm
    Mark:

    Thanks again. This is greatly helpful. I'll look into all of these suggestions today.
    It turns out that emails beginning with a hyphen also get through. So I'm
    supplementing a filter for an initial underscore with a filter for an initial \W as
    well. Until I know the exact parameter of the hole in mailman, I'd rather delay some
    legitimate posts than let through any more spam.

    Skipper




    --
    Robert Boyd Skipper
    P.O. Box 593
    Wimberley, TX 78676
  • Mark Sapiro at Feb 7, 2008 at 10:54 pm

    Robert Boyd Skipper wrote:
    Thanks again. This is greatly helpful. I'll look into all of these suggestions today.
    It turns out that emails beginning with a hyphen also get through.

    Do you have any patterns in accept_these_nonmembers that might be
    matching these addresses?

    --
    Mark Sapiro <mark at msapiro.net> The highway is for gamblers,
    San Francisco Bay Area, California better use your sense - B. Dylan
  • Robert Boyd Skipper at Feb 8, 2008 at 2:38 am
    Mark:

    No. There are a few email addresses there, but they are seemingly unrelated to the
    three different ones that have gotten through.

    Skipper


    --
    Robert Boyd Skipper
    P.O. Box 593
    Wimberley, TX 78676
