[If member-email known] Malformed "From:" header accepted -> anyone can post to list.
Bug #1721746 reported by
René Freund
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| GNU Mailman |
Invalid
|
Undecided
|
Unassigned | ||
Bug Description
Hello,
because we got some spam from outside, but with email-adress of a list-member lately, we found after an investigation that the E-Mail Header
From: "memberuseremail@" <memberuserdoma
will be accepted by mailman and posted to the list. So if the spammer knows a valid member-emailadress it is possible to send emails to the list.
I don't know if this is fixed already and i have to poke the ubuntu team instead.
Versions:
Ubuntu 16.04 LTS
Mailman Version: 1:2.1.20-1ubuntu0.1
Postfix Version: 3.1.0-3
| information type: | Private Security → Public |
Revision history for this message
| Mark Sapiro (msapiro) wrote | #1 |
| Changed in mailman: | |
| status: | New → Invalid |
To post a comment you must log in.
This is not a security issue in Mailman. Yes it is possible to spoof a list member's address in various headers to cause a post to be accepted by a list, but there's nothing Mailman or any list management software can do about that short of moderating all members.
Also, see <https:/