[If member-email known] Malformed "From:" header accepted -> anyone can post to list.

Bug #1721746 reported by René Freund
Affects: GNU Mailman
Importance: Undecided
Assigned to: Unassigned

Bug Description

Hello,

Because we recently got some spam from outside, but with the email address of a list member, we found after an investigation that the E-Mail header

From: "memberuseremail@" <memberuserdomain.tld somerandomspamemail.tld>

will be accepted by Mailman and posted to the list. So if the spammer knows a valid member email address, it is possible to send emails to the list.

I don't know if this is fixed already and I have to poke the Ubuntu team instead.

Versions:
Ubuntu 16.04 LTS
Mailman Version: 1:2.1.20-1ubuntu0.1
Postfix Version: 3.1.0-3

Mark Sapiro (msapiro)
information type: Private Security → Public
Mark Sapiro (msapiro) wrote :

This is not a security issue in Mailman. Yes, it is possible to spoof a list member's address in various headers to cause a post to be accepted by a list, but there's nothing Mailman or any list management software can do about that short of moderating all members.

Also, see <https://mail.python.org/pipermail/mailman-users/2017-October/082558.html>, <https://wiki.list.org/x/4030556> and the "How to post to the announcement list:" section at <https://wiki.list.org/x/4030685>.

Changed in mailman:
status: New → Invalid
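Both the report and the reply turn on how a From: header value is parsed and compared against the membership list. The following is an added example, not Mailman's own code: a strict sender check that parses the header value with Python's email.utils.parseaddr, rejects anything whose address part is not a single well-formed addr-spec (the malformed header quoted in the report fails here, because the text inside the angle brackets contains no "@" and no single address), flags a display name that itself looks like a different address, and only then compares the parsed address against a member set. The member addresses, the sample headers, the check_sender function and the verdict names are constructed assumptions for illustration.

```python
"""Strict From: sender check (added example; not Mailman's code)."""
import re
from email.utils import parseaddr

# Simplified RFC 5322 addr-spec: dot-atom local part, exactly one '@', dotted domain.
# Embedded whitespace or a missing '@' fails this, which is how the report's header is caught.
ADDR_SPEC_RE = re.compile(
    r"^[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+(?:\.[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+)*"
    r"@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+$"
)

# Constructed membership list (assumption for the example).
MEMBERS = {"alice@example.org", "bob@example.org"}


def parse_from(header_value):
    """Split a From: header value into (display name, lowercased addr-spec)."""
    name, addr = parseaddr(header_value)
    return name.strip(), addr.strip().lower()


def check_sender(header_value, members):
    """Classify a From: header value against the member set.

    Returns (verdict, reasons):
      'reject' - the address part is not a single well-formed addr-spec
      'hold'   - well-formed, but the sender is not a member or the display
                 name itself looks like a different address (spoof indicator)
      'accept' - well-formed, no indicators, and the address is a member
    """
    name, addr = parse_from(header_value)
    reasons = []
    if not ADDR_SPEC_RE.match(addr):
        # Only the parsed addr-spec is ever compared; the raw header text is
        # never searched for a member address.
        return "reject", ["malformed-addr-spec"]
    if "@" in name and name.lower() != addr:
        reasons.append("display-name-looks-like-other-address")
    if addr not in members:
        reasons.append("not-a-member")
    return ("hold" if reasons else "accept"), reasons


# Constructed sample headers: the report's malformed one, a genuine member,
# a display-name mismatch, and a well-formed header carrying a member's
# address but sent by someone else (identical on the wire to the genuine one).
SAMPLES = {
    "report": '"memberuseremail@" <memberuserdomain.tld somerandomspamemail.tld>',
    "member": "Alice Member <alice@example.org>",
    "name_spoof": '"alice@example.org" <mallory@example.net>',
    "addr_spoof": "Alice Member <alice@example.org>",
}


def run_samples(members=MEMBERS):
    """Return {sample name: (verdict, reasons)} for the constructed headers."""
    return {label: check_sender(value, members) for label, value in SAMPLES.items()}


if __name__ == "__main__":
    for label, (verdict, reasons) in run_samples().items():
        print(f"{label:>10}: {verdict:<7} {', '.join(reasons)}")
```

The last sample is the maintainer's point: a syntactically valid From: carrying a member's address is indistinguishable from a genuine member post at this layer, so a stricter parser narrows what gets accepted but does not stop spoofing, which is why the reply points to moderation.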