E-mails with "From" non-member and "Reply-to" member address pass through the rejection system

Bug #379454 reported by Savvas Radevic
This bug affects 1 person
Affects: GNU Mailman
Status: Invalid
Importance: Undecided
Assigned to: Unassigned
Milestone:

Bug Description

It seems that an email can pass through the rejection system if you send an email which:
1) is sent From a non-member address
2) uses a Reply-to of a member address

ubuntu-gr: https://lists.ubuntu.com/archives/ubuntu-gr/2009-May/008972.html
ubuntu-cy: https://lists.ubuntu.com/archives/ubuntu-cy/2009-May/000257.html

Both of these emails used the (1) and (2) mentioned above.

I've looked through the settings and couldn't find anything related to this.
Is there something that I missed and can be set to disable this behaviour?

P.S. Credits go to Nick Demou and Simos Xenitellis for discovering this vulnerability (if it happens to be one).
P.P.S. Attachment contains the email from ubuntu-cy with the headers included (password: bug).

Revision history for this message
Savvas Radevic (medigeek) wrote :

Attaching the email from the sender too (password: bug)

visibility: private → public
Revision history for this message
Mark Sapiro (msapiro) wrote :

This is not a bug. It is by design.

From Defaults.py

# Membership tests for posting purposes are usually performed by looking at a
# set of headers, passing the test if any of their values match a member of
# the list. Headers are checked in the order given in this variable. The
# value None means use the From_ (envelope sender) header. Field names are
# case insensitive.
SENDER_HEADERS = ('from', None, 'reply-to', 'sender')

If you don't want to treat posts with a Reply-To: of a member address as being from a member, you can put

SENDER_HEADERS = ('from', None, 'sender')

in mm_cfg.py. Note, however, that if your goal is to prevent people from spoofing a member address by inserting a Reply-To: of a member, it's just as easy for a knowledgeable person to spoof the From:.

Changed in mailman:
status: New → Invalid
security vulnerability: yes → no
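The following is an added illustration of the SENDER_HEADERS behaviour described in the comment above; it is not Mailman's own code. It simulates the membership lookup over a constructed member roster and a constructed message shaped like the reported one (non-member From:, member Reply-To:), and compares the default tuple with the tightened one suggested for mm_cfg.py.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed member roster for this example (addresses compared lower-cased).
MEMBERS = {"alice@example.org", "bob@example.org"}

# Mailman's shipped default: From:, envelope sender (None), Reply-To:, Sender:.
DEFAULT_SENDER_HEADERS = ('from', None, 'reply-to', 'sender')
# The tightened setting from the comment above: Reply-To: no longer counts.
STRICT_SENDER_HEADERS = ('from', None, 'sender')


def candidate_senders(msg, envelope_sender, sender_headers):
    """Yield addresses in the order the SENDER_HEADERS tuple consults them."""
    for name in sender_headers:
        if name is None:
            # None stands for the From_ line, i.e. the envelope sender.
            if envelope_sender:
                yield envelope_sender.lower()
            continue
        # Header names are case-insensitive; a header may carry several addresses.
        for _display, addr in getaddresses(msg.get_all(name, [])):
            if addr:
                yield addr.lower()


def is_member_post(raw_message, envelope_sender, sender_headers, members=MEMBERS):
    """True if any consulted address belongs to a member (first match wins)."""
    msg = message_from_string(raw_message)
    return any(addr in members
               for addr in candidate_senders(msg, envelope_sender, sender_headers))


# Constructed message matching the report: non-member From:, member Reply-To:.
SPOOFED = """From: Mallory <mallory@example.net>
Reply-To: alice@example.org
To: list@example.org
Subject: test

hello
"""

if __name__ == "__main__":
    for label, headers in (("default", DEFAULT_SENDER_HEADERS),
                           ("strict", STRICT_SENDER_HEADERS)):
        treated_as_member = is_member_post(SPOOFED, "mallory@example.net", headers)
        print(f"{label}: treated as member post = {treated_as_member}")
```

With the default tuple the constructed message is treated as a member post because of its Reply-To:; with the tightened tuple it is not, while a post whose From: is a member still passes under both.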