Any known cases of "non-members" who aren't explicitly allowed to send to the list with a default rule of "discard" on a list getting through?
We just noticed an oddness in a client's system.
Someone sent to a members-only list and it 'got past' moderation controls. The list is set to not allow non-members to send to the list, but somehow it got through the default rule of "discard (no notification)" for a non-member and got to the list.
The only oddness I can tell is that there was an emoji (Unicode) in the subject line, but as I understand how Mailman works, this should NOT have impacted anything, as the sender filter bits happen earlier in message processing.
Has *anyone* seen any cases like this before? If this is repeatable or a known issue, it deserves a CVE security bug because this is a **severe** problem.
On 1/9/26 12:16 PM, Thomas Ward via Mailman-users wrote:
> We just noticed an oddness in a client's system.
> Someone sent to a members-only list and it 'got past' moderation controls. The list is set to not allow non-members to send to the list, but somehow it got through the default rule of "discard (no notification)" for a non-member and got to the list.
There are two possibilities here. Either the sender's non-member record has a moderation action of accept or default processing, or even though the From: address is a non-member, one of the envelope from or the Sender: or Reply-To: headers is a member. See the mailman.email.message.Message.senders method at https://gitlab.com/mailman/mailman/-/blob/master/src/mailman/email/message.p....
-- 
Mark Sapiro <mark@msapiro.net>
San Francisco Bay Area, California
The highway is for gamblers, better use your sense - B. Dylan
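One way to check a saved copy of the delivered message for the second possibility in the reply above, as an added example that is not part of the original thread and is not Mailman's own code: it collects every address from From:, the envelope sender, Reply-To: and Sender: and reports which of them match a member. The function names, the sample message and all addresses are constructed for illustration, and the header set is taken from the reply, not read from a Mailman configuration.

```python
from email import message_from_string
from email.utils import getaddresses

# Sender sources named in the reply; "envelope" is the mbox "From " line.
# Assumption: this fixed tuple stands in for whatever the site has configured.
SENDER_SOURCES = ("from", "envelope", "reply-to", "sender")

def candidate_senders(msg):
    """Return [(source, address)] for every address found in the sources above."""
    found = []
    for source in SENDER_SOURCES:
        if source == "envelope":
            parts = (msg.get_unixfrom() or "").split()  # "From addr date..."
            values = parts[1:2]
        else:
            values = [str(v) for v in msg.get_all(source, [])]
        for _display, addr in getaddresses(values):
            if addr:
                found.append((source, addr.lower()))
    return found

def member_matches(msg, members):
    """Return the (source, address) pairs that would identify a list member."""
    known = {m.lower() for m in members}
    return [(src, addr) for src, addr in candidate_senders(msg) if addr in known]

# Constructed sample: non-member in From: and envelope, member in Reply-To:.
RAW = """\
From outsider@example.net Fri Jan  9 12:00:00 2026
From: Outsider <outsider@example.net>
Reply-To: Member@example.com
To: list@example.org
Subject: =?utf-8?q?hello_=F0=9F=8E=89?=

body
"""
SAMPLE = message_from_string(RAW)
MEMBERS = {"member@example.com"}  # constructed roster

if __name__ == "__main__":
    for source, addr in candidate_senders(SAMPLE):
        tag = "MEMBER" if addr in MEMBERS else "non-member"
        print(f"{source:9} {addr:24} {tag}")
```

If `member_matches` returns an empty list for the real message, the first possibility (the non-member record's own moderation action) is the one to inspect.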