Any known cases of "non-members" who aren't explicitly allowed to send to the list with a default rule of "discard" on a list getting through?
We just noticed an oddness in a client's system.
Someone sent to a members-only list and it 'got past' moderation controls. The list is set to not allow non-members to send to the list, but somehow it got through the default rule of "discard (no notification)" for a non-member and got to the list.
The only oddness I can tell is that there was an emoji (unicode) in the subject line but as I understand how Mailman works, this should NOT have impacted anything, as the sender filter bits happen earlier in message processing.
Has *anyone* seen any cases like this before? If this is repeatable or a known issue, it deserves a CVE security bug because this is a **severe** problem.
On 1/9/26 12:16 PM, Thomas Ward via Mailman-users wrote:
> We just noticed an oddness in a client's system.
> Someone sent to a members-only list and it 'got past' moderation controls. The list is set to not allow non-members to send to the list, but somehow it got through the default rule of "discard (no notification)" for a non-member and got to the list.
There are two possibilities here. Either the sender's non-member record has a moderation action of accept or default processing, or even though the From: address is a non-member, one of the envelope from or the Sender: or Reply-To: headers is a member. See the mailman.email.message.Message.senders method at https://gitlab.com/mailman/mailman/-/blob/master/src/mailman/email/message.p....
--
Mark Sapiro <mark@msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
Thomas Ward via Mailman-users writes:
> Has *anyone* seen any cases like this before?
Something like it is common. A member forwards a non-member's message to the list, so that the envelope from (and often Sender) are set to that member's address. You will see only the header From, so it appears that the post was by a non-member.
> If this is repeatable or a known issue, it deserves a CVE security
> bug because this is a **severe** problem.
Members-only for posting is a best-effort, use at your own risk, feature, because all of the addresses used for identifying members are easily spoofable. Of them only the header From is normally visible to end users. It's standard in stock Mailman because in practice it's an excellent defense against spam. It is not otherwise a reliable security measure, and the default configuration is quite loose. It allows users to forward messages for others and to use various addresses for the author headers. It allows the apparent author to be different from the user who injects the message to the Internet mail system.
In practice, header From is fairly reliable if all of your members have addresses with DMARC policy "p=reject" and your MTA does reject when From alignment fails. But to depend on DMARC processing, you need to remove Sender, Reply-To, and envelope From (From_, I think is the configuration notation) from the member identification configuration. Also note that the purpose of DMARC is primarily to protect the sending organization, not the receiver, so this use case depends on trusting the sending organization to do the authentication.
--
GNU Mailman consultant (installation, migration, customization)
Sirius Open Source https://www.siriusopensource.com/
Software systems consulting in Europe, North America, and Japan
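To make the two replies above concrete, here is an added illustration; it is not Mailman's own code, and the set of sender sources (envelope from, From, Sender, Reply-To) is taken from the thread rather than from the linked senders method. It shows how a forwarded message whose visible From: is a non-member is still matched to a member through Sender: or the envelope from, and how a header-From-only configuration changes the outcome.

```python
import email
from email.utils import getaddresses

# Constructed example, not Mailman's own code. Membership is matched against
# several addresses, so a non-member header From: alone does not block a post.
DEFAULT_SENDER_SOURCES = ('envelope', 'from', 'sender', 'reply-to')


def candidate_senders(msg, envelope_from=None, sources=DEFAULT_SENDER_SOURCES):
    """Lowercased addresses that would be checked against the member roster."""
    addrs = []
    for src in sources:
        if src == 'envelope':
            if envelope_from:
                addrs.append(envelope_from.lower())
            continue
        for _, addr in getaddresses(msg.get_all(src, [])):
            if addr:
                addrs.append(addr.lower())
    return addrs


def matching_member(raw_msg, envelope_from, members, sources=DEFAULT_SENDER_SOURCES):
    """Return the first candidate address that is a list member, else None.

    A non-None result explains why a members-only list accepted a post whose
    visible From: address is not on the roster.
    """
    msg = email.message_from_string(raw_msg)
    roster = {m.lower() for m in members}
    for addr in candidate_senders(msg, envelope_from, sources):
        if addr in roster:
            return addr
    return None


# Constructed sample: a member forwards an outsider's mail; the mail client keeps
# the outsider's From: but sets Sender: (and the envelope from) to the member.
FORWARDED = """\
From: Outsider <outsider@example.net>
Sender: Alice <alice@example.org>
To: list@example.org
Subject: forwarded note \U0001F600

hello
"""
MEMBERS = ["alice@example.org", "bob@example.org"]

if __name__ == "__main__":
    # Loose (stock-style) matching: accepted, because Sender: is a member.
    print(matching_member(FORWARDED, "alice@example.org", MEMBERS))
    # Header-From-only matching, as in the DMARC-dependent setup: no member found.
    print(matching_member(FORWARDED, "alice@example.org", MEMBERS, sources=("from",)))
```

Logging the matched address alongside the header From: for each accepted post is the quickest way to confirm which of the sender fields let a suspicious message through.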
participants (3): Mark Sapiro, Stephen J. Turnbull, Thomas Ward