Getting original message headers
We've been seeing some particularly pernicious spammers recently. They're using gmail accounts; I'd like to report them to Google.
To do that I need to find the original message headers. By the time the message gets to the archive, or to the mailing list recipients, all the Received: headers seem to have been deleted, leaving only the ones from my list server outwards.
Is there a way to access the original incoming email, before DMARC mitigation etc. has changed the headers?
Peter C
On 1/5/26 01:32, Peter Chubb via Mailman-users wrote:
We've been seeing some particularly pernicious spammers recently. They're using gmail accounts; I'd like to report them to Google.
To do that I need to find the original message headers. By the time the message gets to the archive, or to the mailing list recipients, all the Received: headers seem to have been deleted, leaving only the ones from my list server outwards.
Only minimal information from headers is in the hyperkitty archive, but the headers should be in the delivered email and in the message archived by the prototype archiver if enabled (Mailman's var/archives/prototype/<list_address>/new/)
For example, in the list message I'm replying to I see these headers from your server
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=chubb.wattle.id.au;
    s=2; h=Subject:To:From:Date:References:Reply-To;
    bh=g3joi1iLtQO6etRPAxWSgcpVPoLlVQz6JOFqB1oHHfY=;
    b=jJEI+qHRRXm7S4bGnmZU6zaeh9
    lcPLZkay/lfqg4j9/ucMazFOyEkO3dolXuwz+mnI3CdapcNoGI0/VdZKgNCjINkq6g+Lrzfj5yPZN
    o8QPyn42K6pP9A724/LPtKf/ltxymwQxBGm9DbYVx3SWLc8Dxl0e2lMdT1PlQfjHZ3pk=;
Received: from [2401:d002:1202:a00::9] (helo=wombat.chubb.wattle.id.au)
    by mx3.chubb.wattle.id.au with esmtpsa (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    (Exim 4.98.2) (envelope-from <peter@chubb.wattle.id.au>)
    id 1vcgxA-000000015I8-1oLW
    for mailman-users@mailman3.org; Mon, 05 Jan 2026 20:32:45 +1100
Received: from [192.168.77.170] (helo=gram.chubb.wattle.id.au)
    by wombat.chubb.wattle.id.au with esmtpsa (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    (Exim 4.98.2) (envelope-from <peter@chubb.wattle.id.au>)
    id 1vcgxJ-0000000AhKz-0d8s
    for mailman-users@mailman3.org; Mon, 05 Jan 2026 20:32:53 +1100
I don't know why you are not seeing similar headers in your list mail. Perhaps the spammers are posting via HyperKitty.
Is there a way to access the original incoming email, before DMARC mitigation etc. has changed the headers?
If you can arrange via list settings or header filters for the message to be held for moderation, you can see the raw held message in Postorius or in Mailman's var/messages/ directory.
--
Mark Sapiro <mark@msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
"Mark" == Mark Sapiro <mark@msapiro.net> writes:
Mark> On 1/5/26 01:32, Peter Chubb via Mailman-users wrote:
We've been seeing some particularly pernicious spammers recently. They're using gmail accounts; I'd like to report them to Google.
Mark> Only minimal information from headers is in the hyperkitty
Mark> archive, but the headers should be in the delivered email and in
Mark> the message archived by the prototype archiver if enabled
Mark> (Mailman's var/archives/prototype/<list_address>/new/)
I think they must have been posting via hyperkitty. The first received: line is localhost then the mailman server. Is there a way to turn that ability off?
Peter C
On 1/5/26 12:25, Peter Chubb via Mailman-users wrote:
I think they must have been posting via hyperkitty. The first received: line is localhost then the mailman server. Is there a way to turn that ability off?
If the posting is from Hyperkitty, there should be a
User-Agent: HyperKitty on <list URL>
header.
Are the spammers list members? If so, you need to remove them and then set Default action to take when a member posts to the list to Hold for moderation. That way, when a new member posts for the first time, the message will be held and if it's spam, you can discard it and set the member's moderation action to discard, and if it's not spam you can accept the message and set the member's moderation action to default processing.
Also setting Member Policy->Subscription Policy to Moderate or Confirm, then Moderate will prevent a non-member from posting.
--
Mark Sapiro <mark@msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
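An added example, not code from this thread or from Mailman or HyperKitty: a Python script that reads a raw message of the kind Mark points to (a held message under var/messages/, or a file under var/archives/prototype/<list_address>/new/), walks the Received: chain from the hop nearest the sender, pulls the DKIM d= domain, and checks for the User-Agent: HyperKitty header that marks a web post. The two sample messages, with their hosts, addresses and IDs, are constructed for the example. In the HyperKitty case the only hop is the Mailman host itself, which is why there are no upstream Received: lines to send to Google.

```python
"""Pull the abuse-report facts out of a raw list message: the Received:
chain, the hop nearest the sender, the DKIM signing domain, and whether
the post was submitted through HyperKitty rather than over SMTP."""
import email
import re
from email.message import Message

# Constructed sample: a post made through HyperKitty's web UI. HyperKitty
# hands the message to the local MTA, so the only hop is localhost on the
# Mailman host itself. Hosts, addresses and IDs are made up.
SAMPLE_VIA_HYPERKITTY = """\
Received: from lists.example (localhost [127.0.0.1])
    by lists.example (Postfix) with ESMTP id 4ABC100
    for <users@lists.example>; Mon, 05 Jan 2026 20:40:00 +1100
User-Agent: HyperKitty on https://lists.example/archives/
From: Spammy Sender <spammer@gmail.com>
To: users@lists.example
Subject: Cheap things
Message-ID: <20260105094000.1234@lists.example>
Date: Mon, 05 Jan 2026 20:40:00 +1100

Buy now.
"""

# Constructed sample: the same address posting over SMTP from Gmail. The
# earliest hop is Gmail's own "by ..." submission line, which has no "from"
# clause; the hand-off to our MTA is the first hop that does.
SAMPLE_VIA_SMTP = """\
Received: from mail-lj1-x22a.google.com (mail-lj1-x22a.google.com [2a00:1450:4864:20::22a])
    by lists.example (Postfix) with ESMTPS id 4ABC200
    for <users@lists.example>; Mon, 05 Jan 2026 20:41:00 +1100
Received: by mail-lj1-x22a.google.com with SMTP id 38308e7fff4ca-2f3c9a1e2b1so
    for <users@lists.example>; Mon, 05 Jan 2026 01:41:00 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601;
    h=from:to:subject:date:message-id; bh=47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=;
    b=constructed-not-a-real-signature
From: Spammy Sender <spammer@gmail.com>
To: users@lists.example
Subject: Cheap things
Message-ID: <CAE-constructed@mail.gmail.com>
Date: Mon, 05 Jan 2026 20:40:55 +1100

Buy now.
"""

_FROM_HOST = re.compile(r"^from\s+(\S+)", re.IGNORECASE)
_BRACKET_IP = re.compile(r"\[([0-9A-Fa-f.:]+)\]")
_DKIM_DOMAIN = re.compile(r"(?:^|;)\s*d=([^;\s]+)")


def _unfold(value: str) -> str:
    """Collapse RFC 5322 folding whitespace so each header is one line."""
    return " ".join(value.split())


def received_chain(msg: Message) -> list:
    """Received: headers in on-the-wire order: newest hop first."""
    return [_unfold(v) for v in msg.get_all("Received", [])]


def inspect_message(raw: str) -> dict:
    msg = email.message_from_string(raw)
    hops = received_chain(msg)
    # Every MTA prepends its own Received: line, so walking the list backwards
    # moves toward the sender. The first hop with a "from" clause names the
    # host that handed the message over.
    origin_host, origin_ip = "", ""
    for hop in reversed(hops):
        m = _FROM_HOST.search(hop)
        if m:
            origin_host = m.group(1)
            ip = _BRACKET_IP.search(hop)
            origin_ip = ip.group(1) if ip else ""
            break
    dkim_domains = []
    for sig in msg.get_all("DKIM-Signature", []):
        m = _DKIM_DOMAIN.search(_unfold(sig))
        if m:
            dkim_domains.append(m.group(1))
    agent = _unfold(msg.get("User-Agent", ""))
    return {
        "message_id": _unfold(msg.get("Message-ID", "")),
        "from": _unfold(msg.get("From", "")),
        "hop_count": len(hops),
        "origin_host": origin_host,
        "origin_ip": origin_ip,
        # HyperKitty tags web posts; for these the chain never leaves the
        # Mailman host, so the web session, not an upstream MTA, is the source.
        "via_hyperkitty": agent.startswith("HyperKitty on "),
        "dkim_domains": dkim_domains,
    }


if __name__ == "__main__":
    for label, raw in (("hyperkitty", SAMPLE_VIA_HYPERKITTY), ("smtp", SAMPLE_VIA_SMTP)):
        print(label, inspect_message(raw))
```

Run it against a real held message by reading the file and passing its contents to inspect_message(); the parser uses only the standard library and treats the DKIM and Received: values as opaque text, so a message that has been through DMARC mitigation still yields whatever hops survived.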
"Mark" == Mark Sapiro <mark@msapiro.net> writes:
Mark> On 1/5/26 12:25, Peter Chubb via Mailman-users wrote:
I think they must have been posting via hyperkitty. The first received: line is localhost then the mailman server. Is there a way to turn that ability off?
Mark> If the posting is from Hyperkitty, there should be a
Mark> User-Agent: HyperKitty on <list URL>
There is.
Mark> Are the spammer's list members? If so, you need to remove them
Mark> and then set Default action to take when a member posts to the
Mark> list to Hold for moderation. That way, when a new member
Mark> posts for the first time, the message will be held and if it's
Mark> spam, you can discard it and set the member's moderation action
Mark> to discard. and if it's not spam you can accept the message and
Mark> set the member's moderation action to default processing.
I've done all this now; I've also required moderation to join the (unadvertised) lists. We had the 'moderate until first good message' policy on all advertised lists; but were expecting that unadvertised lists could not be found to be subscribed and posted to. This is not the case.
Peter C
Peter Chubb via Mailman-users writes:
To do that I need to find the original message headers. By the time the message gets to the archive, or to the mailing list recipients, all the Received: headers seem to have been deleted, leaving only the ones from my list server outwards.
That's not something Mailman does by default (maybe it does for anonymous lists?) For example, the Received chain in your post as I received it goes back through several subdomains of "chubb" before getting to mailman3.org.
Is there a way to access the original incoming email, before DMARC mitigation etc., has changed the headers?
What are you looking for in the received chain? If you just need the malicious source addresses and message-ids, those should be in the MTA log already.
The only ways I can think of in a stock Mailman to preserve the original message are (1) emergency moderation, which should catch the mail before anything is done to it, and (2) reverting the anonymous configuration to default. In case (1) you can see the headers of held messages in Postorius, or with the "mailman qfile" subcommand. The held message remains in the "in" queue until its disposition is decided, I think. If you don't find it there, look around the queues (not bad or shunt, those have a different purpose) for messages that have been there for a while. In case (2), end recipients should get the whole received chain with the original from header.
The less disruptive way to do it involves configuring the MTA to both log the whole message to a file and send it to Mailman. To say more we'd need to know about your MTA.
--
GNU Mailman consultant (installation, migration, customization)
Sirius Open Source https://www.siriusopensource.com/
Software systems consulting in Europe, North America, and Japan
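Stephen's point that the source address and Message-ID are already in the MTA log, as an added example that is not part of the thread: Peter's Received: headers show Exim, so this Python reads Exim mainlog arrival lines ("<="), pulls out the envelope sender, the connecting host and IP (H=) and the Message-ID (id=), and looks up which inbound connection delivered a given Message-ID. The log lines, hosts, addresses and queue IDs are constructed for the example. Mailman's outbound copy keeps the Message-ID but arrives as a local submission with no H= field, so the lookup prefers the entry that has one.

```python
"""Find where a list post came from using the Exim main log rather than the
rewritten headers of the list copy. Arrival lines ("<=") record the envelope
sender, the connecting host/IP (H=) and the Message-ID (id=)."""
import re

# Constructed Exim mainlog excerpt (hosts, addresses and queue IDs made up).
# Line 2 is spam arriving from Gmail; line 3 is its delivery to the list;
# line 4 is Mailman re-injecting the same message for the members, keeping
# the Message-ID but arriving locally; line 5 is a HyperKitty web post,
# which reaches Exim from 127.0.0.1 on the Mailman host itself.
LOG_LINES = [
    "2026-01-05 20:32:45 1vcgxA-000000015I8-1oLW <= member@example.org H=mx.example.org [192.0.2.10] P=esmtps X=TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256 CV=no S=2345 id=87a5km@example.org",
    "2026-01-05 20:41:03 1vchEv-00000001Ab2-3xQ7 <= spammer@gmail.com H=mail-lj1-x22a.google.com [2a00:1450:4864:20::22a] P=esmtps X=TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256 CV=no S=4102 id=CAE-constructed@mail.gmail.com",
    "2026-01-05 20:41:04 1vchEv-00000001Ab2-3xQ7 => users <users@lists.example> R=mailman_router T=mailman_transport",
    "2026-01-05 20:41:05 1vchEw-00000001Ab9-0Kq1 <= users-bounces@lists.example U=mailman P=local S=4420 id=CAE-constructed@mail.gmail.com",
    "2026-01-05 20:45:10 1vchIy-00000001B0c-1Zz2 <= spammer2@gmail.com H=localhost (lists.example) [127.0.0.1] P=esmtp S=1202 id=20260105094510.1234@lists.example",
]

# "<timestamp> <queue id> <= <sender> [H=<host> [<ip>]] <remaining key=value fields>"
_ARRIVAL = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<exim_id>\S+) <= (?P<sender>\S+) "
    r"(?:H=(?P<host>[^\[]+?) ?\[(?P<ip>[^\]]+)\] )?"
    r"(?P<rest>.*)$"
)
_MSGID = re.compile(r"(?:^| )id=(\S+)")


def parse_arrivals(lines):
    """Parse '<=' lines into dicts; delivery ('=>') and other lines are skipped."""
    out = []
    for line in lines:
        m = _ARRIVAL.match(line)
        if not m:
            continue
        rest = m.group("rest")
        idm = _MSGID.search(rest)
        out.append({
            "time": m.group("ts"),
            "exim_id": m.group("exim_id"),
            "sender": m.group("sender"),
            "host": (m.group("host") or "").strip(),
            "ip": m.group("ip") or "",
            "message_id": idm.group(1) if idm else "",
            # P=local marks a submission from a process on this host (e.g. Mailman)
            "local_submission": "P=local" in rest.split(),
        })
    return out


def find_source(lines, message_id):
    """Arrival record for message_id, preferring the copy that came in over
    the network (has H=) over Mailman's own re-injection of the same ID."""
    wanted = message_id.strip().strip("<>")
    matches = [a for a in parse_arrivals(lines) if a["message_id"] == wanted]
    matches.sort(key=lambda a: a["ip"] == "")  # network arrivals first
    return matches[0] if matches else None


def is_on_host_submission(arrival):
    """True when the connection came from the Mailman host itself, e.g. a
    HyperKitty web post: the log cannot name an upstream MTA for it."""
    return arrival["local_submission"] or arrival["ip"] in ("127.0.0.1", "::1")


def arrivals_from_domain(lines, domain):
    """All network arrivals whose envelope sender is at the given domain."""
    suffix = "@" + domain.lower()
    return [a for a in parse_arrivals(lines)
            if a["sender"].lower().endswith(suffix) and a["ip"]]


if __name__ == "__main__":
    print(find_source(LOG_LINES, "<CAE-constructed@mail.gmail.com>"))
    for a in arrivals_from_domain(LOG_LINES, "gmail.com"):
        print(a["time"], a["sender"], a["ip"], "on-host" if is_on_host_submission(a) else "remote")
```

On a live system, replace LOG_LINES with the lines of /var/log/exim4/mainlog (or wherever the Exim log lives) and pass the Message-ID from the list copy to find_source(); the exim_id it returns is the key for the rest of that message's log lines, and the host/IP pair is what an abuse report needs.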
participants (3)
- Mark Sapiro
- Peter Chubb
- Stephen J. Turnbull