
Sender email spoofing
Open, High, Public

Description

Emails were sent to a bunch of Wikimedia mailing lists specifying a forged sender address, which were accepted for delivery by the mailing list software despite the IP sending the email not being able to pass an SPF check if such a check were made.

Example:

Received: by 10.25.242.8 with SMTP id q8csp729203lfh;
    Mon, 27 Mar 2017 12:52:57 -0700 (PDT)
X-Received: by 10.55.51.3 with SMTP id z3mr15510936qkz.260.1490644377570;
    Mon, 27 Mar 2017 12:52:57 -0700 (PDT)
Return-Path: <wikiquote-l-bounces@lists.wikimedia.org>
Received: from lists.wikimedia.org (lists.wikimedia.org. [208.80.154.75])
    by mx.google.com with ESMTPS id u67si1450024qkh.159.2017.03.27.12.52.57
    (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
    Mon, 27 Mar 2017 12:52:57 -0700 (PDT)
Received-SPF: pass (google.com: domain of wikiquote-l-bounces@lists.wikimedia.org designates 208.80.154.75 as permitted sender) client-ip=208.80.154.75;
Authentication-Results: mx.google.com;
    dkim=pass header.i=@lists.wikimedia.org;
    spf=pass (google.com: domain of wikiquote-l-bounces@lists.wikimedia.org designates 208.80.154.75 as permitted sender) smtp.mailfrom=wikiquote-l-bounces@lists.wikimedia.org
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.wikimedia.org; s=wikimedia;
    h=Sender:Content-Type:Reply-To:List-Subscribe:List-Help:List-Post:List-Archive:List-Unsubscribe:List-Id:Subject:MIME-Version:Message-ID:Date:To:From; bh=kEHOha/Scy56S/LbJV1s66vl+L3OyHpJBRCB8sEBDp0=;
    b=bHrOMD9lDIEwwXAD9eeBiE6Pa19mqjh1K+I/XTPt1TCrromq0Xpzvmc8SwBdhyDDIzNq+smvbqf1zKN0/bQMJcKkBdD0W9VD7ZcLtBl3qI9cjqS1fiExqnp5eP1v8yplv+p0hMgbw3ALWEd3OsDaQhxFwDHmO7en42uh3SxRlX0=;
Received: from localhost ([::1]:54758 helo=fermium.wikimedia.org)
    by fermium.wikimedia.org with esmtp (Exim 4.84_2)
    (envelope-from <wikiquote-l-bounces@lists.wikimedia.org>)
    id 1csahD-00023D-Fa; Mon, 27 Mar 2017 19:52:55 +0000
Received: from [221.199.61.194] (port=28951 helo=fpwm.yandex.ru)
    by fermium.wikimedia.org with esmtp (Exim 4.84_2)
    (envelope-from <ktc@ktchan.info>)
    id 1csah8-0001xj-4V; Mon, 27 Mar 2017 19:52:51 +0000
From: "Katie Chan" <ktc@ktchan.info>
To: "Wikimedia GLAM collaboration Public" <glam@lists.wikimedia.org>,
    "wikisource-l" <wikisource-l@lists.wikimedia.org>, "wikiquote-l"
    <wikiquote-l@lists.wikimedia.org>
Date: Mon, 27 Mar 2017 14:51:16 -0500
Message-ID: <1668507701.20170327225116@ktchan.info>
Content-Language: en-gb
MIME-Version: 1.0
Subject: [Wikiquote-l] =?utf-8?q?crazy_stuff?=
X-BeenThere: wikiquote-l@lists.wikimedia.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: Mailing list for the Wikiquote projects
    <wikiquote-l.lists.wikimedia.org>
List-Unsubscribe: <https://lists.wikimedia.org/mailman/options/wikiquote-l>,
    <mailto:wikiquote-l-request@lists.wikimedia.org?subject=unsubscribe>
List-Archive: <https://lists.wikimedia.org/pipermail/wikiquote-l/>
List-Post: <mailto:wikiquote-l@lists.wikimedia.org>
List-Help: <mailto:wikiquote-l-request@lists.wikimedia.org?subject=help>
List-Subscribe: <https://lists.wikimedia.org/mailman/listinfo/wikiquote-l>,
    <mailto:wikiquote-l-request@lists.wikimedia.org?subject=subscribe>
Reply-To: Mailing list for the Wikiquote projects
    <wikiquote-l@lists.wikimedia.org>
Content-Type: multipart/mixed; boundary="===============4274199592207540311=="
Errors-To: wikiquote-l-bounces@lists.wikimedia.org
Sender: "Wikiquote-l" <wikiquote-l-bounces@lists.wikimedia.org>
X-Spam-Score: 10.2 (++++++++++)
X-Spam-Report: Spam detection software, running on the system "fermium.wikimedia.org",
    has identified this incoming email as possible spam. The original
    message has been attached to this so you can view it or label
    similar future email. If you have any questions, see
    the administrator of that system for details.

    Content preview: Hello friend, I've been looking for something interesting
    and have come across that crazy stuff, just take a look http://hncg.com.cn/quarter.php?1312
    See you soon, Katie Chan [...]

    Content analysis details: (10.2 points, 4.0 required)

     pts rule name              description
    ---- ---------------------- --------------------------------------------------
     1.3 URIBL_CR_SURBL         Contains an URL listed in the CR SURBL blocklist
                                [URIs: hncg.com.cn]
     1.7 URIBL_BLACK            Contains an URL listed in the URIBL blacklist
                                [URIs: hncg.com.cn]
     3.6 RCVD_IN_PBL            RBL: Received via a relay in Spamhaus PBL
                                [221.199.61.194 listed in zen.spamhaus.org]
     0.7 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL
     1.6 RCVD_IN_BRBL_LASTEXT   RBL: No description available.
                                [221.199.61.194 listed in bb.barracudacentral.org]
     0.0 HTML_MESSAGE           BODY: HTML included in message
     1.3 RDNS_NONE              Delivered to internal network by a host with no rDNS

Does the server or mailman do any sort of sender authentication before sending on emails using schemes such as SPF, DKIM, or DMARC as & if appropriate?

Event Timeline

KTC created this task. · Mar 15 2017, 3:00 PM
Restricted Application added a subscriber: Aklapper. · Mar 15 2017, 3:00 PM

Hi @KTC, thanks for taking the time to report this!

See T66818: Mitigate strict DMARC policy on the mailing lists basically (which is resolved). :)

If there are specific issues to investigate, more information is welcome (potentially after turning this task into a restricted security task).

KTC added a comment. · Mar 27 2017, 9:29 PM

According to the message headers, fermium.wikimedia.org received a message from 154.73.18.196 at 09:53:16 UTC 15 March 2017 for delivery to a long list of Wikimedia mailing lists specifying "Wikimedia-l" <ktc AT ktchan.info> as the sender email address.

Received: from localhost ([::1]:51778 helo=fermium.wikimedia.org)
    by fermium.wikimedia.org with esmtp (Exim 4.84_2)
    (envelope-from <wikimedia-l-bounces@lists.wikimedia.org>)
    id 1co5cN-0007Sj-Gn; Wed, 15 Mar 2017 09:53:19 +0000
Received: from [154.73.18.196] (port=35800 helo=niitd.pisem.net)
    by fermium.wikimedia.org with esmtp (Exim 4.84_2)
    (envelope-from <ktc@ktchan.info>)
    id 1co5cJ-0007Ld-3r; Wed, 15 Mar 2017 09:53:16 +0000
From: "Wikimedia-l" <ktc@ktchan.info>

The message was accepted for delivery to at least Wikimedia-l, Wikisource-l, Gendergap, and WikimediaUK-l. It was held for moderation on at least 8 others for the reason "Message has implicit destination".

ktchan.info specifies an SPF record of:

v=spf1 +a +mx +ip4:87.76.28.86 -all

It happened again today, with the target GLAM, Wikisource-l, and Wikiquote-l, plus at least 6 others implicitly.

Received: from localhost ([::1]:54738 helo=fermium.wikimedia.org)
    by fermium.wikimedia.org with esmtp (Exim 4.84_2)
    (envelope-from <glam-bounces@lists.wikimedia.org>)
    id 1csahB-00022u-Tm; Mon, 27 Mar 2017 19:52:54 +0000
Received: from [221.199.61.194] (port=28951 helo=fpwm.yandex.ru)
    by fermium.wikimedia.org with esmtp (Exim 4.84_2)
    (envelope-from <ktc@ktchan.info>)
    id 1csah8-0001xj-4V; Mon, 27 Mar 2017 19:52:51 +0000

Is there anything that could be done from WM's server end to stop this? I'll also accept suggestions for what I can do on my end.

Thanks
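What an SPF check at SMTP time would have returned for the two external hops quoted above, as an added example (not code from this task or from Wikimedia's Exim configuration). The `RESOLVED` table is an assumption standing in for the DNS lookups behind the `a` and `mx` mechanisms, and all function names are hypothetical.

```python
import ipaddress
import re

# Trace lines copied from the headers posted in this task (folded lines joined).
RECEIVED = [
    "from localhost ([::1]:54738 helo=fermium.wikimedia.org) by fermium.wikimedia.org "
    "with esmtp (Exim 4.84_2) (envelope-from <glam-bounces@lists.wikimedia.org>) "
    "id 1csahB-00022u-Tm; Mon, 27 Mar 2017 19:52:54 +0000",
    "from [221.199.61.194] (port=28951 helo=fpwm.yandex.ru) by fermium.wikimedia.org "
    "with esmtp (Exim 4.84_2) (envelope-from <ktc@ktchan.info>) "
    "id 1csah8-0001xj-4V; Mon, 27 Mar 2017 19:52:51 +0000",
    "from [154.73.18.196] (port=35800 helo=niitd.pisem.net) by fermium.wikimedia.org "
    "with esmtp (Exim 4.84_2) (envelope-from <ktc@ktchan.info>) "
    "id 1co5cJ-0007Ld-3r; Wed, 15 Mar 2017 09:53:16 +0000",
]
SPF_RECORD = "v=spf1 +a +mx +ip4:87.76.28.86 -all"  # as quoted in the task
# ASSUMPTION: the domain's A and MX hosts resolve to the listed ip4 address.
# A real checker resolves these through DNS while the SMTP session is open.
RESOLVED = {"a": ["87.76.28.86"], "mx": ["87.76.28.86"]}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
HOP_RE = re.compile(r"from (?:\S+ \()?\[([0-9A-Fa-f:.]+)\]")
ENV_RE = re.compile(r"\(envelope-from <([^>]*)>\)")


def parse_hop(received):
    """Return (client_ip, envelope_from) from one Exim Received value."""
    hop, env = HOP_RE.search(received), ENV_RE.search(received)
    if not hop or not env:
        raise ValueError("unrecognised Received format")
    return ipaddress.ip_address(hop.group(1)), env.group(1).lower()


def spf_result(record, client_ip, resolved):
    """Evaluate the a, mx, ip4, ip6 and all mechanisms, left to right."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        name, _, arg = term.lstrip("+-~?").partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            networks = [arg]
        elif name in ("a", "mx") and not arg:
            networks = resolved.get(name, [])
        else:
            # include, exists, redirect and macros are outside this example
            raise ValueError("mechanism not handled: " + term)
        if any(client_ip in ipaddress.ip_network(n, strict=False) for n in networks):
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and the record has no "all"


def audit(received_lines, domain, record, resolved):
    """SPF verdict for each non-loopback hop whose envelope sender uses `domain`."""
    verdicts = []
    for line in received_lines:
        ip, sender = parse_hop(line)
        if ip.is_loopback or not sender.endswith("@" + domain):
            continue
        verdicts.append((str(ip), sender, spf_result(record, ip, resolved)))
    return verdicts


if __name__ == "__main__":
    for verdict in audit(RECEIVED, "ktchan.info", SPF_RECORD, RESOLVED):
        print(verdict)
```

Both external hops evaluate to `fail` because the record ends in `-all`, which is the verdict a receiving MTA can act on before the message reaches the list software.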

Nemo_bis updated the task description. · Apr 5 2017, 9:36 AM
grin added a subscriber: grin. · Apr 6 2017, 8:57 PM

Am I right to guess that we don't do (strict or else) SPF checking while we definitely should? Exim can handle SPF just fine alone, as well as spamassassin.
It's also a bit weird that we let an email go with the flow with 10+ spam points, but maybe there are hist[oe]rical reasons...

grin added a comment. · Apr 6 2017, 9:00 PM

> I'll also accept suggestions for what I can do on my end.

Dropping/autorejecting email with matching header
X-Spam-Score: .+\+\+\+\+\+
(which is above spam score 5.00) probably helps a lot.

KTC added a comment. · Apr 7 2017, 12:22 AM

> Dropping/autorejecting email with matching header
> X-Spam-Score: .+\+\+\+\+\+
> (which is above spam score 5.00) probably helps a lot.

That's not something someone in my position can do since the email never goes through the legitimate (i.e. SPF authorised) server. It goes straight to WMF's server who send it out to list members. AFAIK, from the list members email server point of view, any SPF check will pass since it's checking WMF's mailman server.

> AFAIK, from the list members email server point of view, any SPF check will pass since it's checking WMF's mailman server.

Indeed, see example (from a gmail recipient address):

Received-SPF: pass (google.com: domain of wikiquote-l-bounces@lists.wikimedia.org designates 208.80.154.75 as permitted sender) client-ip=208.80.154.75;

Do we need to install spf-tools-perl and set CHECK_RCPT_SPF=true in https://phabricator.wikimedia.org/diffusion/OPUP/browse/production/modules/role/templates/exim/exim4.conf.mx.erb ?
https://wiki.debian.org/Exim#SPF_filtering

grin added a comment. · Apr 7 2017, 8:02 PM

> > Dropping/autorejecting email with matching header
> > X-Spam-Score: .+\+\+\+\+\+
> > (which is above spam score 5.00) probably helps a lot.

> That's not something someone in my position can do since the email never goes through the legitimate (i.e. SPF authorised) server. It goes straight to WMF's server who send it out to list members. AFAIK, from the list members email server point of view, any SPF check will pass since it's checking WMF's mailman server.

Mailman can filter on headers and act (hold, reject) on it.

grin added a comment. · Apr 7 2017, 8:09 PM

> > AFAIK, from the list members email server point of view, any SPF check will pass since it's checking WMF's mailman server.

> Indeed, see example (from a gmail recipient address):

> Received-SPF: pass (google.com: domain of wikiquote-l-bounces@lists.wikimedia.org designates 208.80.154.75 as permitted sender) client-ip=208.80.154.75;

> Do we need to install spf-tools-perl and set CHECK_RCPT_SPF=true in https://phabricator.wikimedia.org/diffusion/OPUP/browse/production/modules/role/templates/exim/exim4.conf.mx.erb ?
> https://wiki.debian.org/Exim#SPF_filtering

It depends on the versions of the components and also on the load of the servers. The layman's SPF check forks an external program and for a really busy server you may not want to do it and may choose spamassassin to handle it since it can be on a (or indeed many) remote server. I fabricate mailservers for a living so I may be a useful (though a bit low availability) resource to use. (Admittedly I am lazy to even check where the mail architecture is described, but if anyone points me to the specific info I'd read it and offer my opinions. I'm using multiple SA with redis and postgres backends, multiple clamav backends and exim with various levels of rate limits and rejections in SMTP time.)

We should definitely reject emails failing SPF. Much less forward that to mailing lists
(forwarding to list owners might be acceptable, although I wouldn't recommend that, as 99.999% will be spam).

T160529 + T133191 would probably solve T127247, once deployed on all mail exchanges.

grin added a comment. · Apr 8 2017, 9:51 PM

@Nemo_bis uh, these servers are basically idle. Any SPF checking may be okay, fork or otherwise.

Thanks for the links, I'll take to browse them. (I am not a puppet guy so that takes a bit longer, but its syntax seems plain enough.)
Some brief observations:

  • demime=* has been obsoleted for a while, depends on exim version
  • SARE (for spamassassin) has been (though unofficially) deprecated in 2009 and, quote: "The SARE rules are broken to the point of being harmful. Do not use them." Unfortunately I cannot offer a good alternative, but considering the wiki mentioned design principle "better let spam through than break things" it probably oughtn't be used anymore. Disclaimer: This advice is not always followed by myself, depends on how anal I want the spam filtering to be.
  • possibly all the TLS stuff has or will be replaced by letsencrypt and the wiki could be updated

@Platonides unfortunately you have referenced restricted tasks so I cannot even see what their topic is. I possibly don't need to know it, so it's just a sidenote. ;-)

fgiunchedi triaged this task as Normal priority. · Apr 12 2017, 7:59 AM
Tgr added a subscriber: Tgr.

This seems like a pretty dangerous spear phishing vector when used by a skilled attacker.

jayvdb added a subscriber: jayvdb. · Apr 24 2017, 3:29 AM
Jay8g added a subscriber: Jay8g. · Apr 24 2017, 5:29 AM
KTC raised the priority of this task from Normal to High. · Apr 26 2017, 11:08 AM

And x2 again today. This is getting ridiculous.

KTC added a subscriber: Fae. · Apr 26 2017, 11:52 AM
revi added a subscriber: revi. · Apr 26 2017, 12:26 PM
Liuxinyu970226 added a comment. · Edited · Apr 26 2017, 12:50 PM

> And x2 again today. This is getting ridiculous.

Hello @KTC, as setting priorities should always reflect reality, not just cause it, would you please explain why you believe that someone is working on this task soon?

Fae awarded a token. · Apr 26 2017, 1:39 PM
Fae added a comment. · Apr 26 2017, 1:43 PM

I have no idea if the same person is behind this, or it's just a bit of haphazard pointy trolling, but this seems far too easy to disrupt email lists with cross-posted spam:
https://lists.wikimedia.org/pipermail/gendergap/2017-April/006589.html
Example from today, directed at me.

Jgreen added a subscriber: Jgreen. · Apr 26 2017, 4:15 PM

> Mailman can filter on headers and act (hold, reject) on it.

There's an explanation of how to do this per-list here: https://wikitech.wikimedia.org/wiki/Mailman#Spam_scores -- and a discussion of why we haven't done this globally here: T58525

As a bit of a temporary solution, I've added a hold rule on wikimedia-l for X-Spam-Score:[^+]*[+]{4,}. cc other list admins @Austin, @Ijon , @Esh77 . We may need to increase that 4 to a higher number if the false positives are too high, or abandon hope if false positives are still too high when we reach 10.

jayvdb added a comment. · May 3 2017, 5:49 AM

Ugh, the problem is not false positives, but that rule is increasing the amount of spam seen by list moderators. Presumably, somewhere, previously spam was getting discarded. Now it is getting held.
Since activating the rule 3 hours ago, 5 spam messages have been sent to the moderation queue. These are of a type that we never normally need to see (e.g. three from %@%.date and one from %@%.review, two domains I've just now learnt existed, and immediately wish didn't exist).

revi added a comment. · May 3 2017, 6:11 AM

From my experience combating spam on wikinews-l, I believe those with spam score +4 or above are usually safe to discard. (List is otherwise low traffic, so I can't guarantee about low false positives.)

Spam filtering based on X-Spam-Score is best discussed on T161082 IMHO (we need a global solution).

Another example (this one is probably a compromised mailbox contact list, rather than archive scraping): P5430

jayvdb added a comment. · Edited · May 13 2017, 6:03 AM

Another one occurred just now on wikimania-l, gendergap and wikiquote-l, again targeting Katie ;-(

The rules I am using on wikimedia-l to prevent this are causing a lot of work for the list admins. Please can we get a proper solution soon.

Az1568 added a subscriber: Az1568. · May 14 2017, 2:55 AM
NickK added a subscriber: NickK. · May 22 2017, 10:00 AM

This happened again today, this time targeting checkuser-l and another user (will not disclose username here but one thing in common is that this user also uses mail on their own server). It is somewhat disturbing to receive spam on a non-public mailing list.

> This happened again today, this time targeting checkuser-l and another user (will not disclose username here but one thing in common is that this user also uses mail on their own server). It is somewhat disturbing to receive spam on a non-public mailing list.

And also on stewards-l, same user, different content. I support the opinion of NickK. It is important that this is resolved soon...

> Please can we get a proper solution soon.

Would that be T160529#3164928 or what would be "a proper solution"? (Trying to clarify)

herron added a subscriber: herron. · Jun 6 2017, 8:37 PM
herron claimed this task. · Jun 6 2017, 8:57 PM
herron moved this task from Backlog to In Progress on the Mail board. · Jun 7 2017, 2:42 PM
-jem- added a subscriber: -jem-. · Jun 20 2017, 10:17 PM
Racso added a subscriber: Racso. · Jun 21 2017, 1:17 AM
Racso added a comment. · Jun 21 2017, 1:32 AM

Hello there. Today, I found that some e-mails that arrived at the wikimedia-co list may be related to this issue. All of them come from the -owner addresses of other Wikimedia lists, and some of them even imply that other lists have received messages from the wikimedia-co list itself.

A couple examples:

> Received: from localhost ([::1]:37766 helo=fermium.wikimedia.org)
> 	by fermium.wikimedia.org with esmtp (Exim 4.84_2)
> 	(envelope-from <wikimedia-l-bounces@lists.wikimedia.org>)
> 	id 1dN86L-000752-56
> 	for wikimedia-co@lists.wikimedia.org; Tue, 20 Jun 2017 01:37:05 +0000
> Subject: =?utf-8?q?=5BWe=5D_NF-e_LQNIH793052_=28Evelyn_e_Financeiro_E_R_L?=
>  =?utf-8?q?tda=29?=
> From: wikimedia-l-owner@lists.wikimedia.org
> To: wikimedia-co@lists.wikimedia.org
> MIME-Version: 1.0
> Content-Type: multipart/mixed; boundary="===============5680826425501144704=="
> Message-ID: <mailman.1312088.1497922620.30487.wikimedia-l@lists.wikimedia.org>
> Date: Tue, 20 Jun 2017 01:37:00 +0000
> Precedence: bulk
> X-BeenThere: wikimedia-l@lists.wikimedia.org
> X-Mailman-Version: 2.1.18
> List-Id: Wikimedia Mailing List <wikimedia-l.lists.wikimedia.org>
> X-List-Administrivia: yes
> Errors-To: wikimedia-l-bounces@lists.wikimedia.org
> Sender: "Wikimedia-l" <wikimedia-l-bounces@lists.wikimedia.org>

That spam apparently comes from the wikimedia-l list. On the other hand, check this one out:

Received: from localhost ([::1]:38396 helo=fermium.wikimedia.org)
	by fermium.wikimedia.org with esmtp (Exim 4.84_2)
	(envelope-from <wikimedia-gh-bounces@lists.wikimedia.org>)
	id 1dN8JU-0001Fh-0F
	for wikimedia-co@lists.wikimedia.org; Tue, 20 Jun 2017 01:50:40 +0000
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
Subject: =?utf-8?q?Your_message_to_Wikimedia-GH_awaits_moderator_approval?=
From: wikimedia-gh-owner@lists.wikimedia.org
To: wikimedia-co@lists.wikimedia.org
Message-ID: <mailman.1312146.1497923438.30487.wikimedia-gh@lists.wikimedia.org>
Date: Tue, 20 Jun 2017 01:50:38 +0000
Precedence: bulk
X-BeenThere: wikimedia-gh@lists.wikimedia.org
X-Mailman-Version: 2.1.18
List-Id: Wikimedia Ghana User Group <wikimedia-gh.lists.wikimedia.org>
X-List-Administrivia: yes
Errors-To: wikimedia-gh-bounces@lists.wikimedia.org
Sender: "Wikimedia-GH" <wikimedia-gh-bounces@lists.wikimedia.org

This one's content is:

Your mail to 'Wikimedia-GH' with the subject

    [We] NF-e LQNIH793052 (Evelyn e Financeiro E R Ltda)

Is being held until the list moderator can review it for approval. The reason it is being held: Post by non-member to a members-only list

This implies that the wikimedia-gh list received this spam from the wikimedia-co list.

So I guess someone is sending spam subject lines to wikimedia-gh, with a forged from address of wikimedia-co@lists.wikimedia.org, in order for the mailing list software to resend the spam in the form of a pending moderation message. That's a really cute trick.

herron added a subtask: Restricted Task. · Jul 6 2017, 6:48 PM

@Pine: Please provide the message headers of one of these messages - unfortunately the archive at https://lists.wikimedia.org/pipermail/education/2018-September.txt.gz does not include them.

Pine added a comment. · Edited · Sep 26 2018, 3:29 AM

For this email:

Received: from localhost ([::1]:54186 helo=fermium.wikimedia.org) by fermium.wikimedia.org with esmtp (Exim 4.84_2) (envelope-from <education-bounces@lists.wikimedia.org>) id 1g2USD-0001ZW-Gh; Wed, 19 Sep 2018 04:51:11 +0000
Received: from o1.2e.shared.sendgrid.net ([167.89.100.140]:22977) by fermium.wikimedia.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.84_2) (envelope-from <bounces+1797473-a07b-education=lists.wikimedia.org@em5263.binstala.com.mx>) id 1g2US8-0001Z1-L8 for education@lists.wikimedia.org; Wed, 19 Sep 2018 04:51:07 +0000
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed;
  d=binstala.com.mx; h=from:to:subject:mime-version:content-type;
  s=s1; bh=srF3XPZTs+4d/OD/F0UujpqQv04=; b=dECVVEpETIh/jlgWv0dYuPI 2mg+61fHaWFJmQsL4WvyI8s5susXQVBsT9TIE+AgfqsbU72rWca3U7Yc/IElnsXI QdyZZm+1R/xf14h4VDo2Jb/PZSrUM0oRCRnLllwfFu8xOcsXMDgB1pchyc/ciyR2 Vvd37FumFKsa0SbBeg0w=
Received: by filter0064p3las1.sendgrid.net with SMTP id filter0064p3las1-28761-5BA1D5B6-11 2018-09-19 04:51:02.439527314 +0000 UTC m=+76873.541454894
Received: from 10.4.5.65 (host-181-199-31-74.ecua.net.ec [181.199.31.74]) by ismtpd0027p1mdw1.sendgrid.net (SG) with ESMTP id 0UqQvUbASpiPai96B5-i2A for <education@lists.wikimedia.org>; Wed, 19 Sep 2018 04:51:01.864 +0000 (UTC)
Date: Wed, 19 Sep 2018 04:51:03 +0000 (UTC)
From: "MCANDREW Ewan <Ewan.McAndrew@ed.ac.uk>" <karla.carrillo@binstala.com.mx>
To: education@lists.wikimedia.org
Message-ID: <3685427063847420425.A043CF8458F335FF@lists.wikimedia.org>
MIME-Version: 1.0
X-SG-EID: g+GBLqw9MVVW4y5eJAYzxGVPCdgepljsk/nQuhGVG1fXk1kiDqdbhJ4SGG6at9ydsw6zzC4rFZlUSG vryQhN7y7UlC6Ey81fRkhVqHHRriqXwudHLrDwD/hYIDEqK/rydahm/50RmNPxNWxHoxUMCuEWi+qr bJNfkG4Kw25/n/bk4qjLkiFv0TOtf1GtVMLpI4WefNcI9XQX2QO8ZeSToSx7V4F4y1cftj0MsQuW0h kG7eAFsynd7nJK+hcHkjaLprLDTGD7gX91OTIslNyP2KSSH6sV1BmTkO8sOgmEckI=
X-Content-Filtered-By: Mailman/MimeDel 2.1.18
Subject: [Wikimedia Education] MCANDREW Ewan Invoice # 7646592
X-BeenThere: education@lists.wikimedia.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: Wikimedia Education <education.lists.wikimedia.org>
List-Unsubscribe: <https://lists.wikimedia.org/mailman/options/education>, <mailto:education-request@lists.wikimedia.org?subject=unsubscribe>
List-Archive: <https://lists.wikimedia.org/pipermail/education/>
List-Post: <mailto:education@lists.wikimedia.org>
List-Help: <mailto:education-request@lists.wikimedia.org?subject=help>
List-Subscribe: <https://lists.wikimedia.org/mailman/listinfo/education>, <mailto:education-request@lists.wikimedia.org?subject=subscribe>
Reply-To: Wikimedia Education <education@lists.wikimedia.org>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
Errors-To: education-bounces@lists.wikimedia.org
Sender: Education <education-bounces@lists.wikimedia.org>

For this email:

Received: from localhost ([::1]:46934 helo=fermium.wikimedia.org) by fermium.wikimedia.org with esmtp (Exim 4.84_2) (envelope-from <education-bounces@lists.wikimedia.org>) id 1fzd7H-00040I-DD; Tue, 11 Sep 2018 07:29:43 +0000
Received: from lex.balt.net ([217.117.28.48]:53332 helo=pastas.balt.net) by fermium.wikimedia.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.84_2) (envelope-from <info@litwestlumber.com>) id 1fzd7C-0003zv-Il for education@lists.wikimedia.org; Tue, 11 Sep 2018 07:29:40 +0000
Received: from 10.4.30.7 (unknown [177.226.252.139]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) (Authenticated sender: info@litwestlumber.com) by pastas.balt.net (Postfix) with ESMTPSA id 94CAC1EAFD for <education@lists.wikimedia.org>; Tue, 11 Sep 2018 10:29:33 +0300 (EEST)
Date: Tue, 11 Sep 2018 02:29:39 -0600
From: "MCANDREW Ewan <Ewan.McAndrew@ed.ac.uk>" <info@litwestlumber.com>
To: education@lists.wikimedia.org
Message-ID: <17689245402176419449.87FE76AAE23A1A47@lists.wikimedia.org>
MIME-Version: 1.0
X-Virus-Scanned: clamav-milter 0.99.4 at neptunas3.balt.net
X-Virus-Status: Clean
X-Content-Filtered-By: Mailman/MimeDel 2.1.18
Subject: [Wikimedia Education] MCANDREW Ewan Merchandise: receipt #6899
X-BeenThere: education@lists.wikimedia.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: Wikimedia Education <education.lists.wikimedia.org>
List-Unsubscribe: <https://lists.wikimedia.org/mailman/options/education>, <mailto:education-request@lists.wikimedia.org?subject=unsubscribe>
List-Archive: <https://lists.wikimedia.org/pipermail/education/>
List-Post: <mailto:education@lists.wikimedia.org>
List-Help: <mailto:education-request@lists.wikimedia.org?subject=help>
List-Subscribe: <https://lists.wikimedia.org/mailman/listinfo/education>, <mailto:education-request@lists.wikimedia.org?subject=subscribe>
Reply-To: Wikimedia Education <education@lists.wikimedia.org>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
Errors-To: education-bounces@lists.wikimedia.org
Sender: Education <education-bounces@lists.wikimedia.org>

Huh.

So the from headers aren't being spoofed. Only the human readable name is misleading.

So if this is a list that only allows posting by members, and info@litwestlumber.com / karla.carrillo@binstala.com.mx are not members, then this would indicate some sort of bug in mailman I guess?

I guess the first question would be, are info@litwestlumber.com & karla.carrillo@binstala.com.mx listed as members of the education list?

Tgr added a comment. · Sep 26 2018, 4:31 PM

Based on mailman-users posts like this and this, mailman accepts an email if any of the addresses returned by get_senders() matches the membership list. That includes (by default, configurable via SENDER_HEADERS) the From header, the SMTP envelope sender, the Reply-To: header and the Sender: header. Is it possible that the email contained a whitelisted Reply-To: or Sender: address (which would not be visible by list members since mailman replaces those with its own address)?
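One way a list admin could answer that question for a held or accepted post, as an added example that is not Mailman's code and not part of the original comment: report which sender source matched the membership list, and flag a From display name that embeds a different address. The function names are hypothetical, and the Reply-To value and member address in the sample are constructed; only the From header and envelope sender come from the headers posted above.

```python
import email
import re
from email.utils import getaddresses, parseaddr

# Constructed sample: From and envelope sender are from the headers posted in
# this task; the Reply-To value and the member address are invented.
RAW = (
    'From: "MCANDREW Ewan <Ewan.McAndrew@ed.ac.uk>" <info@litwestlumber.com>\n'
    "To: education@lists.wikimedia.org\n"
    "Reply-To: list-member@example.org\n"
    "Subject: MCANDREW Ewan Merchandise: receipt #6899\n"
    "\n"
    "body\n"
)
ENVELOPE_FROM = "info@litwestlumber.com"
MEMBERS = {"list-member@example.org"}  # constructed membership list

# Sources in the order the comment above lists them, and a stricter policy.
ANY_HEADER = ("from", "envelope", "reply-to", "sender")
FROM_ONLY = ("from",)

ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def sender_candidates(msg, envelope_from, sources):
    """Yield (source, address) for each address a membership test could consider."""
    for name in sources:
        if name == "envelope":
            yield "envelope", envelope_from.lower()
            continue
        for _, addr in getaddresses(msg.get_all(name, [])):
            if addr:
                yield name, addr.lower()


def matching_sources(msg, envelope_from, members, sources):
    """Return the sources whose address is on the membership list, in order."""
    members = {m.lower() for m in members}
    return [src for src, addr in sender_candidates(msg, envelope_from, sources)
            if addr in members]


def display_name_mismatch(from_value):
    """Return (shown, actual) when the display name embeds a different address."""
    display, actual = parseaddr(from_value)
    for shown in ADDR_RE.findall(display):
        if shown.lower() != actual.lower():
            return shown, actual
    return None


if __name__ == "__main__":
    msg = email.message_from_string(RAW)
    print("matched via:", matching_sources(msg, ENVELOPE_FROM, MEMBERS, ANY_HEADER))
    print("From-only policy:", matching_sources(msg, ENVELOPE_FROM, MEMBERS, FROM_ONLY))
    print("display name mismatch:", display_name_mismatch(msg["From"]))
```

The check has to run on the message as received, before the list software rewrites Reply-To and Sender, since the distributed copy no longer carries the original values.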

Pine added a comment. · Sep 27 2018, 4:31 AM

I sent an email to the Education list admins to request that they comment in this ticket in response to the questions above.