HighDots Forums - Python programming language mailing list (Mailman-Users)

Fake Email

#1
Hien HUYNH HUU
Fake Email - 10-31-2009, 12:01 AM

Dear all,
I recognize that Mailman can accept a fake sender. Example: I have a mailing list where only one email account (xyz (AT) abc (DOT) com) can send messages to all emails in the list. But if someone can send a fake "From address" of xyz (AT) abc (DOT) com, Mailman will deliver the messages to the list. This is a security problem. Can we prevent this from happening?
Best regards,
Huu Hien
------------------------------------------------------
Mailman-Users mailing list Mailman-Users (AT) python (DOT) org
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: http://mail.python.org/mailman/options/mailman-users/python%40highdots.com

#2
Stephen J. Turnbull
Fake Email - 10-31-2009, 01:28 AM

Hien HUYNH HUU writes:

Quote:
I recognize that Mailman can accept a fake sender. Example: I
have a mailing list where only one email account (xyz (AT) abc (DOT) com) can
send messages to all emails in the list. But if someone can
send a fake "From address" of xyz (AT) abc (DOT) com, Mailman will deliver
the messages to the list. This is a security problem. Can we
prevent this from happening?

Mailman is too far "downstream" to do this very effectively. It is
possible to set up Mailman so that all posts will be moderated except
those containing an "Approved: PASSWORD" header. This header is then
stripped from the distributed version. However, such passwords can be
leaked in various ways or sniffed from the mail in the transport
between the sender and Mailman. It's not terribly secure.

A better way to do this would be to set up the MTA on Mailman's host
to only deliver to the list address (ie, Mailman) if the sender has
been authenticated (eg, with TLS).
#3
Barry Warsaw
Re: Fake Email - 10-31-2009, 02:01 AM

On Oct 31, 2009, at 1:28 AM, Stephen J. Turnbull wrote:

Quote:
A better way to do this would be to set up the MTA on Mailman's host
to only deliver to the list address (ie, Mailman) if the sender has
been authenticated (eg, with TLS).

Or to use digital signatures for sender verification. This is not
something that Mailman currently supports.

-Barry


#4
Conrad Richter
Re: Fake Email - 10-31-2009, 04:32 AM

Barry Warsaw wrote:
Quote:
On Oct 31, 2009, at 1:28 AM, Stephen J. Turnbull wrote:

A better way to do this would be to set up the MTA on Mailman's host
to only deliver to the list address (ie, Mailman) if the sender has
been authenticated (eg, with TLS).

Or to use digital signatures for sender verification. This is not
something that Mailman currently supports.

-Barry

I tried posting to the list several times now without success. I hope
this one finally gets through.

Another way to deal with this is sender confirmation by email, where,
like subscriber confirmation by email, a message is sent with a
confirmation link. Mailman doesn't have this capability presently, but it
seems to me that since it already has subscriber confirmation, it should
be possible to adapt that to sender confirmation.

This sender confirmation by email feature is available in L-Soft's
LISTSERV, and it is an essential way to avoid fake email.

In a post a few years ago Barry said that this feature was going to be
in vers. 2.2, but that version never materialized. Will it be in vers. 3?

--
\/\/\/ Conrad Richter
/\/\/\ tibet (AT) richters (DOT) org

#5
Todd Zullinger
Re: Fake Email - 10-31-2009, 11:54 AM

Barry Warsaw wrote:
Quote:
On Oct 31, 2009, at 1:28 AM, Stephen J. Turnbull wrote:

A better way to do this would be to set up the MTA on Mailman's host
to only deliver to the list address (ie, Mailman) if the sender has
been authenticated (eg, with TLS).

Or to use digital signatures for sender verification. This is not
something that Mailman currently supports.

I don't know if the patches at http://non-gnu.uvt.nl/mailman-ssls/
would be helpful here or not. It's an attempt to add some OpenPGP and
S/MIME capabilities to Mailman.

--
Todd OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Ambition is a poor excuse for not having enough sense to be lazy.


#6
Hien HUYNH HUU
Re: Fake Email - 11-01-2009, 10:34 AM

Hi Stephen,
I can't do that because maybe the sender is on another MTA and the Mailman server can't force them to do an authentication.
Is this a weak point of Mailman ?
Best regards,
Huu Hien


#7
Geoff Shang
Re: Fake Email - 11-01-2009, 10:51 AM

Hi,

How would you propose such verification of the authenticity of a sender be
performed in Mailman?

It's hard enough to do anyway, but as has been pointed out, it's probably
more the function of the MTA than of Mailman. The MTA can do things like
insist on client-side certificates and other such measures which may or
may not be helpful, and would have the advantage of screening out such
emails for everyone served by the mail server, not just the mailing lists.

Geoff.

#8
Stephen J. Turnbull
Re: Fake Email - 11-01-2009, 09:06 PM

Hien HUYNH HUU writes:
Quote:
Hi Stephen,
I can't do that because maybe the sender is on another MTA and the Mailman server can't force them to do an authentication.
Is this a weak point of Mailman?

No, this is a weak point of your MTA. The MTA has all the information
needed, and in principle can force an authentication. Mailman only
knows what the MTA tells it.

Specifically, the SMTP protocol goes:

HELO # the sender MTA identifies itself
MAIL FROM # the sender MTA identifies the sender mailbox
RCPT TO # the sender MTA identifies the recipients
DATA # the sender MTA sends the message text including
# header fields
QUIT # the sender MTA hangs up, session over

Now, the receiver MTA prepends some so-called "trace header" fields,
which usually contain the HELO, MAIL FROM, and RCPT TO information in
some form, as well as timestamps and queue IDs. It may also transform
the Content-Transfer-Encoding of the body (eg, from BASE64 to 8bit or
vice versa). *Otherwise it hands Mailman exactly the same DATA that
it got.* That DATA could be the truth, it could be a lie, it could be
complete garbage. The MTA doesn't care, and Mailman has no way to
check.

It's true, as Barry says, that you could use signed messages to
authenticate, but this is not as good, for three reasons:

(1) Mailman as distributed doesn't implement this yet.
(2) 3rd party patches are available but they have not been extensively
tested. TLS facilities of MTAs are in widespread use and have
been thoroughly tested.
(3) Having Mailman do the authentication means accepting the mail at
the MTA. This opens you up to the annoyance of spam and the
danger of a denial-of-service attack (either on your bandwidth or
on your disk space).

If you really want Mailman to do the authentication, you can either
use the Approved header field, which is not very secure, or you can
use the 3rd-party patch to use public-key signatures which somebody
else mentioned. I'm pretty sure that should work OK because the
theory is straightforward, but haven't reviewed it or used it myself,
YMMV.
#9
Barry Warsaw
Re: Fake Email - 11-01-2009, 09:48 PM

On Nov 1, 2009, at 9:06 PM, Stephen J. Turnbull wrote:

Quote:
If you really want Mailman to do the authentication, you can either
use the Approved header field, which is not very secure, or you can
use the 3rd-party patch to use public-key signatures which somebody
else mentioned. I'm pretty sure that should work OK because the
theory is straightforward, but haven't reviewed it or used it myself,

In theory, it would also be possible for Mailman to trust
authentication information that the receiving MTA placed into the
headers. It's the same as having Mailman inspect spam headers that
some upstream-to-Mailman spam filter places into the message to
determine whether the message should reach the list membership.

-Barry


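Worked example of the approach Barry describes in the post above, combined with Stephen's point from the previous post that everything inside DATA is untrusted. This is an added illustration, not Mailman's code and not code posted by anyone in this thread: the list software ignores the From: header as evidence of who posted and looks only at the trace header its own MTA prepended after the SMTP session. Assumptions, none of which come from the thread: the local MTA is Postfix with hostname lists.example.com, it runs with smtpd_sasl_authenticated_header = yes so that its Received: line carries "(Authenticated sender: <login>)", and the SASL login name is the poster's address. ESMTPA and ESMTPSA are the RFC 3848 "with" keywords an MTA records when the client used SMTP AUTH (ESMTPSA: over TLS as well). The four sample messages are constructed for this example.

```python
"""Trust the MTA's own trace header, not From:, to identify a list poster.

Added example; not Mailman code. Assumed: Postfix on lists.example.com with
smtpd_sasl_authenticated_header = yes; SASL login == poster's address.
"""
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

OUR_MTA = "lists.example.com"               # assumed: host our MTA writes after "by"
ALLOWED_POSTERS = {"xyz@abc.com"}           # the one account allowed to post
AUTHENTICATED_WITH = {"ESMTPA", "ESMTPSA"}  # RFC 3848: SMTP AUTH, without / with TLS

_BY_RE = re.compile(r"\bby\s+([^\s(;]+)", re.IGNORECASE)
_WITH_RE = re.compile(r"\bwith\s+([A-Za-z0-9-]+)", re.IGNORECASE)
_LOGIN_RE = re.compile(r"\(Authenticated sender:\s*([^)\s]+)\)", re.IGNORECASE)


def first_hop(msg):
    """Parse the topmost Received: header into (by_host, with_keyword, login).

    Only the topmost header counts: our MTA prepends it after the session, so
    it is the one trace header the sender could not have written. Every
    Received: below it arrived inside DATA and may be forged.
    """
    received = msg.get_all("Received") or []
    if not received:
        return None
    text = " ".join(str(received[0]).split())  # unfold, squeeze whitespace
    by, with_ = _BY_RE.search(text), _WITH_RE.search(text)
    if not by or not with_:
        return None
    login = _LOGIN_RE.search(text)
    return (by.group(1).lower(), with_.group(1).upper(),
            login.group(1).lower() if login else None)


def decide(raw):
    """Return 'accept' when the poster is proven, else 'hold' for moderation."""
    msg = message_from_string(raw, policy=default)
    hop = first_hop(msg)
    if hop is None:
        return "hold"                # no usable trace header: origin unknown
    by, with_, login = hop
    if by != OUR_MTA:
        return "hold"                # not written by our MTA
    if with_ not in AUTHENTICATED_WITH:
        return "hold"                # unauthenticated session: From: proves nothing
    if login not in ALLOWED_POSTERS:
        return "hold"                # authenticated, but not as the allowed poster
    header_from = parseaddr(str(msg.get("From", "")))[1].lower()
    if header_from != login:
        return "hold"                # logged in as one identity, claims another
    return "accept"


def _message(received_lines, from_header):
    """Build a constructed raw message from trace-header lines and a From:."""
    return "\n".join(received_lines + [
        f"From: {from_header}", "To: announce@lists.example.com",
        "Subject: test", "", "body"])


# 1. Plain spoof: From: forged, session was unauthenticated ESMTP.
SPOOFED = _message([
    "Received: from mail.attacker.example (mail.attacker.example [192.0.2.10])",
    "\tby lists.example.com (Postfix) with ESMTP id 4F2A1",
    "\tfor <announce@lists.example.com>; Sat, 31 Oct 2009 00:01:00 +0000",
], "xyz@abc.com")

# 2. Same spoof plus a fake "authenticated" Received: sent inside DATA;
#    our MTA's own line still sits above it, so the fake one is ignored.
FORGED_TRACE = _message([
    "Received: from mail.attacker.example (mail.attacker.example [192.0.2.10])",
    "\tby lists.example.com (Postfix) with ESMTP id 4F2A3",
    "\tfor <announce@lists.example.com>; Sat, 31 Oct 2009 00:02:00 +0000",
    "Received: from client.abc.com (client.abc.com [198.51.100.7])",
    "\t(Authenticated sender: xyz@abc.com)",
    "\tby lists.example.com (Postfix) with ESMTPSA id 00000",
    "\tfor <announce@lists.example.com>; Sat, 31 Oct 2009 00:01:30 +0000",
], "xyz@abc.com")

# 3. Genuine post: SASL login as xyz@abc.com over TLS, recorded by our MTA.
AUTHENTICATED = _message([
    "Received: from client.abc.com (client.abc.com [198.51.100.7])",
    "\t(Authenticated sender: xyz@abc.com)",
    "\tby lists.example.com (Postfix) with ESMTPSA id 4F2A2",
    "\tfor <announce@lists.example.com>; Sat, 31 Oct 2009 00:03:00 +0000",
], "XYZ <xyz@abc.com>")

# 4. Authenticated as xyz@abc.com, but the From: header claims someone else.
MISMATCH = _message([
    "Received: from client.abc.com (client.abc.com [198.51.100.7])",
    "\t(Authenticated sender: xyz@abc.com)",
    "\tby lists.example.com (Postfix) with ESMTPSA id 4F2A4",
    "\tfor <announce@lists.example.com>; Sat, 31 Oct 2009 00:04:00 +0000",
], "boss@abc.com")

if __name__ == "__main__":
    for name, raw in [("spoofed", SPOOFED), ("forged trace", FORGED_TRACE),
                      ("authenticated", AUTHENTICATED), ("mismatch", MISMATCH)]:
        print(f"{name:14s} -> {decide(raw)}")
```

Two caveats that follow from the thread itself. The check is only as good as the guarantee that the topmost Received: line really came from your own MTA, so Mailman must not be reachable by any path that bypasses it (a second MX, a local injection route) or an attacker can supply that line too; and, as Stephen notes in point (3), the message has already been accepted by the MTA before this code runs, so it does nothing against spam volume or disk-filling, which only an MTA-side restriction addresses.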
#10
Barry Warsaw
Re: Fake Email - 11-11-2009, 12:12 AM

On Oct 31, 2009, at 10:54 AM, Todd Zullinger wrote:

Quote:
I don't know if the patches at http://non-gnu.uvt.nl/mailman-ssls/
would be helpful here or not. It's an attempt to add some OpenPGP and
S/MIME capabilities to Mailman.

I'll take a closer look at some point, but I suspect they won't be
relevant to Mailman 3. OTOH, I think it would be much easier to
implement in MM3.

-Barry

