[TriLUG] Invitation to connect on LinkedIn
Kevin Hunter
hunteke at earlham.edu
Sun Aug 28 21:00:37 EDT 2011
At 8:31pm -0400 Sun, 28 Aug 2011, Alan Porter wrote:
> I am still trying to figure out how this one got through the mailman
> filter. Normally, emails from list non-members are discarded.

Indeed. I wonder if Mailman checks the MAIL FROM: in the SMTP
handshake, or the From: header in the actual data of the message. If
it's the latter, then I too am confused. If it's the former, then if it
matched an email address in Mailman's DB, the slippage would make sense.

For example, here's a quick transcript of an SMTP session with TriLUG's
Postfix server:

-----
$ ssh trilug.org
$ telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 pilot.trilug.org ESMTP Postfix (Ubuntu)
HELO test
250 pilot.trilug.org
MAIL FROM: mrnobody at trilug.org
250 2.1.0 Ok
RCPT TO: hunteke at trilug.org
250 2.1.5 Ok
data
354 End data with <CR><LF>.<CR><LF>
To: Bogus at trilug.org
From: AnotherBogus at trilug.org
Subject: Wooot Woot

After an empty line begins the message...
And a single dot on a line ends the message:
.
250 2.0.0 Ok: queued as BD6A614A073
QUIT
221 2.0.0 Bye
Connection closed by foreign host.
$ # And they show up in the mail log like this:
$ echo; grep mrnobody /var/log/mail.log | awk {'print $6'} | xargs -I PATTERN grep PATTERN /var/log/mail.log
Aug 28 20:46:40 pilot postfix/smtpd[16212]: BD6A614A073: client=localhost[127.0.0.1]
Aug 28 20:47:36 pilot postfix/cleanup[16265]: BD6A614A073: message-id=<20110829004640.BD6A614A073 at pilot.trilug.org>
Aug 28 20:47:37 pilot postfix/qmgr[19123]: BD6A614A073: from=<mrnobody at trilug.org>, size=437, nrcpt=1 (queue active)
Aug 28 20:47:37 pilot postfix/local[16253]: BD6A614A073: to=<hunteke at trilug.org>, relay=local, delay=80, delays=79/0/0/0.26, dsn=2.0.0, status=sent (delivered to command: /usr/lib/dovecot/deliver)
Aug 28 20:47:37 pilot postfix/qmgr[19123]: BD6A614A073: removed
-----

Note that the MAIL FROM: and RCPT TO: lines do *not* match the From: and
To: headers in the message (which can be completely made up) and I still
received that bogus email. (This is, among other things, how BCC works.)

So, without further information, that would be my best guess.

Cheers,
Kevin
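
The envelope-versus-header distinction discussed in the message above, as an added example that is not part of the original post and is not Mailman's code: a hypothetical membership check that reports what an envelope-only filter and a header-only filter would each conclude, and holds any post where the two identities disagree. The member list, the function names and the user@domain forms of the addresses are assumptions made for the example.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample data: a hypothetical member list, and the headers from the
# transcript above written in ordinary user@domain form.
MEMBERS = {"hunteke@trilug.org"}
RAW = (
    "To: Bogus@trilug.org\n"
    "From: AnotherBogus@trilug.org\n"
    "Subject: Wooot Woot\n"
    "\n"
    "After an empty line begins the message...\n"
)


def normalize(addr):
    """Reduce 'Name <user@host>' or '<user@host>' to a bare lowercase address."""
    return parseaddr(addr or "")[1].strip().lower()


def check_post(envelope_from, raw_message, members):
    """Compare the two sender identities of one message against the member list.

    envelope_from is the SMTP MAIL FROM value; the From: header is read from
    the message data. Returns what an envelope-only filter and a header-only
    filter would each conclude, plus a stricter combined decision.
    """
    header_from = normalize(message_from_string(raw_message).get("From"))
    envelope_from = normalize(envelope_from)
    env_ok = envelope_from in members
    hdr_ok = header_from in members
    if env_ok and hdr_ok and envelope_from == header_from:
        decision = "accept"
    elif env_ok or hdr_ok:
        decision = "hold"      # identities disagree, or only one is a member
    else:
        decision = "discard"   # neither identity belongs to a member
    return {"envelope_only": env_ok, "header_only": hdr_ok, "decision": decision}


if __name__ == "__main__":
    # The transcript's case, then the same data with a member's envelope sender.
    print(check_post("mrnobody@trilug.org", RAW, MEMBERS))
    print(check_post("hunteke@trilug.org", RAW, MEMBERS))
```
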