
Re: [suse-security] Curious response

Hello Keith

On Friday 12 December 2003 21:40, Keith Roberts wrote:

> Would it be possible to configure ezmlm to check the real
> FROM address in the email header to verify that a person is
> subscribed to this list.
> This may allow us to use FAKE addresses when sending mail to
> the list, but still allowing ezmlm to check for validity of
> subscriber's real email address???

I don't quite follow your thoughts. What do you mean by ``real
FROM address''?

The intention of my previous message was to point out that the ez 
mailing list manager uses the ``envelope From'' for verification of 
the list members, which isn't displayed in the list postings. The 
``header from'' is ignored, so that you can set your header from to 
whatever you want.

Maybe I explained that badly the first time. Here is what SuSE itself
writes about it (Source: FAQ - Frequently asked questions of the
test-list@xxxxxxxx list):

Q2.  Envelope from?  Header from?  All I want to do is post a
     message to one of your mailing lists!  Why is this so
     complicated?  I don't have trouble subscribing to other

A2.  The header from is probably what you think of as the "from";
        From: foo@xxxxxxx
     It is contained in DATA portion of the mail (that's the part
     of the mail that you, as a user, write).  The envelope from
     is written by your mail transport agent, or MTA.  That's the
     thing that your mail client hands the message you just wrote
     off to to have it delivered.  An envelope is generally
     represented as this in the traditional mbox format:
        From foo@xxxxxxx Fri Mar  1 12:59:36 2002
     If you use maildirs or some other mailbox format you probably
     won't have that. Most MTAs copy the envelope from to the
     Return-Path header so you can also get it from that. 
     This is who your MTA, in the words of RFC 822bis, says "the
     author(s) of the message, that is, the mailbox(es) of the
     person(s) or system(s) responsible for the writing of the
     The mailing list software we use (ezmlm+idx) takes the envelope
     from as the address to subscribe when you email
     LISTNAME-subscribe@xxxxxxxxx  Other mailing list software might
     use the header from.

     There are lots of good technical reasons why the envelope from 
     is used (which you can read all about at the author's site:
     http://cr.yp.to/immhf.html) but a big benefit for you is that
     since the envelope from isn't displayed in list postings and
     the header from is ignored you can set your header from to be
     whatever you want.  This means that you can use your main email
     address for the list and, if you munge the address, you won't
     need to worry about it being harvested by an evil spammer.
     In other words, you are encouraged to rot13, reverse, encrypt,
     or do whatever to your header from (*except* leave it
     unqualified) and it won't affect your subscription at all. 
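
The envelope-from / header-from distinction described in the FAQ above, as an added example that is not part of the original message and is not ezmlm code: it reads the envelope sender from the mbox "From " line (falling back to Return-Path) and checks only that address against a subscriber list. All addresses, the subscriber set and the function names are constructed for illustration.

```python
import email
from email.utils import parseaddr

SUBSCRIBERS = {"alice@example.org"}  # constructed subscriber list

# Constructed messages; the first line of the mbox ones is the envelope.
MUNGED_HEADER = (
    "From alice@example.org Fri Mar  1 12:59:36 2002\n"
    "Return-Path: <alice@example.org>\n"
    "From: Alice <alice@nospam.invalid>\n"
    "Subject: test\n\nbody\n"
)
OTHER_ENVELOPE = (
    "From mallory@example.net Fri Mar  1 13:05:00 2002\n"
    "Return-Path: <mallory@example.net>\n"
    "From: alice@example.org\n"
    "Subject: test\n\nbody\n"
)
MAILDIR_STYLE = (  # no "From " line, only the Return-Path copy
    "Return-Path: <alice@example.org>\n"
    "From: Alice <alice@nospam.invalid>\n"
    "Subject: test\n\nbody\n"
)

def envelope_from(raw):
    """Envelope sender: mbox 'From ' line first, else Return-Path."""
    msg = email.message_from_string(raw)
    unixfrom = msg.get_unixfrom()
    if unixfrom:
        parts = unixfrom.split()
        if len(parts) >= 2:
            return parts[1].lower()
    addr = parseaddr(msg.get("Return-Path", ""))[1]
    return addr.lower() or None

def header_from(raw):
    """Address in the From: header, the one list readers see."""
    msg = email.message_from_string(raw)
    return parseaddr(msg.get("From", ""))[1].lower()

def is_subscriber_post(raw, subscribers=SUBSCRIBERS):
    """Membership is decided on the envelope sender; From: is ignored."""
    sender = envelope_from(raw)
    return sender is not None and sender in subscribers

if __name__ == "__main__":
    for name in ("MUNGED_HEADER", "OTHER_ENVELOPE", "MAILDIR_STYLE"):
        raw = globals()[name]
        print(name, envelope_from(raw), header_from(raw), is_subscriber_post(raw))
```

The envelope sender is itself supplied by the sending side in the SMTP MAIL FROM command, so this check identifies a subscribed address rather than authenticating who sent the message.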
