Re: [suse-security] Curious response
On Friday 12 December 2003 21:40, Keith Roberts wrote:
> Would it be possible to configure ezmlm to check the real
> FROM address in the email header to verify that a person is
> subscribed to this list.
> This may allow us to use FAKE addresses when sending mail to
> the list, but still allowing ezmlm to check for validity of
> subscriber's real email address???
I don't quite follow your thoughts. What do you mean by ``real
The intention of my previous message was to point out that the ez
mailing list manager uses the ``envelope From'' for verification of
the list members, which isn't displayed in the list postings. The
``header from'' is ignored, so that you can set your header from to
whatever you want.
Maybe I explained that badly the first time. Here is what SuSE itself
writes about it (Source: FAQ - Frequently asked questions of the
Q2. Envelope from? Header from? All I want to do is post a
message to one of your mailing lists! Why is this so
complicated? I don't have trouble subscribing to other
A2. The header from is probably what you think of as the "from";
it is contained in the DATA portion of the mail (that's the part
of the mail that you, as a user, write). The envelope from
is written by your mail transport agent, or MTA. That's the
thing that your mail client hands the message you just wrote
off to to have it delivered. An envelope is generally
represented as this in the traditional mbox format:
From foo@xxxxxxx Fri Mar 1 12:59:36 2002
If you use maildirs or some other mailbox format you probably
won't have that. Most MTAs copy the envelope from to the
Return-Path header so you can also get it from that.
This is who your MTA, in the words of RFC 822bis, says "the
author(s) of the message, that is, the mailbox(es) of the
person(s) or system(s) responsible for the writing of the
The mailing list software we use (ezmlm+idx) takes the envelope
from as the address to subscribe when you email
LISTNAME-subscribe@xxxxxxxxx. Other mailing list software might
use the header from.
There are lots of good technical reasons why the envelope from
is used (which you can read all about at the author's site:
http://cr.yp.to/immhf.html) but a big benefit for you is that
since the envelope from isn't displayed in list postings and
the header from is ignored you can set your header from to be
whatever you want. This means that you can use your main email
address for the list and, if you munge the address, you won't
need to worry about it being harvested by an evil spammer.
In other words, you are encouraged to rot13, reverse, encrypt,
or do whatever to your header from (*except* leave it
unqualified) and it won't affect your subscription at all.
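The distinction described in the message above, as an added example that is not part of the original post and not ezmlm's code: it reads the envelope from of a message stored in mbox format (falling back to Return-Path) and makes a membership decision on that address alone, ignoring the header from. The addresses, the subscriber set and the function names are constructed for illustration.

```python
import email
from email.utils import parseaddr

# Constructed sample: one message in traditional mbox format. The header
# From is munged (reversed); the envelope from is the subscribed address.
RAW_MBOX_MESSAGE = (
    "From alice@example.org Fri Mar  1 12:59:36 2002\n"
    "Return-Path: <alice@example.org>\n"
    "From: Alice <ecila@tsil.invalid>\n"
    "To: list@lists.example.net\n"
    "Subject: test posting\n"
    "\n"
    "Body text.\n"
)
SUBSCRIBERS = {"alice@example.org"}  # constructed subscriber list


def envelope_sender(raw):
    """Return the envelope from: mbox "From " line first, else Return-Path."""
    first_line, _, rest = raw.partition("\n")
    if first_line.startswith("From "):
        # mbox separator line has the form "From <address> <date>"
        fields = first_line.split()
        if len(fields) >= 2:
            return fields[1].lower()
        raw = rest
    msg = email.message_from_string(raw)
    return parseaddr(msg.get("Return-Path", ""))[1].lower()


def header_from(raw):
    """Return the address in the From: header (part of the DATA portion)."""
    msg = email.message_from_string(raw)
    return parseaddr(msg.get("From", ""))[1].lower()


def may_post(raw, subscribers):
    """Membership decision keyed on the envelope from only."""
    return envelope_sender(raw) in subscribers


if __name__ == "__main__":
    print("envelope from:", envelope_sender(RAW_MBOX_MESSAGE))
    print("header from:  ", header_from(RAW_MBOX_MESSAGE))
    print("may post:     ", may_post(RAW_MBOX_MESSAGE, SUBSCRIBERS))
```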