perl-devel mailing list accepts posts from subscribers only. But I found a spam messages distributed by the mailing list that claimed the From: perl-devel@lists.fedoraproject.org. See [https://lists.fedoraproject.org/archives/list/perl-devel@lists.fedoraproject.org/message/QCKOVTUU7CFZRE74S4CMR576HRRDCNYM/].
Apparently the list accepts messages that claims they were sent from itself. Even If the address is not a subscriber and even if I added the address into "Banned addresses".
I cannot see a reason why the Mailman hard codes its own From: address. Please remove this unmodifiable rule.
I saw what appears to be the same issue on the test@ list.
https://lists.fedoraproject.org/archives/list/test@lists.fedoraproject.org/message/KORSUGVNF5VMHXE4XSGUHUVIRZL7GFLS/
I've tested on another list and it does not accept its own list address. I'm investigating why it's doing it on those lists.
This came from a pretty bad Mailman bug: https://gitlab.com/mailman/mailman/issues/283
I have deployed a temporary hotfix on production but the proper fix is still to be written.
Login to comment on this ticket.