The perl-devel mailing list accepts posts from subscribers only. But I found a spam message distributed by the mailing list that claimed the From: firstname.lastname@example.org. See [https://email@example.com/message/QCKOVTUU7CFZRE74S4CMR576HRRDCNYM/].
Apparently the list accepts messages that claim they were sent from itself, even if the address is not a subscriber and even if I added the address to "Banned addresses".
I cannot see a reason why Mailman hard-codes its own From: address. Please remove this unmodifiable rule.
I saw what appears to be the same issue on the test@ list.
I've tested on another list and it does not accept its own list address. I'm investigating why it's doing it on those lists.
This came from a pretty bad Mailman bug: https://gitlab.com/mailman/mailman/issues/283
I have deployed a temporary hotfix on production but the proper fix is still to be written.