Re: Limited DoS in mailman (requires non standard config)

[Kurt Seifried <kseifried () redhat com>]

CentOS 6.6 with mailman-2.1.12-18.el6.x86_64

Which is.. ergh. I did not realize how old this is.

On 04/28/2015 11:50 AM, Mark Sapiro wrote:
> On 04/28/2015 10:04 AM, Kurt Seifried wrote:
> > So I recently ran into a flaw in mailman where I had imported a text
> > list of email addresses of people that wanted to sign up. It turns out
> > one of the addresses was in the form "user () domain tld/random", not sure
> > how that snuck in but anyways. When sending email to this list it fails
> > due to that address being present:
>
>
> What Mailman version is this?
>
> I don't think any recent version would add that address to a list
> regardless of how it was attempted to be added.
>
>
> > from mailman posts log:
> >
> > Apr 28 16:46:23 2015 (29704) post to testing from testing-request@XXX,
> > size=1786, message-id=<mailman.0.1430239582.16535.testing@XXX>, 1 failures
> >
> > from smtp-failure log:
> >
> > smtp-failure:Apr 28 16:46:44 2015 (29704) All recipients refused:
> > {'kurt () seifried org/foo': (501, '5.1.3 Bad recipient address syntax')},
> > msgid: <CAEo5KB7F3LNCv7Q09ppqBRgUZTaGizyRHx1WS81w8K7S8Yhk7A@YYY>
>
>
> And I think the only address refused was the one kurt () seifried org/foo
> address. The 'All recipients refused:' refers to all recipients in that
> SMTP transaction, not necessarily every list member.
>
> What does your MTA log say about this delivery? And what does Mailman's
> 'smtp' log say?

-- 
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

Attachment: signature.asc
Description: OpenPGP digital signature