Re: spoofing test

On Sun, Dec 17, 2023 at 10:00:00AM +0200, Regina Obe wrote:

This is not Regina, but Sandro testing if Mailman will prevent spoofing

Interestingly, the header of the email as I received it via mailing
list contained such a nice looking header:

  Authentication-Results:
    spool.mail.gandi.net;
      dkim=none;
      dmarc=none;
      spf=pass (spool.mail.gandi.net: domain of "SRS0=IgYp=IG=lists.osgeo.org=sac-bounces@osgeo.org" designates 140.211.15.3 as permitted sender)
        smtp.mailfrom="SRS0=IgYp=IG=lists.osgeo.org=sac-bounces@osgeo.org"

This is basically Mailman taking responsibility for the mail it sent out.

I guess the mail should have been rejected by the OSGeo MTA due to
the SPF record for pcorp.us not listing hst.kbt.io as a valid sender.
This is clearly not happening and I've created a ticket (high priority IMHO)
for dealing with this:

  #3067 (Perform email authenticity checks before accepting them) – OSGeo

--strk;

  Libre GIS consultant/developer
  strk's services
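
The following is an added example, not part of the original message: it parses the Authentication-Results header quoted above and shows that the SPF pass covers only the list's rewritten envelope sender, not the author domain. It assumes pcorp.us is the From: header domain of the test mail; the function names are hypothetical, and the alignment check is a simplification (real DMARC compares organizational domains using the Public Suffix List).

```python
import re

# Header value as quoted in the message above, with folded lines joined.
HEADER = (
    'spool.mail.gandi.net; dkim=none; dmarc=none; '
    'spf=pass (spool.mail.gandi.net: domain of '
    '"SRS0=IgYp=IG=lists.osgeo.org=sac-bounces@osgeo.org" designates '
    '140.211.15.3 as permitted sender) '
    'smtp.mailfrom="SRS0=IgYp=IG=lists.osgeo.org=sac-bounces@osgeo.org"'
)

def parse_authres(value):
    """Return (authserv_id, {method: {'result': ..., property: value}})."""
    value = re.sub(r'\([^()]*\)', ' ', value)   # drop parenthesised comments
    parts = [p.strip() for p in value.split(';') if p.strip()]
    methods = {}
    for part in parts[1:]:
        tokens = re.findall(r'([\w.-]+)=("[^"]*"|\S+)', part)
        if not tokens:
            continue
        method, result = tokens[0]
        entry = {'result': result.lower()}
        for key, val in tokens[1:]:
            entry[key.lower()] = val.strip('"')
        methods[method.lower()] = entry
    return parts[0], methods

def aligned(auth_domain, from_domain):
    """Simplified relaxed alignment: same domain or parent/child of it."""
    a, f = auth_domain.lower(), from_domain.lower()
    if not a or not f:
        return False
    return a == f or a.endswith('.' + f) or f.endswith('.' + a)

def from_is_authenticated(header_value, from_domain):
    """True only if a passing SPF or DKIM result is aligned with From:."""
    _, methods = parse_authres(header_value)
    spf = methods.get('spf', {})
    if spf.get('result') == 'pass':
        envelope_domain = spf.get('smtp.mailfrom', '').rpartition('@')[2]
        if aligned(envelope_domain, from_domain):
            return True
    dkim = methods.get('dkim', {})
    return dkim.get('result') == 'pass' and aligned(dkim.get('header.d', ''), from_domain)

if __name__ == '__main__':
    # Assumption: pcorp.us is the From: domain of the test mail.
    print(from_is_authenticated(HEADER, 'pcorp.us'))   # SPF pass is for osgeo.org only
```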