On Sun, Dec 17, 2023 at 10:00:00AM +0200, Regina Obe wrote:
> This is not Regina, but Sandro testing if Mailman will prevent spoofing
Interestingly, the header of the email as I received it via mailing
list contained such a nice looking header:
Authentication-Results: spool.mail.gandi.net;
    dkim=none;
    dmarc=none;
    spf=pass (spool.mail.gandi.net: domain of "SRS0=IgYp=IG=lists.osgeo.org=sac-bounces@osgeo.org" designates 140.211.15.3 as permitted sender)
        smtp.mailfrom="SRS0=IgYp=IG=lists.osgeo.org=sac-bounces@osgeo.org"
This is basically Mailman taking responsibility for the mail it sent out.
I guess the mail should have been rejected by the OSGeo MTA due to
the SPF record for pcorp.us not listing hst.kbt.io as a valid sender.
This is clearly not happening and I've created a ticket (high priority IMHO)
for dealing with this:
#3067 (Perform email authenticity checks before accepting them) – OSGeo
--strk;
Libre GIS consultant/developer
strk's services
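
Added example, not part of the original message: a small Python check that parses the Authentication-Results header quoted above and reports whether its spf=pass says anything about the visible author domain. It assumes the From: domain of the test mail is pcorp.us (the domain the message names) and approximates the organizational domain with the last two labels instead of the Public Suffix List.

```python
import re

# Header value as quoted in the message above, with the folded lines joined.
AUTH_RESULTS = (
    'spool.mail.gandi.net; dkim=none; dmarc=none; '
    'spf=pass (spool.mail.gandi.net: domain of '
    '"SRS0=IgYp=IG=lists.osgeo.org=sac-bounces@osgeo.org" designates '
    '140.211.15.3 as permitted sender) '
    'smtp.mailfrom="SRS0=IgYp=IG=lists.osgeo.org=sac-bounces@osgeo.org"'
)

def parse_auth_results(value):
    """Return (authserv_id, {method: (result, {property: value})})."""
    # Drop parenthesised comments so '=' or ';' inside them is not parsed.
    value = re.sub(r'\([^()]*\)', ' ', value)
    authserv, *clauses = [c.strip() for c in value.split(';')]
    methods = {}
    for clause in clauses:
        m = re.match(r'(\w+)\s*=\s*(\w+)(.*)', clause, re.S)
        if not m:
            continue
        pairs = re.findall(r'([\w.]+)\s*=\s*(?:"([^"]*)"|(\S+))', m.group(3))
        props = {key: (quoted or bare) for key, quoted, bare in pairs}
        methods[m.group(1).lower()] = (m.group(2).lower(), props)
    return authserv, methods

def org_domain(domain):
    # Assumption: last two labels; real DMARC alignment uses the Public Suffix List.
    return '.'.join(domain.lower().rstrip('.').split('.')[-2:])

def assess(auth_results, header_from_domain):
    """Report what the recorded results vouch for, relative to the From: domain."""
    _, methods = parse_auth_results(auth_results)
    spf_result, spf_props = methods.get('spf', ('none', {}))
    dkim_result, dkim_props = methods.get('dkim', ('none', {}))
    envelope_domain = spf_props.get('smtp.mailfrom', '').rpartition('@')[2].lower()
    want = org_domain(header_from_domain)
    spf_aligned = spf_result == 'pass' and org_domain(envelope_domain) == want
    dkim_aligned = dkim_result == 'pass' and org_domain(dkim_props.get('header.d', '')) == want
    return {
        'envelope_domain': envelope_domain,
        'spf': spf_result,
        'spf_aligned': spf_aligned,
        'author_authenticated': spf_aligned or dkim_aligned,
    }

if __name__ == '__main__':
    print(assess(AUTH_RESULTS, 'pcorp.us'))
```

For the header above this reports an spf=pass for osgeo.org that is not aligned with pcorp.us, so nothing recorded by the receiving server authenticates the author.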