From owner-freebsd-security@FreeBSD.ORG Thu Apr 21 17:04:26 2011
Date: Thu, 21 Apr 2011 13:04:24 -0400
From: Gary Palmer
To: Paul Blazejowski , Robert Simmons , freebsd-security
Message-ID: <20110421170424.GC73035@in-addr.com>
References: <20110420212354.GB73035@in-addr.com> <20110421042639.GB91477@DataIX.net> <1303360894.3063.1.camel@blaze.homeip.net> <20110421123447.GD4543@straylight.ringlet.net>
In-Reply-To: <20110421123447.GD4543@straylight.ringlet.net>
Subject: Re: bad email address
List-Id: "Security issues [members-only posting]"

On Thu, Apr 21, 2011 at 03:34:47PM +0300, Peter Pentchev wrote:
> On Thu, Apr 21, 2011 at 12:41:34AM -0400, Paul Blazejowski wrote:
> > doesn't mailman unsubscribe an email automatically after a couple of
> > bounces? unless freebsd list is not configured to do so...
>
> That's only if the bounce message reaches mailman. In this case,
> the culprit is a mail bouncing agent (MBA? ;) which addresses
> the bounce to the original sender (the one from the From header)
> instead of *any* of the other possible addresses present in
> mailman-generated messages that would do the right thing.

RFCs say bounces have to go to the envelope sender. MailMan correctly changes the envelope sender of mail to freebsd-security to owner-freebsd-security@freebsd.org so that it can see the NDRs (non-delivery reports). However some broken software bounces to the From address in the header. Since the From address in the header is *not* MailMan it cannot auto-unsubscribe the bouncing user.

If the bouncing user's MTA/MUA doesn't follow specifications there isn't a lot MailMan can do.

Anyway, back to your scheduled discussion of FreeBSD security issues

Gary
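
The envelope-sender versus From distinction discussed in this message, as an added example that is not part of the original post or of Mailman's code: it picks the NDR target from the `Return-Path` header (where the delivering MTA records the envelope sender) and classifies where a bounce actually went. The sample message, `author@example.org` and the function names are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample of a list message as stored at final delivery.
# Return-Path records the SMTP envelope sender (MAIL FROM); From is the
# author. author@example.org is a made-up address.
DELIVERED = """\
Return-Path: <owner-freebsd-security@freebsd.org>
From: Some Author <author@example.org>
To: freebsd-security@freebsd.org
Subject: Re: bad email address
Precedence: list

body
"""


def bounce_recipient(raw):
    """Address an NDR must be sent to, or None when no NDR may be sent."""
    msg = message_from_string(raw)
    return_path = msg.get("Return-Path")
    if return_path is None:
        raise ValueError("no Return-Path header: envelope sender unknown")
    if return_path.strip() == "<>":
        # Null reverse-path marks a notification such as a bounce;
        # an NDR must never be generated in reply to it.
        return None
    return parseaddr(return_path)[1].lower() or None


def classify_bounce(raw, ndr_sent_to):
    """Say whether an NDR addressed to ndr_sent_to can reach the list manager."""
    msg = message_from_string(raw)
    author = parseaddr(msg.get("From", ""))[1].lower()
    target = ndr_sent_to.lower()
    if target == bounce_recipient(raw):
        return "list-can-process"
    if target == author:
        return "misdirected-to-author"
    return "misdirected-other"


if __name__ == "__main__":
    print("correct NDR target:", bounce_recipient(DELIVERED))
    print(classify_bounce(DELIVERED, "author@example.org"))
```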