[Mailman-Developers] before next release: disable backscatter in default installation

Jo Rhett jrhett at netconsonance.com
Tue Mar 4 21:30:33 CET 2008


Hi.  There's a fairly simple problem here that needs to be  
addressed.  And it's mostly a documentation/install problem.  I'm  
hoping we can get this resolved before the next release.

PROBLEM: Mailman comes out of the box ready to backscatter spam people.

Yes, it's easy enough to fix.  But because it comes stock this way,  
and is documented to install this way, most people install it to do  
this.  Those of us who work in abuse departments are tired of hearing  
"well that's how Mailman works".  We also object to having to teach  
people how to fix their Mailman installations because it's not  
documented in the current manual.

This is *exactly* like Sendmail 14 years ago.  We didn't accept it  
then, and Sendmail fixed the problem.

RESOLUTION: Mailman default installation should not backscatter in a  
default configuration.

1. Don't create backscatter aliases for subscribe/unsubscribe/etc by  
default.  Nearly everyone uses web-based signup.

2. Discard or hold messages from non-subscribers by default.

I would think that it would be perfectly reasonable to have  
documentation on how to enable the 1980s-style -request / -subscribe  
etc aliases.  However this documentation should have a note that this  
is against the AUP of nearly every network provider, and enabling it  
will likely cause them to get listed in various blacklists as a  
backscatter source.

FYI: I know that this goes against the instincts of many old-time  
mailing list advocates here.  But after dealing with a 10k/hour  
backscatter DoS my tolerance for this problem is understandably  
limited.  Yes, it was a sweet day back in the 1980s.  I was running a  
mailing list server and several UUCP gateways at the time, so I  
remember them well.  But those days are past, and we need to deal  
with the reality of today.

-- 
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source  
and other randomness

