[Mailman-Users] Spoofed Addresses

Brad Knowles brad at stop.mail-abuse.org
Sat Oct 30 03:13:21 CEST 2004


At 8:24 PM -0400 2004-10-29, David Relson wrote:

>  Part of asking the question was to learn whether mailman has any ability
>  to verify addresses.  I wasn't aware of anything, which doesn't mean it
>  can't be done.  Along a similar vein, I'm wondering if there are ways
>  for postfix and procmail to validate addresses.

	How would it verify the address?  By the time that Mailman gets 
the message, it's already been accepted by your MTA.

	If you need application-level authentication, you could have 
everyone encrypt their messages to a PGP key that is registered to 
the list, and then have mmreencrypt turn around and re-encrypt that 
message to all the recipients.  See 
<http://sourceforge.net/projects/mmreencrypt/>.


	There are no verification or authentication mechanisms inherent 
to Mailman, beyond checking what's in the headers (e.g., "From:", 
"Sender:", etc...) and what's used as the envelope sender, and seeing 
whether that address is allowed to post (i.e., they are a subscriber, 
or whatever).

	I guess you could set up forced moderation for all users, so that 
a human being has to take a manual action for each message in order 
to approve it.  That's not a very scalable solution, however.


	So far as I know, that's about it.

-- 
Brad Knowles, <brad at stop.mail-abuse.org>

"Those who would give up essential Liberty, to purchase a little
temporary Safety, deserve neither Liberty nor Safety."

     -- Benjamin Franklin (1706-1790), reply of the Pennsylvania
     Assembly to the Governor, November 11, 1755

   SAGE member since 1995.  See <http://www.sage.org/> for more info.
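Added example, not part of the original post and not Mailman's own code: a simplified Python model of the posting check described above, showing that the decision rests only on strings the submitter supplies (the "From:" and "Sender:" headers and the envelope sender), and that forced moderation is the only switch here that changes the outcome. The names `MEMBERS`, `candidate_senders` and `posting_decision`, and all addresses, are hypothetical and constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed subscriber list; all addresses are made-up examples.
MEMBERS = {"alice@example.org", "bob@example.org"}


def candidate_senders(msg, envelope_sender):
    """Collect every address the described check looks at: the From: and
    Sender: headers plus the envelope sender. All of them are supplied by
    whoever submitted the message; none is verified."""
    headers = msg.get_all("From", []) + msg.get_all("Sender", [])
    addrs = [addr for _name, addr in getaddresses(headers)]
    addrs.append(envelope_sender)
    return {a.strip().lower() for a in addrs if a}


def posting_decision(raw, envelope_sender, members=MEMBERS, moderate_all=False):
    """Classify a message that the MTA has already accepted."""
    msg = message_from_string(raw)
    if moderate_all:
        return "hold"  # forced moderation: a human approves every post
    if candidate_senders(msg, envelope_sender) & members:
        return "accept"  # some claimed address matches a subscriber
    return "nonmember"


# Constructed sample messages.
GENUINE = "From: Alice <alice@example.org>\nSubject: hi\n\nbody\n"
# Identical headers, but handed to the MTA with a different envelope sender.
CLAIMED = "From: Alice <alice@example.org>\nSubject: hi\n\nbody\n"
OUTSIDER = "From: Mallory <mallory@example.net>\nSubject: hi\n\nbody\n"


def demo():
    return [
        posting_decision(GENUINE, "alice@example.org"),
        posting_decision(CLAIMED, "bounce@example.net"),
        posting_decision(OUTSIDER, "mallory@example.net"),
        posting_decision(CLAIMED, "bounce@example.net", moderate_all=True),
    ]


if __name__ == "__main__":
    print(demo())
```

The first two results are identical because the check has no input that distinguishes who actually submitted the message; only the moderated case differs.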


