So the problem I described last January and again mentioned last September is
still happening to me, and now to a lot more people. It will only become more
and more prevalent as viruses become more common and sites that filter them
become more common.
Perhaps I should restate the problem more simply. Mailman is committing the
basic sin of network security -- receiving data from the network and trusting
it for purposes other than as opaque data.
It is using messages posted to the list -- the content and format of which it
does not control -- to detect bouncing email addresses. Because of this it
cannot tell if the bounces it's receiving are caused by a broken email address
or caused by some particularity of the posted message.
Virus scans are only one type of bounce that could cause someone to be
unsubscribed spuriously. For example, most mail servers have a maximum message
size. Consider the security implications: all I have to do to mass
unsubscribe many people--even everyone--on a list is send a message over 50k.
Everyone using old versions of sendmail will be unsubscribed. A larger message
will unsubscribe anyone using most modern MTAs. Nor do the tests that require
multiple bounces protect anything; I just have to send my attack a few times.
Really, Mailman should simply not trust outside data for any purpose. It should
treat the bounces received from mailing list messages purely as hints. It
should then send its *own* message with content not subject to any control
from outside to the user. Only if that known inoffensive message bounces
should it consider removing the user.
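One way to implement the "bounce as hint, then probe" policy described above, as an added illustration and not Mailman's own code; the class and method names, the hint threshold and the token scheme are assumptions:

```python
# Added illustration (not Mailman's own code) of the "bounce as hint, then
# probe" policy: a bounce caused by a list post only counts as a hint, and a
# subscriber is disabled only when a probe message the list fully controls
# bounces. Class and method names and the hint threshold are assumptions.
import secrets


class BounceTracker:
    def __init__(self, threshold=3):
        self.threshold = threshold   # list-post bounces before a probe is sent
        self.hints = {}              # address -> number of list-post bounces
        self.probes = {}             # probe token -> address being probed
        self.outbox = []             # (address, token) probes "sent"
        self.disabled = set()        # addresses confirmed dead by a probe

    def bounce_from_list_post(self, address):
        """Bounce of a list message. The poster chose its content and size,
        so it is only a hint; never disable on this evidence alone."""
        if address in self.disabled or address in self.probes.values():
            return None              # already dead, or a probe is outstanding
        self.hints[address] = self.hints.get(address, 0) + 1
        if self.hints[address] < self.threshold:
            return None
        return self.send_probe(address)

    def send_probe(self, address):
        """Send a small, known-inoffensive message whose sender address
        carries an unguessable token (VERP-style) so its bounce is recognised."""
        token = secrets.token_hex(8)
        self.probes[token] = address
        self.outbox.append((address, token))
        return token

    def bounce_from_probe(self, token):
        """Only a bounce that carries a token we issued is trusted."""
        address = self.probes.pop(token, None)
        if address is None:
            return False             # unknown or forged token: ignore it
        self.disabled.add(address)
        self.hints.pop(address, None)
        return True

    def probe_expired(self, token):
        """No bounce within the grace period: the address works, so the
        hints gathered from list posts are discarded."""
        address = self.probes.pop(token, None)
        if address is not None:
            self.hints.pop(address, None)
        return address
```

Because the probe's content and size are fixed by the list, an oversized or virus-flagged post can at most trigger a probe, never an unsubscription.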
This is really a DoS security issue, though the worst case attack is
unsubscribing many users of a list. That it gets triggered normally even when
not specifically under attack only makes the problem apparent.