Hi. There's a fairly simple problem here that needs to be
addressed. And it's mostly a documentation/install problem. I'm
hoping we can get this resolved before the next release.
PROBLEM: Mailman comes out of the box ready to backscatter spam people.
Yes, it's easy enough to fix. But because it comes stock this way,
and is documented to install this way, most people install it to do
this. Those of us who work in abuse departments are tired of hearing
"well that's how Mailman works". We also object to having to teach
people how to fix their Mailman installations because it's not
documented in the current manual.
This is *exactly* like Sendmail 14 years ago. We didn't accept it
then, and Sendmail fixed the problem.
RESOLUTION: Mailman default installation should not backscatter in a
default configuration.
1. Don't create backscatter aliases for subscribe/unsubscribe/etc by
default. Nearly everyone uses web based signup.
2. Discard or hold messages from non-subscribers by default.
I would think that it would be perfectly reasonable to have
documentation on how to enable the 1980s-style -request / -subscribe
etc. aliases. However this documentation should have a note that this
is against the AUP of nearly every network provider, and enabling it
will likely cause them to get listed in various blacklists as a
backscatter source.
FYI: I know that this goes against the instincts of many old-time
mailing list advocates here. But after dealing with a 10k/hour
backscatter DoS my tolerance for this problem is understandably
limited. Yes, it was a sweet day back in the 1980s. I was running a
mailing list server and several UUCP gateways at the time, so I
remember them well. But those days are past, and we need to deal
with the reality of today.
--
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source
and other randomness
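As an added example (not from the post, and not stock Mailman code): site-wide overrides for point 2 of the resolution, written for Mailman 2.1's `mm_cfg.py`. It assumes the fragment is appended to the stock `mm_cfg.py` (which already begins with `from Defaults import *`) and that the option names match those in Mailman 2.1's `Defaults.py`; the stock value is shown beside the hardened one.

```python
# mm_cfg.py -- site-wide overrides for Mailman 2.1 (added example, not
# stock Mailman code).  Option names assumed to match Defaults.py; the
# numeric values for the nonmember action are 0=Accept, 1=Hold,
# 2=Reject, 3=Discard.

# Stock behaviour: a post from a non-subscriber is held, and the
# (often forged) envelope sender is told so.  That notice is the
# backscatter the post complains about.
#   DEFAULT_GENERIC_NONMEMBER_ACTION = 1   # Hold
#   DEFAULT_RESPOND_TO_POST_REQUESTS = 1   # tell the sender it was held

# Hardened default for newly created lists: discard non-subscriber
# posts silently, and never send hold notices back to the poster.
DEFAULT_GENERIC_NONMEMBER_ACTION = 3   # Discard
DEFAULT_RESPOND_TO_POST_REQUESTS = 0   # no notice to the poster

# If "hold" is preferred over "discard", keep the action at 1 but still
# leave DEFAULT_RESPOND_TO_POST_REQUESTS = 0, so nothing goes back to
# the envelope sender; the list owner still sees the held post in the
# admin queue.
```

These defaults are copied into a list's attributes when the list is created, so existing lists keep their old behaviour until their settings are changed (for example with `bin/config_list`).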