On Wed, 01 Sep 2004 15:55:47 +0100 Nigel Metheringham Nigel.Metheringham@dev.intechnology.co.uk wrote:

On Wed, 2004-09-01 at 10:41 -0400, J C Lawrence wrote:

...

On Wed, 01 Sep 2004 11:16:05 +0100 Nigel Metheringham Nigel.Metheringham@dev.intechnology.co.uk wrote:

...

I use TMDA as a C/R system in front of all my lists and then remove all posting controls on the lists at the Mailman level. Given that the majority of list members never even try to post, this has been proven a particularly effective control.

I am wondering about switching to the Mailman members initially moderated policy, although I don't really want to increase the load on the moderators.

Quite. I implemented the TMDA system for my lists initially just to get the SPAM load off me as moderator. There's quite a relief in running a fully moderated list and getting single digit SPAM at the moderation interface per year.

Since in this case (which may be isolated or co-incidental) the address forged as the sender address is a frequent list poster, using TMDA would not seem to add much.

TMDA uses the envelope sender rather than the From: address, which successfully traps most forged spam/virus mail.

What might add something would be an option where posters get a response back on postings similar to the current message held for moderation where they have a choice of actions - post or cancel at a minimum.

Yup, and in fact TMDA can be setup to do precisely this: just configure it to not add confirmants to the whitelist and reword the confirm request message to read as a posting check.

...

I also put mimefilter (a MIME stripper) in front of the lists to remove dangerous payloads, and then auto-junk messages which end up too short (this doesn't catch much, but just enough to glad of). In 3 years of using this system or earlier variants of it I've had only 12 spam make it through the system. Not ideal, but certainly a tolerable rate.

Its recently been requested that we start allowing some MIME parts through - especially PGP signature types and patch files.

This is precisely why I use mimefilter instead of demine: it can be configured to leave specific MIME types untouched. I also wrapped mimefilter in a procmail recipe that skips the mimefilter step if a special X-header is present. In this way some MIME types can always get through, and individual members can special case specific messages to get a particular MIME construct onto the list. So far it has worked perfectly.

Loosening the current paranoid content posting policy (which is actually there because historically pipermail didn't MIME and I want the archives to be sane) is going to open the cracks wider and allow some slime to lever things open further...

Yeah, that's always the problem. As I keep telling a few people at work:

Security (and accounting for that matter) is all about making sure that people don't do things. Doing our jobs done is all about actually doing things...

-- J C Lawrence ---------(*) Satan, oscillate my metallic sonatas. claw@kanga.nu He lived as a devil, eh? http://www.kanga.nu/~claw/ Evil is a name of a foeman, as I live.