My mail server has been blacklisted by several major e-mail providers because of backscatter spam generated by my Mailman installation:
(1) Spammers harvest the "listname-request@domain.com" address from a public Web page (presumably the Mailman admin page).
(2) Spam with forged "From:" headers is sent to "listname-request@domain.com".
(3) Mailman sends "subscribe confirmation" messages to the addressees in the forged "From" fields.
How can I stop this? I am willing to give up "subscribe to this list by e-mail", and require all subscriptions to be via the Web.
I used to use, and manage, mailing lists that handled all subscribe and unsubscribe requests by e-mail. But now almost all genuine subscription requests to my lists are made through the Web interface.
(I also used to run e-mail auto-responders, for example to send an FAQ in response to any e-mail message sent to a special e-mail address. I have stopped them all, for similar reasons -- they were attracting spam with forged "from" addresses, thus generating spam to those "from" addresses.)
I have found several discussions of variants of this issue on this list, going back at least 10 years. But so far as I can tell, there is not yet a simple option in the Web admin (or a config file) for each Mailman list, "Accept subscription requests by e-mail? Yes/No".
I understand that this may take time to implement, but this problem has been known for a very long time. I would like to see this put on the feature request list, however that is done. In the meantime, I need a workaround if I am to continue using Mailman at all.
I would still prefer to have e-mail confirmation of new subscriptions, but I don't think that would cause as much of a backscatter problem: The "-request" address can be harvested from the public Web, but the "-confirm" address would be much less likely to do so.
But if it is simpler to implement, it would be OK to require new subscriptions to be confirmed through the Web interface.
Temporarily, I have completely disabled the list that was attracting spam to its "-request" address. This isn't a viable long-term option.
Is there any workaround, either through the Web interface or by editing Mailman configuration files, to disable the "-request" address or cause all mail to that address to be dropped without generating a reply?
FWIW, I am using Mailman through Plesk, which offers it as an option. Plesk knows that "-request" is already in use by Mailman, and won't let me create that address or alias or manage it except through Mailman.
Thanks in advance for any advice you can offer,
Edward Hasbrouck
Edward Hasbrouck <edward@hasbrouck.org> <https://hasbrouck.org> <https://twitter.com/ehasbrouck> +1-415-824-0214
"The Practical Nomad: How to Travel Around the World" (5th ed., 2011) <https://hasbrouck.org/PN>
Consultant to The Identity Project: <https://papersplease.org>
GnuPG/PGP public key: <https://hasbrouck.org/ehasbrouck.asc> fingerprint: 0B0B 8F74 CEA3 83AB 97B3 F6AF BB7E F636 165C 22F5