
On 9/30/07, Robert Braver wrote:
> Wholesale bouncing of list mail to non-subscribers is totally unacceptable due to the amount of outscatter this will cause. (see http://en.wikipedia.org/wiki/Backscatter#Backscatter_of_email_spam )
Mailman is pretty resistant to generating backscatter. Yes, if configured to do so, it will generate it. But it keeps track of how often it has responded to a given address in a given period of time, and won't respond more than a set number of times in a day to a given address. This effectively limits the ability to abuse Mailman as a backscatter amplifier for a DDoS attack.
However, in some cases, even just a single instance of backscatter can get you put on a blacklist. So, you've got to weigh the relative evils of not responding at all to a potential legitimate message from a real human being, or generating potential backscatter.
It only took one list member from one of the smaller lists (which is private and not listed anywhere) who had their address book harvested by a trojan to cause about 50 spam emails a day to that list alone on an ongoing basis... so hiding the list addresses doesn't guarantee that they won't eventually leak out and get on the spam lists.
Security through obscurity never works. Ultimately, you always get found out. Usually, that ends up happening sooner rather than later. However, keeping lists private as part of a larger security scheme can be effective -- just make sure that keeping the list private isn't your only method of security.
-- Brad Knowles <brad@shub-internet.org> LinkedIn Profile: <http://tinyurl.com/y8kpxu>
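The per-address response cap Brad describes (remember how often a given address has been answered and refuse to answer it more than a set number of times per day) can be modelled as a small sliding-window throttle. This is an added example in Python and not Mailman's own code; the class name, the default of 3 replies per day and the sample addresses are assumptions chosen for illustration.

```python
"""Per-sender throttle for auto-replies to non-member posts.

Added example, not Mailman's code: it models the behaviour described in
the message above so that a list cannot be turned into a backscatter
amplifier, while a real person still gets an answer.
"""
from collections import defaultdict, deque

DAY = 24 * 60 * 60  # length of the sliding window, in seconds


class BounceThrottle:
    """Track auto-reply timestamps per sender and cap them per day."""

    def __init__(self, max_per_day=3):  # threshold is an assumption
        self.max_per_day = max_per_day
        self._sent = defaultdict(deque)  # address -> reply timestamps

    def allow(self, address, now):
        """Return True if an auto-reply to `address` may be sent at `now`.

        Drops timestamps older than one day, then admits the reply only if
        fewer than max_per_day replies remain in the window. Addresses are
        case-folded so that re-capitalised senders share one counter.
        """
        history = self._sent[address.strip().lower()]
        while history and now - history[0] >= DAY:
            history.popleft()
        if len(history) >= self.max_per_day:
            return False
        history.append(now)
        return True


def simulate(events, max_per_day=3):
    """Feed (sender, timestamp) events through the throttle.

    Returns (replies_sent, replies_suppressed).
    """
    throttle = BounceThrottle(max_per_day)
    sent = suppressed = 0
    for sender, ts in events:
        if throttle.allow(sender, ts):
            sent += 1
        else:
            suppressed += 1
    return sent, suppressed


# Constructed sample: a forged sender address is hit 100 times in under two
# hours while one unrelated human posts once. Only 3 + 1 replies go out.
FLOOD = [("victim@example.invalid", 60 * i) for i in range(100)]
FLOOD.append(("human@example.invalid", 1800))
```

The throttle limits amplification but does not eliminate backscatter: as the message notes, even a handful of misdirected replies can land a host on a blacklist.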