Challenge/response
I have a client who is concerned about his list subscriber addresses being spoofed. In other words someone who knows the addresses of people on the list can set up a mail server and spoof the subscriber so he can post nasty things to the list. He would like to set up a challenge/response mechanism so that when xyz@domain.com posts to the list, xyz@domain.com gets sent a copy of the message and must confirm that he/she was the sender before it gets posted. I don't see any configuration in Mailman for this. Is it possible?
BTW, searching the archives at mail-arcihve.com gets a 404 error.
On 2/8/07, Bob Morse <bob@morsemedia.net> wrote:
I have a client who is concerned about his list subscriber addresses being spoofed. In other words someone who knows the addresses of people on the list can set up a mail server and spoof the subscriber so he can post nasty things to the list. He would like to set up a challenge/response mechanism so that when xyz@domain.com posts to the list, xyz@domain.com gets sent a copy of the message and must confirm that he/she was the sender before it gets posted. I don't see any configuration in Mailman for this. Is it possible?
So far as I know, this isn't possible in Mailman. You'd have to modify the code. If you think you're up to it, other folk should be able to give you some pointers as to the best way to do this.
--
- Patrick Bogen
Bob Morse wrote:
BTW, searching the archives at mail-arcihve.com gets a 404 error.
I see that too, but that is a www.mail-archive.com issue. We can't do anything about it.
See <http://www.python.org/cgi-bin/faqw-mm.py?req=show&file=faq01.018.htp> for info on searching <http://mail.python.org/pipermail/mailman-users/> with Google.
-- Mark Sapiro <msapiro@value.net>
San Francisco Bay Area, California
The highway is for gamblers, better use your sense - B. Dylan
At 1:40 PM -0800 2/8/07, Bob Morse wrote:
He would like to set up a challenge/response mechanism so that when xyz@domain.com posts to the list, xyz@domain.com gets sent a copy of the message and must confirm that he/she was the sender before it gets posted. I don't see any configuration in Mailman for this. Is it possible?
Challenge/response is one of the most vile inventions that has ever been applied to the concept of Internet e-mail. I would violently oppose any integration of such features into any project I was involved with.
At the very least, you would have to be very, very careful how such a system was created, so as to avoid the problem where the "cure" is far worse than any possible disease that you might have.
-- Brad Knowles <brad@shub-internet.org>, Consultant & Author
Co-author of SAGE Booklet #15 "Internet Postmaster: Duties and Responsibilities"
Founding Member and Platinum Individual Sponsor of LOPSA: <http://www.lopsa.org>
Papers: <http://tinyurl.com/tj6q4>
LinkedIn Profile: <http://tinyurl.com/y8kpxu>
Quoting Brad Knowles (brad@shub-internet.org):
At 1:40 PM -0800 2/8/07, Bob Morse wrote:
He would like to set up a challenge/response mechanism so that when xyz@domain.com posts to the list, xyz@domain.com gets sent a copy of the message and must confirm that he/she was the sender before it gets posted. I don't see any configuration in Mailman for this. Is it possible?
Challenge/response is one of the most vile inventions that has ever been applied to the concept of Internet e-mail. I would violently oppose any integration of such features into any project I was involved with.
Somebody should integrate PGP signing into Mailman (as an option) so that you could set it up so when you subscribe to a list you give it your public key, and you can't post to the list unless the message is PGP signed by that key.
<rant> Digital signatures on email is something that is extremely overdue. PGP signatures have been grafted on in a half-assed way, but someday either no mail will travel unless it's been correctly signed or email will disappear as a viable means of communication because of the spam problem. </rant>
-- Paul Tomblin <ptomblin@xcski.com> http://blog.xcski.com/
"Belligerent Design: The theory that life was put on this planet by an external sentient force just to piss me off." - Lore Brand Comics
Brad Knowles writes:
Challenge/response is one of the most vile inventions that has ever been applied to the concept of Internet e-mail.
*chuckle*
I wouldn't go so far, since the spam that evoked it is far worse, but I'm steadfastly opposed to challenge-response.
If you absolutely *must* do this thing, be prepared to get violent responses and to lose mail from people that you'd really like to get mail from.
Now that you're properly warned, I believe that there is a description of how to integrate TMDA, a popular Python-based challenge-response system, into Mailman in the Mailman FAQ wizard. If not, I suppose there would be one on the TMDA home page.
I have a client who is concerned about his list subscriber addresses being spoofed. In other words someone who knows the addresses of people on the list can set up a mail server and spoof the subscriber so he can post nasty things to the list. He would like to set up a challenge/response mechanism so that when xyz@domain.com posts to the list, xyz@domain.com gets sent a copy of the message and must confirm that he/she was the sender before it gets posted. I don't see any configuration in Mailman for this. Is it possible?
Challenge-response is a well-known spam relay issue, and very undesirable. Mailman privacy options allow you to force moderation of mail purportedly coming from specific addresses. You should also investigate methods using your MTA or adding a filter to the mailman address input, and not even think about challenge-response.
Hank
Bob Morse wrote:
I have a client who is concerned about his list subscriber addresses being spoofed. In other words someone who knows the addresses of people on the list can set up a mail server and spoof the subscriber so he can post nasty things to the list. He would like to set up a challenge/response mechanism so that when xyz@domain.com posts to the list, xyz@domain.com gets sent a copy of the message and must confirm that he/she was the sender before it gets posted. I don't see any configuration in Mailman for this. Is it possible?
BTW, searching the archives at mail-arcihve.com gets a 404 error.
Realize that should you implement Challenge/Response, your server WILL be blacklisted by various DNSBLs out there. Backscatter is indistinguishable from spam to spamtraps.
-- Jay Chandler
Network Administrator, Chapman University
714.628.7249 / chandler@chapman.edu
Today's Excuse: positron router malfunction
participants (8): Bob Morse, Brad Knowles, Jay Chandler, Mark Sapiro, Patrick Bogen, Paul Tomblin, Stephen J. Turnbull, vancleef@lostwells.net