Hello,
We have been asked by mail-abuse.org to make changes to the configuration to one of our servers. The following is their request...
-- message from mail-abuse.org ----------
Currently, when messages arrive at your mail server it runs them through SpamAssassin, which checks for spam and tags them. Your mail server then passes this tagged message to mailman.
Because it is to a -request address, mailman "knows" that these messages should contain commands. It ignores the fact that SpamAssassin has already tagged it (Subject: {Definitely Spam?}), and looks through every line looking for a "subscribe", "unsubscribe" or other command.
Of course, it doesn't find one. So, it builds up a helpful reply, sets the X-Administrivia header to yes, and appends the original message, and forwards this to the From: address.
Except that the From: address is forged, so the message, and its spam payload, get sent to an innocent third party.
Please properly configure your mailing list software to send list administrivia _only_ to a local administrator, or configure it not to send to forged From: addresses. In general, there is no need for "list administrivia" - it was an artifact of some of the original list management software. It does not serve a useful purpose today.
Actually we use administrivia in custom scripts and don't want to disable it. We even have members that still use the request commands.
I've searched the mailman wiki as well as the mailman-users archive and have not been able to find how to configure the administrivia recipient.
Any help would be appreciated.
Thanks, Beau Barnhart Look Media
Beau Barnhart wrote:
We have been asked by mail-abuse.org to make changes to the configuration to one of our servers. The following is their request...
Actually, the request understates the problem. See below.
-- message from mail-abuse.org ----------
Currently, when messages arrive at your mail server it runs them through SpamAssassin, which checks for spam and tags them. Your mail server then passes this tagged message to mailman.
Because it is to a -request address, mailman "knows" that these messages should contain commands. It ignores the fact that SpamAssassin has already tagged it (Subject: {Definitely Spam?}), and looks through every line looking for a "subscribe", "unsubscribe" or other command.
Of course, it doesn't find one. So, it builds up a helpful reply, sets the X-Administrivia header to yes, and appends the original message, and forwards this to the From: address.
Except that the From: address is forged, so the message, and its spam payload, get sent to an innocent third party.
And, this would occur even if spamassassin/MailScanner/whatever didn't tag the subject. In fact, if the message is truly spam with a forged From:, the likelihood that the subject contained a valid command before tagging is small. And even if it did contain a valid command, there is normally some reply from Mailman to the (forged) sender in any case.
This backscatter problem is well known, and it is a serious issue. Mailman 3 will address this to some degree.
Please properly configure your mailing list software to send list administrivia _only_ to a local administrator, or configure it not to send to forged From: addresses. In general, there is no need for "list administrivia" - it was an artifact of some of the original list management software. It does not serve a useful purpose today.
Actually we use administrivia in custom scripts and don't want to disable it. We even have members that still use the request commands.
I've searched the mailman wiki as well as the mailman-users archive and have not been able to find how to configure the administrivia recipient.
Any help would be appreciated.
There's not much you can do in Mailman 2.1.x, at least as far as configuration options go. You can disable the administrative addresses, but you say you don't want to do that. Changing the disposition of replies or their content requires code modification.
I really should implement a site option to not include original message content in auto responses. I meant to do it before now, but haven't. Maybe I can get to it for 2.1.15.
For more on this issue, see the thread "before next release: disable backscatter in default installation" beginning at <http://mail.python.org/pipermail/mailman-developers/2008-March/019804.html>.
One thing you can do is configure your MTA to not accept likely spam at SMTP time or simply discard (not reject) it if it was already accepted, or maybe do this only for Mailman recipient addresses if you don't want to do it universally. If you use MailScanner, it shouldn't be too difficult to concoct an appropriate rule set for this.
-- 
Mark Sapiro <mark@msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
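One way to apply the SMTP-time policy Mark describes, as an added example that is not code from this thread, Mailman or MailScanner: a small per-recipient filter an MTA hook could call, which discards SpamAssassin-tagged mail aimed at a Mailman command address so Mailman never builds the auto-reply to the forged From:. The command-address suffixes, the use of the X-Spam-Flag header alongside the Subject tag quoted in the report, and the sample messages are assumptions constructed for the example.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Assumed Mailman 2.1 command aliases (LIST-request, LIST-subscribe, ...).
# Adjust to the alias set actually installed for your lists.
COMMAND_SUFFIXES = ("request", "subscribe", "unsubscribe", "join", "leave", "confirm")
COMMAND_RE = re.compile(r"^(?P<list>[^@+]+)-(%s)@" % "|".join(COMMAND_SUFFIXES))

# Subject tag quoted in the mail-abuse.org report; assumed X-Spam-Flag header.
SUBJECT_TAG = "{Definitely Spam?}"


def is_command_address(rcpt: str) -> bool:
    """True if the envelope recipient is a Mailman command address."""
    return COMMAND_RE.match(rcpt.strip().lower()) is not None


def tagged_as_spam(msg: EmailMessage) -> bool:
    """True if SpamAssassin flagged the message (header flag or Subject tag)."""
    if msg.get("X-Spam-Flag", "").strip().upper() == "YES":
        return True
    return SUBJECT_TAG in msg.get("Subject", "")


def disposition(raw: bytes, rcpt: str) -> str:
    """Decide before handing mail to Mailman: 'discard' (accept and drop
    silently, so no bounce and no auto-reply reach the forged sender)
    for tagged spam sent to a command address, otherwise 'deliver'.
    Ordinary list posts are left to Mailman's own moderation."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    if is_command_address(rcpt) and tagged_as_spam(msg):
        return "discard"
    return "deliver"


# Constructed sample messages for a stand-alone run.
SPAM_TO_REQUEST = (b"From: innocent@example.org\r\n"
                   b"To: announce-request@lists.example.com\r\n"
                   b"Subject: {Definitely Spam?} special offer\r\n"
                   b"X-Spam-Flag: YES\r\n\r\nclick here\r\n")
CLEAN_COMMAND = (b"From: member@example.org\r\n"
                 b"To: announce-request@lists.example.com\r\n"
                 b"Subject: unsubscribe\r\n\r\nunsubscribe\r\n")

if __name__ == "__main__":
    print(disposition(SPAM_TO_REQUEST, "announce-request@lists.example.com"))
    print(disposition(CLEAN_COMMAND, "announce-request@lists.example.com"))
```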