Subscribe command doesn't check for spam?

Hi,
I'm using Mailman v. 2.1.9 on a Debian Linux platform. I'm running Exim4 as the MTA with SpamAssassin doing spam checking when messages are received in Exim (Exiscan-acl).
I've set up spam filtering rules in Mailman that will throw away messages that match ^X-Spam: YES in the headers. This works fine with most of the spam but messages that are sent to the *-subscribe address are accepted and not rejected.
This means that Mailman sends out confirmation requests to the spammer's mail address, which most often is not valid or goes to some bogus address. I'm also adding to the flow of unwanted mail messages on the net...
Is this a bug or a feature or have I gotten the things backwards?
Shouldn't postings to the subscribe address be checked in the spam filter?
Regards, /Martin

Martin Hagelin wrote:
It is a problem.
> Shouldn't postings to the subscribe address be checked in the spam filter?
Mailman's spam filters are designed to prevent unwanted mail from being delivered to the list or the list owner (i.e. humans). Thus only mail to the posting address and the -owner address is processed through Mailman's SpamDetect module.
As you note above and I acknowledge, sending autoresponses and/or subscription confirmation requests to spoofed addresses is a problem. We intend to mitigate this somewhat in Mailman 2.1.10 by optionally not including the original message in autoresponses, thus not relaying the spam itself, but this doesn't affect subscription confirmations.
The real question here is why aren't you just rejecting the spam at the MTA level instead of flagging and forwarding it, and then wanting to discard it in Mailman?
--
Mark Sapiro <msapiro@value.net>
San Francisco Bay Area, California
The highway is for gamblers, better use your sense - B. Dylan
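
The MTA-level rejection suggested in the reply above, sketched as an Exim 4 DATA ACL fragment. This is an added example, not configuration posted by either participant; it assumes Exim is built with content scanning and can reach spamd, and the ACL name and the 5.0-point threshold are assumed values.

```exim
# Added example: fragment of the ACL referenced by acl_smtp_data.
# Assumptions: the ACL is named acl_check_data, spamd is reachable via
# spamd_address, and 5.0 points is the chosen rejection threshold.

acl_check_data:

  # Flag-and-forward, as described in the question: the message is still
  # accepted, only a header is added. Mailman applies its header filter
  # to the posting and -owner addresses only, so mail to *-subscribe
  # still produces a confirmation request to the forged sender.
  #
  # warn   spam       = nobody
  #        add_header = X-Spam: YES

  # Reject inside the SMTP transaction instead. The sending host gets a
  # 5xx reply and the message never reaches Mailman, so no confirmation
  # request or autoresponse is generated, whichever list address it was
  # sent to.
  #
  # "spam = nobody:true" runs the scan and always succeeds, leaving the
  # decision to the explicit score test. $spam_score_int is the score
  # multiplied by ten, so 50 corresponds to 5.0 points.
  deny   message   = Rejected as spam ($spam_score points)
         spam      = nobody:true
         condition = ${if >{$spam_score_int}{50}{1}{0}}

  accept
```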
