Bad email for requests or subscription attempts possible
I think I have a situation where someone is sending email to one of my lists request address ie (lista-requests@domain.commailto:lista-requests@domain.com) from an invalid email address (maybe spoofing the sending address). Or they may be able to trying to subscribe and entering an invalid email address on the wbesite.
So what happens is the list admins gets a bunch of bounces. What is the best way to stop this? If I add an email to the ban section for a list, will mailman drop any email or requests from them if they are spoofing as a sender or trying to subscribe?
I may have a somewhat different problem, but I was getting subscription attempts (to Mailman 2) through the web site from addresses that didn't exist. I was worried about too much "backscatter" ruining our "reputation" on services that prevent users from deciding what isn't spam.
I tried one of the recommended modifications, which was to add to /etc/mailman/mm_cfg.py the simplest possible test to the web site, to prevent "bots" from trying to sign up, which came from Defaults.py:
SUBSCRIBE_FORM_SECRET = "<sRiI8Cye0i9QpHq1yKlMMzQY>" SUBSCRIBE_FORM_MIN_TIME = seconds(10) CAPTCHAS = { 'en': [ ('What is two times six?', '(12|twelve)'), ], }
I'm not sure that the first line did any good, but the second one seems to have worked like a charm. The problem completely went away. There are fancier solutions in Defaults.py, but this one worked for me.
HOWEVER, I also had to edit /var/lib/mailman/lists/jdm-society/en/listinfo.html to add the line
<tr><td><mm-captcha-ui></td></tr> just before the row with "Your name".
Jon
On 04/14/21 21:15, Bader, Robert (Bob) wrote:
I think I have a situation where someone is sending email to one of my lists request address ie (lista-requests@domain.commailto:lista-requests@domain.com) from an invalid email address (maybe spoofing the sending address). Or they may be able to trying to subscribe and entering an invalid email address on the wbesite.
So what happens is the list admins gets a bunch of bounces. What is the best way to stop this? If I add an email to the ban section for a list, will mailman drop any email or requests from them if they are spoofing as a sender or trying to subscribe?
-- Jonathan Baron, Professor of Psychology, University of Pennsylvania Home page: https://www.sas.upenn.edu/~baron Editor: Judgment and Decision Making (http://journal.sjdm.org)
Bader, Robert (Bob) writes:
I think I have a situation where someone is sending email to one of my lists request address ie (lista-requests@domain.commailto:lista-requests@domain.com) from an invalid email address (maybe spoofing the sending address). Or they may be able to trying to subscribe and entering an invalid email address on the wbesite.
So what happens is the list admins gets a bunch of bounces. What is the best way to stop this?
I'm sorry, but dealing with the first one is what list admins are for. Sorting these things out requires human intelligence. Banning helps, though:
If I add an email to the ban section for a list, will mailman drop any email or requests from them if they are spoofing as a sender or trying to subscribe?
I'm not sure what you're asking, so let me go into perhaps more detail than you want. Bottom Line Up Front: Banning such addresses will make your life better. I'm pretty sure it does what you want (except it can't filter out the *first* obnoxious attempt :-( ).
Mailman does not check for spoofing. In theory, the best that can be done is to check for From alignment of the domain in From with a DKIM signature, but there's no reasonable way to do it for web subscriptions. Worse, using DKIM to authenticate subscription or posting addresses is likely to cause more problems than it solves because users are very commonly posting or accessing the web from somewhere other than their nominal domain.
In principle, attempts to subscribe or post from a banned email address are discarded with extreme prejudice. For posting, you'd have to ask Mark about how this interacts with situations where some of the envelope sender, Sender field, and From field are *not* the banned address.
HTH
Steve
On 4/14/21 2:15 PM, Bader, Robert (Bob) wrote:
I think I have a situation where someone is sending email to one of my lists request address ie (lista-requests@domain.commailto:lista-requests@domain.com) from an invalid email address (maybe spoofing the sending address). Or they may be able to trying to subscribe and entering an invalid email address on the wbesite.
So what happens is the list admins gets a bunch of bounces. What is the best way to stop this? If I add an email to the ban section for a list, will mailman drop any email or requests from them if they are spoofing as a sender or trying to subscribe?
If you know the address and ban it, that will stop bounces of confirmation requests from the web subscribe CGI as the 'address is banned' response is sent back to the web browser. Also, Jon Baron's advice will help with web subscribes when you don't know what address or regexp to ban.
However, in the less likely bounces of replies to mail to the list-request address case, there's not much Mailman can do. Banning won't help as there will still be an email back to the address saying it's banned. Also, any kind of header filtering won't help as that's only for posts and mail to list-owner.
-- Mark Sapiro mark@msapiro.net The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan
participants (4)
-
Bader, Robert (Bob)
-
Jon Baron
-
Mark Sapiro
-
Stephen J. Turnbull