Re: [Mailman-Users] Fake Email

Barry Warsaw wrote:
On Oct 31, 2009, at 1:28 AM, Stephen J. Turnbull wrote:
A better way to do this would be to set up the MTA on Mailman's host to only deliver to the list address (ie, Mailman) if the sender has been authenticated (eg, with TLS).
Or to use digital signatures for sender verification. This is not something that Mailman currently supports.
-Barry
Another way to deal with this is sender confirmation by email, where, like subscriber confirmation by email, a message is sent with a confirmation link. Mailman doesn't have this capability presently but it seems to me that since it already has subscriber confirmation, it should be possible to adapt that sender confirmation.
This sender confirmation by email feature is available in L-Soft's LISTSERV, and it is an essential way to avoid fake email.
In a post a few years ago Barry said that this feature was going to be in vers. 2.2, but that version never materialized. Will it be in vers. 3?

Conrad Richter wrote:
Another way to deal with this is sender confirmation by email, where, like subscriber confirmation by email, a message is sent with a confirmation link. Mailman doesn't have this capability presently but it seems to me that since it already has subscriber confirmation, it should be possible to adapt that sender confirmation.
Do you really think it's a good idea to require every post to be confirmed? Note that since Mailman is downstream of the MTA, it doesn't have direct access to the sender's IP, so IPs can't be whitelisted.
Also, it is just another way to enable your server to be a source of Joe Jobs.

On Oct 31, 2009, at 12:47 PM, Conrad Richter wrote:
Another way to deal with this is sender confirmation by email, where, like subscriber confirmation by email, a message is sent with a confirmation link. Mailman doesn't have this capability presently but it seems to me that since it already has subscriber confirmation, it should be possible to adapt that sender confirmation.
This sender confirmation by email feature is available in L-Soft's LISTSERV, and it is an essential way to avoid fake email.
In a post a few years ago Barry said that this feature was going to be in vers. 2.2, but that version never materialized. Will it be in vers. 3?
Sort of. What I was talking about was using mail-back confirmation as
an option for allowing postings from email addresses that Mailman has
never seen before (i.e. non-validated). The confirmation message
would be a sort of on-demand validation that would optionally be
enough to allow that email address to post to the list. It still
doesn't solve any of the authentication problems with those email
addresses.
-Barry
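
A sketch of the mail-back confirmation discussed in this thread, added here as an illustration and not Mailman or LISTSERV code; the function names, the secret and the three-day lifetime are assumptions. It issues at most one outstanding confirmation per unknown address, which bounds the backscatter a forged sender can trigger, and a successful confirmation shows only that someone can read mail at that address.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key"  # assumption: per-list secret held on the server
TTL = 3 * 24 * 3600               # assumption: a confirmation is valid for 3 days

validated = set()                 # addresses that answered a confirmation
pending = {}                      # address -> expiry of the outstanding request

def _sign(addr, msgid, expires):
    """MAC binding the token to one address, one held post and one expiry."""
    data = f"{addr.lower()}|{msgid}|{expires}".encode()
    return hmac.new(SECRET, data, hashlib.sha256).hexdigest()

def handle_post(addr, msgid, now=None):
    """Return ('accept', None), ('hold', token) or ('hold', None)."""
    now = int(time.time()) if now is None else now
    addr = addr.lower()
    if addr in validated:
        return "accept", None
    if pending.get(addr, 0) > now:
        # Already asked once: hold without mailing again, so a flood of
        # forged posts produces a single confirmation message at most.
        return "hold", None
    expires = now + TTL
    pending[addr] = expires
    return "hold", f"{expires}.{_sign(addr, msgid, expires)}"

def confirm(addr, msgid, token, now=None):
    """Validate the address if the token is genuine and not expired."""
    now = int(time.time()) if now is None else now
    try:
        expires_s, mac = token.split(".", 1)
        expires = int(expires_s)
    except ValueError:
        return False
    good = _sign(addr, msgid, expires).encode()
    if expires < now or not hmac.compare_digest(mac.encode(), good):
        return False
    validated.add(addr.lower())
    pending.pop(addr.lower(), None)
    return True
```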

Again about this issue, please guide me how to configure Approve Header for email policy? And I wonder, if using Microsoft Outlook or Outlook Express to send mail to list, can user set header for him?
Rgds,
Huu Hien
-----Original Message-----
From: mailman-users-bounces+hien.hh=sbsc.com.vn@python.org [mailto:mailman-users-bounces+hien.hh=sbsc.com.vn@python.org] On Behalf Of Barry Warsaw
Sent: Wednesday, November 11, 2009 12:15 PM
To: Conrad Richter
Cc: Mailman-Users@python.org
Subject: Re: [Mailman-Users] Fake Email
On Oct 31, 2009, at 12:47 PM, Conrad Richter wrote:
Another way to deal with this is sender confirmation by email, where, like subscriber confirmation by email, a message is sent with a confirmation link. Mailman doesn't have this capability presently but it seems to me that since it already has subscriber confirmation, it should be possible to adapt that sender confirmation.
This sender confirmation by email feature is available in L-Soft's LISTSERV, and it is an essential way to avoid fake email.
In a post a few years ago Barry said that this feature was going to be in vers. 2.2, but that version never materialized. Will it be in vers. 3?
Sort of. What I was talking about was using mail-back confirmation as an option for allowing postings from email addresses that Mailman has never seen before (i.e. non-validated). The confirmation message would be a sort of on-demand validation that would optionally be enough to allow that email address to post to the list. It still doesn't solve any of the authentication problems with those email addresses.
-Barry

Hien HUYNH HUU wrote:
Again about this issue, please guide me how to configure Approve Header for email policy? And I wonder, if using Microsoft Outlook or Outlook Express to send mail to list, can user set header for him?
I am not an Outlook expert by any means, but I don't think Outlook provides a way for a user to set custom headers.
See the FAQ at http://wiki.list.org/x/XIA9, but be aware that if you put the Approved: line in the body of the message, it must be the first line of the first text/plain part of the message. This precludes using the body line method in an HTML only email. It will work in a multipart/alternative message that has a text/plain part, but in that case, removal of the line and password from the non-text/plain alternative parts is on a best effort basis and while generally successful, is not guaranteed.
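
A pre-send check for the placement rule described above, added here as an example and not Mailman's own parsing code; the function names and sample messages are constructed. It applies the rule as stated in the post (header, or first line of the first text/plain part) and lists the other parts that still contain the password, or reports the line as misplaced when it appears anywhere else.

```python
from email import message_from_string

def leaf_text(part):
    """Decoded text of a non-multipart MIME part."""
    return (part.get_payload(decode=True) or b"").decode("utf-8", errors="replace")

def check_approved_placement(raw):
    """Return (status, parts); status is header, body, misplaced or absent."""
    msg = message_from_string(raw)
    if msg.get("Approved") is not None:
        return "header", []
    leaves = [p for p in msg.walk() if not p.is_multipart()]
    plain = next((p for p in leaves if p.get_content_type() == "text/plain"), None)
    if plain is not None:
        lines = leaf_text(plain).splitlines()
        name, sep, value = (lines[0] if lines else "").partition(":")
        if sep and name.strip().lower() == "approved" and value.strip():
            secret = value.strip()
            # Copies in the other alternatives are removed only on a best-effort basis.
            return "body", [p.get_content_type() for p in leaves
                            if p is not plain and secret in leaf_text(p)]
    for p in leaves:
        if "approved:" in leaf_text(p).lower():
            return "misplaced", [p.get_content_type()]
    return "absent", []

# Constructed sample messages (addresses and password are made up).
ALTERNATIVE = """From: owner@example.org
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Approved: sekrit
Hello list.
--b1
Content-Type: text/html; charset="us-ascii"

<html><body><p>Approved: sekrit</p><p>Hello list.</p></body></html>
--b1--
"""
HTML_ONLY = """From: owner@example.org
Content-Type: text/html; charset="us-ascii"

<html><body><p>Approved: sekrit</p><p>Hello list.</p></body></html>
"""

if __name__ == "__main__":
    print(check_approved_placement(ALTERNATIVE), check_approved_placement(HTML_ONLY))
```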

participants (4)
- Barry Warsaw
- Conrad Richter
- Hien HUYNH HUU
- Mark Sapiro