Spam / Email Spoofing Problem (SPF check possible?)

Hello,
I am the administrator of some mailman lists of the student self-administration of our university. We happened to have some spam issues on our mailman lists. These spammers were able to send emails on our lists through mail spoofing (only faking the From: field in the header is sufficient to get accepted). With a faked sender email address, which was in accept_these_nonmembers of the list, they were able to send spam mails on the lists.
Are there any settings that we as administrators of the list could change to end that behavior? For example, is it possible in any way that Mailman only accepts emails that passed an SPF check? Or any other option to prevent emails with forged sender addresses from being distributed through the mailman list?
It would be great if someone knows a solution to that problem!
Cheers,
Valentin

PS: Used Mailman Version is 2.1.18

On 4/5/19 10:59 AM, Valentin Schwarze via Mailman-Users wrote:
I am the administrator of some mailman lists of the student self-administration of our university. We happened to have some spam issues on our mailman lists. These spammers were able to send emails on our lists through mail spoofing (only faking the From: field in the header is sufficient to get accepted). With a faked sender email address, which was in accept_these_nonmembers of the list, they were able to send spam mails on the lists.
Are there any settings that we as administrators of the list could change to end that behavior? For example, is it possible in any way that Mailman only accepts emails that passed an SPF check? Or any other option to prevent emails with forged sender addresses from being distributed through the mailman list?
These kinds of tests are better implemented in the incoming MTA before the mail ever gets to Mailman.
Mailman itself, without code modification or implementation of a custom handler (see <https://wiki.list.org/x/4030615>), has no way to check things like SPF.
You can use Privacy options... -> Spam filters -> header_filter_rules to take various actions based on regexp matches against message headers. This can be useful if you can identify things that separate the spam from the ham. Also, if you want to do certain tests in the MTA, but not reject the mail at SMTP time, you can have the MTA add a header which is checked by header_filter_rules.
-- 
Mark Sapiro <mark@msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

On 4/5/2019 10:59 AM, Valentin Schwarze via Mailman-Users wrote:
We happened to have some spam issues on our mailman lists. These spammers were able to send emails on our lists through mail spoofing (only faking the From: field in the header is sufficient to get accepted).
Do you have any mail/virus scanning in the pipeline before mailman? They're usually better tools for the job.
PS: Used Mailman Version is 2.1.18
Consider upgrading to the current version, too.
(Looks like Mark just posted about this, too.)
z!

On 4/5/19 11:59 AM, Valentin Schwarze via Mailman-Users wrote:
Are there any settings that we as administrators of the list could change to end that behavior? For example, is it possible in any way that Mailman only accepts emails that passed an SPF check? Or any other option to prevent emails with forged sender addresses from being distributed through the mailman list?
As Mark and Carl have stated, you are better off implementing email hygiene in your MTA and only passing clean messages to Mailman.
Note: SPF by itself won't do anything to protect against From: header spoofing. I would suggest that you also look into DKIM and particularly DMARC filtering.
-- 
Grant. . . .
unix || die

Grant Taylor via Mailman-Users writes:
Note: SPF by itself won't do anything to protect against From: header spoofing.
Sure, but if configured correctly, it gives you exactly the information you need. The problem with SPF is that a lot of header spoofing is legitimate (at least from the point of view of the sender). For example, using your school address as From on your Gmail account.
I would suggest that you also look into DKIM and particularly DMARC filtering.
These don't help with the fundamental problem of host-based sender authentication. You still need to use a school MTA to send mail with your school address, and that often sucks from the point of view of the users.
If Valentin is willing to enforce that (in my experience, pretty draconian) restriction, SPF is good enough for the application at hand, DKIM is more robust against many kinds of forwarding. DMARC policy (other than "none") is likely a disaster in an educational setting.
Steve
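Mark's suggestion of letting the MTA record its verdict in a header that header_filter_rules then matches, together with Grant's and Steve's point that SPF vouches for the envelope sender rather than the From: header, as an added example that is not from the thread or from Mailman's code. It assumes the incoming MTA writes an RFC 8601 Authentication-Results header under the authserv-id mx.example.edu and preserves the envelope sender in Return-Path; the message and all domains are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: what Mailman would receive after the incoming MTA has
# recorded its SPF verdict in an Authentication-Results header (RFC 8601).
# The authserv-id mx.example.edu and all addresses are made up for this example.
SAMPLE_MSG = """Return-Path: <bounce@spammer.example>
Authentication-Results: mx.example.edu; spf=pass smtp.mailfrom=spammer.example
From: Committee Chair <chair@students.example.edu>
To: committee@lists.example.edu
Subject: Urgent invoice

Please see the attached invoice.
"""

# Modelled on Mailman 2.1 header_filter_rules: each rule is a regexp matched
# against the "Name: value" header lines (case-insensitive, multi-line) plus an
# action taken on the first match. Note that spf=pass alone is NOT a reason to
# accept: SPF authenticates the envelope sender, not the visible From: header.
HEADER_FILTER_RULES = [
    (r'^Authentication-Results:.*spf=(fail|softfail|none)', 'hold'),
]

def header_filter_action(raw, rules=HEADER_FILTER_RULES):
    """Return the action of the first matching rule, or None if none matches."""
    headers, _, _ = raw.partition('\n\n')
    for pattern, action in rules:
        if re.search(pattern, headers, re.IGNORECASE | re.MULTILINE):
            return action
    return None

def from_aligned_with_envelope(raw):
    """Does the From: domain equal the envelope-sender domain that SPF checked?

    This is the identifier alignment that DMARC adds on top of SPF; without it
    an SPF pass says nothing about whether the From: header is forged."""
    msg = message_from_string(raw)
    _, from_addr = parseaddr(msg.get('From', ''))
    _, envelope = parseaddr(msg.get('Return-Path', ''))
    from_domain = from_addr.rpartition('@')[2].lower()
    envelope_domain = envelope.rpartition('@')[2].lower()
    return bool(from_domain) and from_domain == envelope_domain
```

For the sample message header_filter_action returns None because the spammer's own domain passed SPF, yet from_aligned_with_envelope is False because the From: still claims the student address; only the second check catches this spoof.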

Valentin Schwarze via Mailman-Users writes:
I am the administrator of some mailman lists of the student self-administration of our university. We happened to have some spam issues on our mailman lists. These spammers were able to send emails on our lists through mail spoofing (only faking the From: field in the header is sufficient to get accepted). With a faked sender email address, which was in accept_these_nonmembers of the list, they were able to send spam mails on the lists.
It is helpful if you tell us more about the mail flows you *want* to go to the lists. For example, perhaps these addresses are in accept_these_nonmembers because the lists are one-way, going from a small number of allowed posters (eg, committee chairpersons) to the subscribers (eg, committee members). In that case it would be possible to give the allowed posters a password, which is included in a line of the form "Approved: PASSWORD", either in the message header, or as the very first line of the message, which Mailman will remove before distributing. (The message header method is preferred, because many clients produce HTML which makes it unreliable to remove the Approved line. This isn't a problem in the header. But many users may not know how to add such a line to their header.) This method can be very effective, depending on the list configuration and the sophistication of the allowed posters.
If the list configuration is different, there may be other ways. The only generic way to prevent spam is full-on content and source filtering based on known features of spam and known spam sources. Host-based authentication (SPF and DKIM) may be a solution depending on your users' habits, but as others have pointed out, these are best done in the MTA before passing the post to Mailman.
Steve
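The Approved: password mechanism Steve describes, as an added example modelled on Mailman 2.1's behaviour rather than taken from Mailman's own code: the password is looked for in the headers first, then on the first non-blank line of a text/plain body, and the matching line is stripped before distribution. The list password is a constructed placeholder; restricting the body check to text/plain mirrors Steve's caveat that the first-line method is unreliable for HTML mail.

```python
import hmac
import re
from email import message_from_string

# Constructed placeholder for the moderator password shared with allowed
# posters; not from the thread.
LIST_PASSWORD = 'correct horse battery staple'
# Mailman accepts both "Approved:" and "Approve:" spellings.
APPROVED_RE = re.compile(r'^Approved?:\s*(.*?)\s*$', re.IGNORECASE)

def approved_password(raw):
    """Find and strip an Approved: line, then compare it to the list password.

    Returns (is_approved, cleaned_message_text). Headers are checked first;
    the body is only inspected when it is plain text, because HTML bodies
    make reliably removing the line impossible (Steve's point above)."""
    msg = message_from_string(raw)
    candidate = None
    for name in ('Approved', 'Approve'):
        if msg[name] is not None:
            candidate = msg[name].strip()
            del msg[name]            # never let the password reach subscribers
            break
    if candidate is None and msg.get_content_type() == 'text/plain':
        lines = msg.get_payload().splitlines(keepends=True)
        i = 0
        while i < len(lines) and not lines[i].strip():
            i += 1               # tolerate leading blank lines
        if i < len(lines):
            m = APPROVED_RE.match(lines[i])
            if m:
                candidate = m.group(1)
                del lines[i]
                msg.set_payload(''.join(lines))
    # Constant-time comparison so a wrong guess does not leak prefix length.
    ok = candidate is not None and hmac.compare_digest(candidate, LIST_PASSWORD)
    return ok, msg.as_string()
```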