[Mailman-Developers] Indirect Spam Vulnerability

Matt Helsley larva at linux.ucla.edu
Wed Jun 18 19:52:18 EDT 2003


On 18 Jun 2003, Barry Warsaw wrote:

> > Couldn't mailman redirect bounce/moderation notifications in the case
> > where the FROM address is a mailman list and send it to the site/list
> > administrator instead (or maybe drop it completely??)? I think this would
> > avoid spamming the list subscribers while adding a minor load to the
> > administrator's work.
> > 
> > Does mailman 2.1.x already do this? If not, would this break something in
> > mailman? Is it unreasonably restrictive on the site/list administrator(s)?
> 
> Mailman doesn't do this, and it's not a bad idea.  Of course, the best
> you can do is prevent indirect spam within the same Mailman instance. 
> Another approach would be to set up a "suspicious header" hold on
> "Message-ID: <mailman." which is always added by the routines that
> Mailman uses to send out mail.  IWBNI you could actually configure
> Mailman to drop such messages.
> 
> -Barry

Would the hold be activated on the notification arriving at the spoofed
mailing list, or would it be activated on the post to the moderated list?
i.e.:
1)
 -spam-> moderated at myhost.com -notification-> *HOLD* foo at myhost.com

or would it be:
2)
 -spam-> moderated at myhost.com *HOLD* -notification-> foo at myhost.com

I guess part of the issue is which list admin (assuming they are separate
admins) should have to deal with this problem? I'd say you want the
moderated list admin to deal with it because they were the immediate
recipient (their policy should not cause others to suffer :), plus they
may somehow have better information with which to analyze the spam). 

OTOH, knowledge of a spammer who intentionally uses this technique to spam
foo at myhost.com may be something the admin of list foo should know
about...

I tend to favor #2 (moderated list admin).

Cheers,
	-Matt Helsley
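
Added example, not part of the original message and not Mailman's own code: a sketch of the two decision points discussed above, with scenario 1 as a Message-ID check at the receiving list and scenario 2 as a recipient check at the moderated list before it sends its notification. The function names, the LOCAL_LISTS set, the listname-owner address form and the sample messages are assumptions made for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumption: posting addresses of the lists hosted by this one installation.
LOCAL_LISTS = {"moderated@myhost.com", "foo@myhost.com"}


def hold_at_receiving_list(msg):
    """Scenario 1: list foo holds anything with a Mailman-generated Message-ID."""
    msgid = (msg.get("Message-ID") or "").strip().lower()
    return msgid.startswith("<mailman.")


def notification_recipient(post, this_list):
    """Scenario 2: the moderated list decides where its hold notice goes.

    The From header is trivially forged, so if it names a list on this
    installation the notice goes to this list's owner, not to subscribers.
    """
    _, sender = parseaddr(post.get("From", ""))
    sender = sender.lower()
    if sender in LOCAL_LISTS:
        local, _, domain = this_list.partition("@")
        return f"{local}-owner@{domain}"  # assumed owner-address convention
    return sender


# Constructed sample messages (not taken from the thread).
SPAM = message_from_string(
    "From: foo@myhost.com\n"
    "To: moderated@myhost.com\n"
    "Message-ID: <1234@spammer.invalid>\n"
    "\nspam body\n"
)
NOTICE = message_from_string(
    "From: moderated-bounces@myhost.com\n"
    "To: foo@myhost.com\n"
    "Message-ID: <mailman.0.1055980338.1234.moderated@myhost.com>\n"
    "\nYour message awaits moderator approval\n"
)
LEGIT = message_from_string(
    "From: alice@elsewhere.example\n"
    "To: moderated@myhost.com\n"
    "Message-ID: <abc@elsewhere.example>\n"
    "\nhello\n"
)

if __name__ == "__main__":
    print(hold_at_receiving_list(NOTICE))
    print(notification_recipient(SPAM, "moderated@myhost.com"))
```

Only the scenario 2 check sees the forged post itself; the scenario 1 check sees just the notification, which is why it cannot tell a relayed spam from any other Mailman-generated mail.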