[Mailman-Developers] Virus sent to lists "from" my domain - add password for moderated users

John W. Baxter jwblist at olympus.net
Wed Mar 17 00:39:49 EST 2004


On 3/15/2004 11:11, "Chuq Von Rospach" <chuqui at plaidworks.com> wrote:

> and I don't have a good answer for that, not at all. not sure how to
> close that hole offhand. we made it easy to figure out it IS a list, we
> show an address that the virus can tell has posting privs -- and we do
> no validation that it's actually coming from that address. ugh)

I muttered here a couple of years ago about digital signing of messages
which come from a non-moderated sender.  I know it introduces non-trivial
problems.

I don't think the viruses manage SMTP AUTH yet (these days, they're intent
on using their own SMTP servers and forging senders, so the needed
authenticator probably isn't available on the machine they've
infected...that could change)...one could certainly [try to] force mail to
come that way.

Here, incoming mail goes through our virus scan before getting farmed out to
the mailing list machine.  So far, that seems to have done its job.  (We're
weak on the spam side for the lists, but basically strong enough so
far--almost all the few spam incidents have been moderators making errors.)

  --John
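
An added example, not part of the original post or of Mailman's code: it contrasts the check described in the quoted text (posting rights decided by the From: header alone) with a gate that also requires proof the sender holds a secret. HMAC with a per-member shared secret stands in for the digital signing mentioned above; the `X-Post-Auth` header, the addresses and the secret are constructed for illustration.

```python
import hashlib
import hmac
from email import message_from_string
from email.utils import parseaddr

# Constructed sample data: one member allowed to post without moderation.
UNMODERATED = {"alice@example.org": b"constructed-per-member-secret"}
TAG_HEADER = "X-Post-Auth"  # hypothetical header name, not a Mailman feature

def sender(msg):
    """Address from the From: header, which the submitter fully controls."""
    return parseaddr(msg.get("From", ""))[1].lower()

def make_tag(secret, msg):
    """Bind sender, subject and body to the member's secret (single-part text only)."""
    body = msg.get_payload().replace("\r\n", "\n")
    data = "\n".join([sender(msg), msg.get("Subject", ""), body]).encode("utf-8")
    return hmac.new(secret, data, hashlib.sha256).hexdigest()

def accept_by_from_only(msg):
    """The weak check: anything claiming a privileged address is posted."""
    return sender(msg) in UNMODERATED

def accept_with_tag(msg):
    """Require a valid tag as well; everything else goes to moderation."""
    secret = UNMODERATED.get(sender(msg))
    tag = msg.get(TAG_HEADER, "")
    if secret is None or not tag:
        return False
    expected = make_tag(secret, msg)
    return hmac.compare_digest(tag.encode("utf-8"), expected.encode("utf-8"))

def build(from_addr, subject, body, secret=None):
    """Build a constructed sample message, tagged only if a secret is given."""
    msg = message_from_string(f"From: {from_addr}\nSubject: {subject}\n\n{body}")
    if secret is not None:
        msg[TAG_HEADER] = make_tag(secret, msg)
    return msg

# Constructed samples: a message with a forged From:, and a genuinely tagged one.
forged = build("Alice <alice@example.org>", "hi", "see attachment\n")
genuine = build("alice@example.org", "agenda", "Meeting at 10.\n",
                UNMODERATED["alice@example.org"])

if __name__ == "__main__":
    print("forged :", accept_by_from_only(forged), accept_with_tag(forged))
    print("genuine:", accept_by_from_only(genuine), accept_with_tag(genuine))
```

The tag does not stop an identical message from being resubmitted, and it only helps if the secret is not stored where software on the member's machine can read it, the same limit noted above for SMTP AUTH.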


