[Mailman-Developers] Possible spam attack against MM lists
Nigel Metheringham
Nigel.Metheringham at dev.intechnology.co.uk
Wed Sep 1 16:55:47 CEST 2004
On Wed, 2004-09-01 at 10:41 -0400, J C Lawrence wrote:
> On Wed, 01 Sep 2004 11:16:05 +0100
> Nigel Metheringham <Nigel.Metheringham at dev.intechnology.co.uk> wrote:
>
> > There has always been a stream of attempted SPAM to the lists I host,
> > and to date, touch wood, it's been caught by MTA address checking and
> > MM member only post checking.
>
> > I seem now to be getting posts to the list forged from addresses of
> > list members (or in one case a list itself). The rejection of these
> > so far has been pretty much by sheer luck (they failed the content
> > policy checks).
>
> > Are other people seeing this?
>
> Yup, to the tune of several score per day per list, tho I don't
> distinguish between SPAM and virus mail in this regard.

OK, maybe I have been lucky. Although getting the member list other
than by archive trawling isn't possible - EU data protection laws mean
that I routinely not only block list roster access but remove the
appropriate fragments from the list info pages.

> I use TMDA as a C/R system in front of all my lists and then remove all
> posting controls on the lists at the Mailman level. Given that the
> majority of list members never even try to post, this has been proven a
> particularly effective control.

I am wondering about switching to the Mailman members initially
moderated policy, although I don't really want to increase the load on
the moderators.

Since in this case (which may be isolated or coincidental) the address
forged as the sender address is a frequent list poster, using TMDA would
not seem to add much.

What might add something would be an option where posters get a response
back on postings similar to the current message held for moderation
where they have a choice of actions - post or cancel at a minimum.

> I also put mimefilter (a MIME stripper)
> in front of the lists to remove dangerous payloads, and then auto-junk
> messages which end up too short (this doesn't catch much, but just
> enough to be glad of). In 3 years of using this system or earlier variants
> of it I've had only 12 spam make it through the system. Not ideal, but
> certainly a tolerable rate.

It's recently been requested that we start allowing some MIME parts
through - especially PGP signature types and patch files. Loosening the
current paranoid content posting policy (which is actually there because
historically pipermail didn't MIME and I want the archives to be sane)
is going to open the cracks wider and allow some slime to lever things
open further...

Nigel.
--
[ Nigel Metheringham Nigel.Metheringham at InTechnology.co.uk ]
[ - Comments in this message are my own and not ITO opinion/policy - ]