[Mailman-Developers] Possible spam attack against MM lists

Nigel Metheringham Nigel.Metheringham at dev.intechnology.co.uk
Wed Sep 1 16:55:47 CEST 2004


On Wed, 2004-09-01 at 10:41 -0400, J C Lawrence wrote:
> On Wed, 01 Sep 2004 11:16:05 +0100 
> Nigel Metheringham <Nigel.Metheringham at dev.intechnology.co.uk> wrote:
> 
> > There has always been a stream of attempted SPAM to the lists I host,
> > and to date, touch wood, it's been caught by MTA address checking and
> > MM member only post checking.
> 
> > I seem now to be getting posts to the list forged from addresses of
> > list members (or in one case a list itself).  The rejection of these
> > so far has been pretty much by sheer luck (they failed the content
> > policy checks).
> 
> > Are other people seeing this?
> 
> Yup, to the tune of several score per day per list, tho I don't
> distinguish between SPAM and virus mail in this regard.

OK, maybe I have been lucky.  Although getting the member list other
than by archive trawling isn't possible - EU data protection laws mean
that I routinely not only block list roster access but remove the
appropriate fragments from the list info pages.

> I use TMDA as a C/R system in front of all my lists and then remove all
> posting controls on the lists at the Mailman level.  Given that the
> majority of list members never even try to post, this has been proven a
> particularly effective control.

I am wondering about switching to the Mailman members initially
moderated policy, although I don't really want to increase the load on
the moderators.

Since in this case (which may be isolated or co-incidental) the address
forged as the sender address is a frequent list poster, using TMDA would
not seem to add much.  

What might add something would be an option where posters get a response
back on postings similar to the current message held for moderation
where they have a choice of actions - post or cancel at a minimum.

>   I also put mimefilter (a MIME stripper)
> in front of the lists to remove dangerous payloads, and then auto-junk
> messages which end up too short (this doesn't catch much, but just
> enough to be glad of).  In 3 years of using this system or earlier variants
> of it I've had only 12 spam make it through the system.  Not ideal, but
> certainly a tolerable rate.

It's recently been requested that we start allowing some MIME parts
through - especially PGP signature types and patch files.  Loosening the
current paranoid content posting policy (which is actually there because
historically pipermail didn't MIME and I want the archives to be sane)
is going to open the cracks wider and allow some slime to lever things
open further...

	Nigel.

-- 
[ Nigel Metheringham           Nigel.Metheringham at InTechnology.co.uk ]
[ - Comments in this message are my own and not ITO opinion/policy - ]
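
The looser content policy discussed in the message above, sketched as an added example (not code from the original post, Mailman or mimefilter): a MIME allowlist that lets plain text, patch files and PGP signatures through and keeps or drops a multipart/signed part as a unit. The allowed types, the extension list and all function names are assumptions made for illustration.

```python
from email.message import EmailMessage

# Assumed policy (not from the original post): leaf types allowed through.
ALLOWED_TYPES = {"text/plain", "text/x-patch", "text/x-diff",
                 "application/pgp-signature"}
# Assumed: a named attachment must also carry one of these extensions.
ALLOWED_EXTS = (".txt", ".patch", ".diff", ".asc")

def leaf_ok(part):
    """True if a non-multipart part passes both the type and filename checks."""
    name = part.get_filename()
    if name and not name.lower().endswith(ALLOWED_EXTS):
        return False
    return part.get_content_type() in ALLOWED_TYPES

def prune(part):
    """Drop disallowed parts in place; return False if nothing is left to keep."""
    if not part.is_multipart():
        return leaf_ok(part)
    if part.get_content_type() == "multipart/signed":
        # The signature covers the signed child byte for byte, so removing
        # anything inside would break verification: keep or drop as a unit.
        return all(leaf_ok(p) for p in part.walk() if not p.is_multipart())
    kept = [child for child in part.get_payload() if prune(child)]
    part.set_payload(kept)
    return bool(kept)

def sample_post():
    """Constructed sample: body text, a patch, and a binary attachment."""
    msg = EmailMessage()
    msg["From"] = "member@example.org"
    msg["Subject"] = "[PATCH] fix typo"
    msg.set_content("Patch attached.\n")
    msg.add_attachment("--- a/README\n+++ b/README\n", subtype="x-patch",
                       filename="fix.patch")
    msg.add_attachment(b"\x00\x01", maintype="application",
                       subtype="octet-stream", filename="notes.bin")
    return msg

def surviving_types(msg):
    """Content types of the leaf parts left after pruning ([] means reject)."""
    if not prune(msg):
        return []
    return [p.get_content_type() for p in msg.walk() if not p.is_multipart()]

if __name__ == "__main__":
    print(surviving_types(sample_post()))
```

A filter like this only narrows what reaches the archive; it does nothing about a forged member address, which is a separate check.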



