[Mailman-Developers] Possible spam attack against MM lists

J C Lawrence claw at kanga.nu
Wed Sep 1 17:22:59 CEST 2004


On Wed, 01 Sep 2004 15:55:47 +0100 
Nigel Metheringham <Nigel.Metheringham at dev.intechnology.co.uk> wrote:
> On Wed, 2004-09-01 at 10:41 -0400, J C Lawrence wrote:
>> On Wed, 01 Sep 2004 11:16:05 +0100 Nigel Metheringham
>> <Nigel.Metheringham at dev.intechnology.co.uk> wrote:

>> I use TMDA as a C/R system in front of all my lists and then remove
>> all posting controls on the lists at the Mailman level.  Given that
>> the majority of list members never even try to post, this has been
>> proven a particularly effective control.

> I am wondering about switching to the Mailman members initially
> moderated policy, although I don't really want to increase the load on
> the moderators.

Quite.  I implemented the TMDA system for my lists initially just to get
the SPAM load off me as moderator.  There's quite a relief in running a
fully moderated list and getting single digit SPAM at the moderation
interface per year.

> Since in this case (which may be isolated or co-incidental) the
> address forged as the sender address is a frequent list poster, using
> TMDA would not seem to add much.

TMDA uses the envelope sender rather than the From: address, which
successfully traps most forged spam/virus mail.

> What might add something would be an option where posters get a
> response back on postings similar to the current message held for
> moderation where they have a choice of actions - post or cancel at a
> minimum.

Yup, and in fact TMDA can be set up to do precisely this: just configure
it to not add confirmants to the whitelist and reword the confirm
request message to read as a posting check.

>> I also put mimefilter (a MIME stripper) in front of the lists to
>> remove dangerous payloads, and then auto-junk messages which end up
>> too short (this doesn't catch much, but just enough to be glad of).  In
>> 3 years of using this system or earlier variants of it I've had only
>> 12 spam make it through the system.  Not ideal, but certainly a
>> tolerable rate.

> It's recently been requested that we start allowing some MIME parts
> through - especially PGP signature types and patch files.

This is precisely why I use mimefilter instead of demime: it can be
configured to leave specific MIME types untouched.  I also wrapped
mimefilter in a procmail recipe that skips the mimefilter step if a
special X-header is present.  In this way some MIME types can always get
through, and individual members can special case specific messages to
get a particular MIME construct onto the list.  So far it has worked
perfectly.

> Loosening the current paranoid content posting policy (which is
> actually there because historically pipermail didn't MIME and I want
> the archives to be sane) is going to open the cracks wider and allow
> some slime to lever things open further...

Yeah, that's always the problem.  As I keep telling a few people at
work:

  Security (and accounting for that matter) is all about making sure
  that people don't do things.  Getting our jobs done is all about
  actually doing things...

-- 
J C Lawrence
---------(*)                Satan, oscillate my metallic sonatas.
claw at kanga.nu               He lived as a devil, eh?
http://www.kanga.nu/~claw/  Evil is a name of a foeman, as I live.
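The procmail chain described in the message above (header-controlled bypass of the MIME stripper, junking of messages that come out too short, then hand-off to the list), as an added example that is not J C Lawrence's own recipe. It assumes mimefilter reads a message on stdin and writes the stripped version to stdout; the header name X-Allow-MIME, the 200-byte cutoff, the junk mailbox path and the list name are constructed placeholders, and the Mailman path is the stock Mailman 2.1 mail wrapper.

```procmail
# Added example of the chain described in the post; not the poster's
# actual recipe.  Assumes mimefilter filters stdin to stdout.  Header
# name, size cutoff, junk path and list name are constructed.

LISTNAME=example-list
MAILMAN=/usr/lib/mailman/mail/mailman
JUNK=/var/spool/junk/too-short

# A member who needs a particular MIME construct on the list sets this
# header; everyone else goes through the stripper.  The negated
# condition means "filter unless the header is present".
:0 fw
* ! ^X-Allow-MIME: yes
| mimefilter

# A message that is almost empty after stripping was all payload:
# junk it instead of handing it to the list.  procmail's size test
# counts headers too, so tune the cutoff to your header volume.
:0
* < 200
$JUNK

# Whatever survives goes to Mailman for normal list processing.
:0 w
| $MAILMAN post $LISTNAME
```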