[Mailman-Developers] Possible spam attack against MM lists
J C Lawrence
claw at kanga.nu
Thu Sep 2 07:37:41 CEST 2004
On Thu, 02 Sep 2004 14:30:19 +0900
Stephen J Turnbull <stephen at xemacs.org> wrote:
>> I use TMDA as a C/R system in front of all my lists and then remove
>> all posting controls on the lists at the Mailman level. Given that
>> the majority of list members never even try to post, this has been
>> proven a particularly effective control.
> Since the majority of spam uses faked addresses all around, except on
> the envelope, I can see why.
Yup.
> I'm afraid you may be in for a nasty surprise in the near future (at
> least if you run open-subscribe lists, even with confirmation) as I've
> witnessed two recent incidents where the spammer subscribed to a
> members-only-post list, then spammed.
Given the ubiquity of Mailman it is only a matter of time. Turing tests
are a bitch.
> Since the confirmation for the subscription requires a valid address,
> the TMDA challenge would go there, too!
There's a minor detail of the envelope continuing to agree with the
From: which can hurt there, but that's a detail.
--
J C Lawrence
---------(*) Satan, oscillate my metallic sonatas.
claw at kanga.nu He lived as a devil, eh?
http://www.kanga.nu/~claw/ Evil is a name of a foeman, as I live.