[Mailman-Developers] list confirm and request addresses acting as open relay

Giuliano Gavazzi dev+lists at humph.com
Thu Oct 19 01:37:07 CEST 2006


Hello, sorry if this is a dumb observation, but recent spam to the
posting address of one of our lists (fortunately a moderated
distribution-only list) has prompted some tests on my part.
I have then noticed that the confirm address (listname-confirm+... at ...)
and the request address (listname-request at ...) act as
mirrors to the alleged envelope sender, sending back the whole email
after the parsed commands.
Until now no spammers have used this, but sooner or later they will.

For the "confirm" case I suppose a solution would be to only reply to  
confirm strings that are in the database and only if the envelope  
sender IS the one associated to the particular confirm string.
For the "request" case instead the situation is more complex. The  
reply should only be generated if the sender is a subscriber to the  
list, unless, of course, the subject is "subscribe". If it is a  
subscribe though the body of the message does not contain the  
original body and the damage is limited. In this "subscribe" case  
perhaps a throttling or maximum number of outstanding subscription
requests would be a good idea.
Of course this might be in the latest release but I did not find  
mention in the list.

Thank you

Giuliano
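The reply policy sketched in this post, written out as decision functions (an added example, not Mailman's own code): a confirm cookie is answered only when it is known and was issued to the same envelope sender, and a request command is answered only for members, except "subscribe", which is capped per sender. The member set, pending-cookie table and the cap of 3 outstanding requests are constructed here for illustration.

```python
from dataclasses import dataclass, field

MAX_OUTSTANDING = 3  # assumed cap on pending subscribe requests per sender


@dataclass
class ListState:
    members: set                      # subscribed addresses (lowercased)
    pending_confirms: dict            # confirm cookie -> envelope sender it was issued to
    outstanding: dict = field(default_factory=dict)  # sender -> open subscribe requests


def confirm_reply_allowed(state, cookie, sender):
    """Answer a -confirm message only if the cookie exists in the database
    AND the envelope sender is the address the cookie was issued to.
    A forged sender with a guessed or harvested cookie gets no reply."""
    return state.pending_confirms.get(cookie.strip().lower()) == sender.lower()


def request_reply_allowed(state, command, sender):
    """Answer a -request command only for list members. Non-members are
    allowed 'subscribe' alone (its reply does not echo the original body),
    and only until MAX_OUTSTANDING requests from that sender are pending."""
    sender = sender.lower()
    if sender in state.members:
        return True
    if command.strip().lower() != "subscribe":
        return False                  # no echo of arbitrary bodies to strangers
    if state.outstanding.get(sender, 0) >= MAX_OUTSTANDING:
        return False                  # throttle: too many open requests already
    state.outstanding[sender] = state.outstanding.get(sender, 0) + 1
    return True


def make_sample_state():
    """Constructed sample data: one member and one pending confirmation."""
    return ListState(
        members={"alice@example.org"},
        pending_confirms={"abc123": "bob@example.net"},
    )


if __name__ == "__main__":
    s = make_sample_state()
    print(confirm_reply_allowed(s, "abc123", "bob@example.net"))      # True
    print(confirm_reply_allowed(s, "abc123", "victim@example.com"))   # False
    print(request_reply_allowed(s, "help", "victim@example.com"))     # False
```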

