[Mailman-Developers] list confirm and request addresses acting as open relay
Giuliano Gavazzi
dev+lists at humph.com
Thu Oct 19 01:37:07 CEST 2006
Hello, sorry if this is a dumb observation, but recent spam to the
posting address of one of our lists (fortunately a moderated
distribution-only list) has prompted some tests on my part.
I have then noticed that the confirm address (listname-confirm
+... at ...) and the request address (listname-request at ...) act as
mirrors to the alleged envelope sender, sending back the whole email
after the parsed commands.
Until now no spammers have used this, but sooner or later they will.
For the "confirm" case I suppose a solution would be to only reply to
confirm strings that are in the database and only if the envelope
sender IS the one associated with the particular confirm string.
For the "request" case instead the situation is more complex. The
reply should only be generated if the sender is a subscriber to the
list, unless, of course, the subject is "subscribe". If it is a
subscribe, though, the body of the message does not contain the
original body and the damage is limited. In this "subscribe" case
perhaps throttling or a maximum number of outstanding subscription
requests would be a good idea.
Of course this might be in the latest release but I did not find
mention in the list.
Thank you
Giuliano
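One way to model the reply policy proposed in the message above (reply to a confirm cookie only when it exists and is bound to the envelope sender; answer -request commands only for subscribers, except "subscribe", which never echoes the original body and is capped per sender), as an added example that is not code from Mailman or from the poster. The `ListState` store, the function names and the limit of three outstanding subscribe requests are assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class ListState:
    """Constructed stand-in for a list's state (hypothetical, not Mailman's data model)."""
    members: set                      # lower-cased subscriber addresses
    pending_confirms: dict            # confirm cookie -> address that requested it
    outstanding_subscribes: dict = field(default_factory=dict)  # address -> count
    max_outstanding: int = 3          # assumed cap on unanswered subscribe requests


def should_reply_confirm(state: ListState, cookie: str, envelope_sender: str) -> bool:
    """Reply to listname-confirm+<cookie> only if the cookie is in the database
    AND was issued to this exact envelope sender. Unknown cookies or a forged
    sender get no reply at all, so nothing is bounced back to a third party."""
    owner = state.pending_confirms.get(cookie)
    return owner is not None and owner.lower() == envelope_sender.lower()


def should_reply_request(state: ListState, command: str, envelope_sender: str):
    """Decide a listname-request reply. Returns (send_reply, echo_original_body).

    - "subscribe": always answered, but the reply never carries the original
      body, and each sender may have at most max_outstanding unanswered requests.
    - anything else: answered only for subscribers; non-members get silence,
      so the request address cannot be used to relay mail to a forged sender.
    """
    sender = envelope_sender.lower()
    if command.strip().lower() == "subscribe":
        n = state.outstanding_subscribes.get(sender, 0)
        if n >= state.max_outstanding:
            return (False, False)     # throttled: too many outstanding requests
        state.outstanding_subscribes[sender] = n + 1
        return (True, False)          # reply, but without the original body
    is_member = sender in state.members
    return (is_member, is_member)     # members get the usual echoing reply
```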