[Mailman-Users] list of lists fodder for spammers?

Jon Carnes jonc at nc.rr.com
Sun Jan 26 19:27:03 CET 2003

I recommend that you front-end your mail servers with something like
Spam Assassin.  If you really want to be thorough you can use
Mailscanner with an anti-virus application that runs on Linux. 
Mailscanner will then use the local anti-virus application to scan all
messages for viruses and then pump the remaining messages through a
SpamAssassin filter to look for Spam.

Every place where I've installed SpamAssassin has fallen in love with
it.  It rapidly moves from being something nice to have, to being a
necessity they can't live without.

As for the list names being mined for spam, I've found that the biggest
worry is the web-enabled archives.

Mailman's features can help a little against spam.  You can set your
lists so that they only accept mail from either a list member or from a
user on the local domain. 

Good Luck - Jon Carnes

On Sun, 2003-01-26 at 12:26, Greg Westin wrote:
> Hello Mailman folk,
> I work with a group that provides services to student groups at a 
> university, and we're concerned that a lot of the lists have been 
> picking up spam lately.  The prime suspect, at this point, is Mailman's 
> publishing of list names.  If you can provide any input on how to 
> alleviate this problem, please let me know.  I'm copying below a 
> message (slightly modified) from one of the more knowledgeable people I 
> work with:
> ---
> My real concern with the behavior of the
> listinfo and admin scripts is that they publish the list of lists
> not only when invoked without arguments, but also if invoked on a
> non-existent list name.  Because apache can be configured to reject
> outside of ourdomain.edu or wherever requests for
> "http://lists.ourdomain.edu/mailman/listinfo",
> while still allowing
> "http://lists.ourdomain.edu/mailman/listinfo/hcs-discuss",
> but what if spammers start generating random list names and sending, 
> e.g.,
> "http://lists.ourdomain.edu/mailman/listinfo/sp4m"?  No way to
> stop such attacks except for Mailman to change its behavior (which
> the patched version on lists.ourdomain currently does).
> ---
> The patched version he's referring to simply denies access to 
> /mailman/listinfo (but not to /mailman/listinfo/valid-list-name) to 
> every request not from our domain.  It's an ugly hack, but it's 
> generally fine because students will almost always be working from a 
> university computer, except perhaps when home on vacation.
> Thanks for any help.  Please reply off-list if you're getting this via 
> mailman-developers, as I'm not subscribed to that list.  I am on 
> mailman-users, though.
> Greg Westin
> --
> http://www.gregwestin.com
> Contact info: http://www.gregwestin.com/contact.php
> ------------------------------------------------------
> Mailman-Users mailing list
> Mailman-Users at python.org
> http://mail.python.org/mailman/listinfo/mailman-users
> Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py
> Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
> This message was sent to: jonc at nc.rr.com
> Unsubscribe or change your options at
> http://mail.python.org/mailman/options/mailman-users/jonc%40nc.rr.com

More information about the Mailman-Users mailing list