[Mailman-Users] Help stopping Virus sent to lists "from" my domain

John W. Baxter jwblist at olympus.net
Thu Mar 11 20:34:56 CET 2004

On 3/11/2004 10:32, "Jerold Stratton" <jerry at sandiego.edu> wrote:

> On Thursday, March 11, 2004, at 09:50  AM, ted wrote:
>> I just posted a bug ticket for this problem.  You are the 3rd or 4th
>> person, including me, to have reported this to mailman-users
>> recently.  The bug ticket is here:
>> http://sourceforge.net/tracker/?group_id=103&atid=100103
>> Please add your comments to the item so the developers take this
>> seriously.  If you don't have a SourceForge account, you can create one
>> here:  http://sourceforge.net/account/register.php
> I've been having this problem also, but while I'm sure the developers
> are taking it seriously, I'm not sure what they can do. E-mail has only
> one means of determining who something is from: the envelope from.
> They could match the envelope to the from: line, but that's hardly a
> fix. The from: line is just as easy to forge as the envelope.
> The only way I can see of them "fixing" it is to disallow any
> non-moderated users or administrators. They could force all messages,
> even from list admins, to be moderated. I don't see that going over
> very well.

Any address which is automatically allowed to post is an opening for forged
posts.  I suggested a couple of years ago in the developers list that
consideration be given to creating an option in which situations like this
are handled by digitally signing the messages from the blessed senders, and
having Mailman check the signatures and reject unsigned and non-verifying
messages.  Doing this is decidedly non-trivial, and doing the signing may be
beyond some blessed senders' email abilities.

At the MTA level, one could specifically reject messages to the list posting
address which have the right envelope sender but don't come from the "right"
place(s) for that particular sender.

But it's probably easier to have the blessed senders moderated, unless
there's a high volume of posting by them.  (In many cases, if you can trust
them to post, you can trust them to moderate, now that Mailman has the
moderator level of access to the list.  So they can pass their own messages
through moderation.)
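
The MTA-level check suggested in the message above, sketched as an added example that is not part of the original post or of Mailman. It assumes the MTA hands the decision to an external policy service using Postfix's policy-delegation request format (`name=value` lines); the list address, sender addresses and networks are constructed placeholders.

```python
import ipaddress

# Constructed sample policy: list posting address -> blessed envelope sender
# -> networks that sender is expected to submit from (all values hypothetical).
POLICY = {
    "announce@lists.example.org": {
        "admin@example.org": ["192.0.2.0/24", "2001:db8:10::/48"],
        "editor@example.org": ["198.51.100.25/32"],
    },
}

def parse_request(text):
    """Parse one policy-delegation request (name=value lines) into a dict."""
    attrs = {}
    for line in text.splitlines():
        if not line.strip():
            break  # an empty line terminates the request
        name, _, value = line.partition("=")
        attrs[name.strip()] = value.strip()
    return attrs

def decide(attrs, policy=POLICY):
    """Return an access action for one RCPT TO to a list posting address."""
    recipient = attrs.get("recipient", "").lower()
    sender = attrs.get("sender", "").lower()
    blessed = policy.get(recipient)
    if blessed is None or sender not in blessed:
        # Not a protected list, or not an auto-approved sender:
        # leave it to the normal restrictions and list moderation.
        return "DUNNO"
    try:
        client = ipaddress.ip_address(attrs.get("client_address", ""))
    except ValueError:
        return "REJECT blessed sender from unidentifiable client"
    for net in blessed[sender]:
        network = ipaddress.ip_network(net)
        if client.version == network.version and client in network:
            return "DUNNO"  # right sender from the right place
    # Right envelope sender, wrong place: treat as forged.
    return "REJECT envelope sender not permitted from this client"
```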


