[Mailman-Users] SPAM relayed mail through Mailman.

Mark Sapiro msapiro at value.net
Mon May 16 02:23:32 CEST 2005

Colorado Tech Support wrote:

>Hi, I'm pretty new to this, but I've got a  problem.
>Last night, a SPAMer was able to relay 250 mail messages through my 
>server and I can't figure out how they did it.
>Here's my configuration:
>Fedora Core 2 - kernel-2.6.10-1.771_FC2
>apache - httpd-2.0.51-2.9
>Here's what I know...
>My sendmail is configured in a way to only allow relaying from IP 
>addresses within my network (the 192.168.blah.blah range).
>I believe this is configured correctly because I get "RELAYING DENIED" 
>messages all the time from SPAMers trying to relay through my server.
>The only reason I know about the attempt is because I received over 100 
>bounced messages to "mailman-ower at mydomain.com" from the target of the 
>The bounced messages all contained the original message (which came from 
>mailman-owner at mydomain.com).

How do you know that Mailman was even involved in sending the original
spam? Perhaps the mailman-owner address was just spoofed. Mailman
generally sends messages with Sender:, Errors-To: and envelope sender
of <somelistname>-bounces so that bounces go there, not directly to

What do the full headers of one of these bounced messages look like?

>My /etc/log/maillog file shows all 250 sendmails being relayed (here's 
>just one):
>maillog:May 14 21:02:52 nameofmyserver sendmail[14830]: j4F32px8014830: 
>from=<popcap-route at enki.popcap.com>, size=2408, class=0, nrcpts=1, 
>msgid=<courier.4286BBD9.000052C9 at enki.popcap.com>, bodytype=7BIT, 
>proto=ESMTP, daemon=MTA, relay=mail.popcap.com []

What in here indicates any Mailman involvement?

Mark Sapiro <msapiro at value.net>       The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

More information about the Mailman-Users mailing list