[Mailman-Users] How do the spammers do it?
Christophe Meessen
christophe at meessen.net
Mon May 16 14:37:53 CEST 2005
Brad Knowles wrote:
...
> If the signature is automatically generated by the MUA, then the
> trojans/spybots can make use of this and still get through. The only
> way you can make this work is if you require actual human intervention
> on the part of the sender,
That's true and is also the normal working model for signed messages.
> and that would probably also require human intervention on the part of
> the mailing list administrator -- for each and every message.
That's not true. A mail signature is basically a hash value encrypted
with a secret key. The public key, which is always passed along with the
hash value, allows one to decode the hash value and check the mail
integrity. So you simply need to save the user's public key, which you
receive with the signed subscription confirmation mail, with the other
user info.
Whenever this user sends a signed mail to the list you use his public
key to decode the hash value and check the mail integrity. If it's valid
you may forward it to the list. The signature can be removed if desired.
This would protect the list from forged mails.
For lists that don't require subscription, there is no way to tell the
difference between spammers and normal users.
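
The scheme described in the message above, as an added example that is not part of the original post and is not Mailman code: the list saves each subscriber's public key from the signed confirmation mail and checks later posts against that saved key only. It assumes toy textbook RSA built from Mersenne primes so that it runs with the standard library alone; `ListServer`, its methods and the addresses are hypothetical names.

```python
import hashlib

# Toy textbook-RSA keys from known Mersenne primes: constructed sample values,
# trivially breakable. A real list would verify OpenPGP or S/MIME signatures.
def make_key(p_exp, q_exp, e=65537):
    p, q = 2**p_exp - 1, 2**q_exp - 1
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))  # (public, private)

def digest(body):
    return int.from_bytes(hashlib.sha256(body).digest(), "big")

def sign(private, body):
    n, d = private
    return pow(digest(body), d, n)        # hash transformed with the secret key

def verify(public, body, signature):
    n, e = public
    return pow(signature, e, n) == digest(body)

class ListServer:                         # hypothetical, not a Mailman class
    def __init__(self):
        self.pinned = {}                  # subscriber address -> saved public key

    def confirm_subscription(self, addr, body, signature, attached_key):
        # Save the key once, and only if it verifies the confirmation mail.
        if addr in self.pinned or not verify(attached_key, body, signature):
            return False
        self.pinned[addr] = attached_key
        return True

    def accept_post(self, addr, body, signature, attached_key=None):
        # Verify against the key saved at subscription. The key attached to
        # the post is ignored: a forger can always attach a key of their own.
        key = self.pinned.get(addr)
        return key is not None and verify(key, body, signature)

def demo():
    addr = "alice@example.org"            # constructed address
    alice_pub, alice_priv = make_key(127, 521)
    forger_pub, forger_priv = make_key(89, 607)
    srv, post, spam = ListServer(), b"Hello list", b"Buy now"
    confirm = b"confirm subscription " + addr.encode()
    return [
        srv.confirm_subscription(addr, confirm, sign(alice_priv, confirm), alice_pub),
        srv.accept_post(addr, post, sign(alice_priv, post), alice_pub),      # genuine
        srv.accept_post(addr, spam, sign(forger_priv, spam), forger_pub),    # forged
        srv.accept_post(addr, post + b" (edited)", sign(alice_priv, post)),  # altered
        srv.confirm_subscription(addr, spam, sign(forger_priv, spam), forger_pub),  # re-pin
    ]
```

The last two cases show why the saved key matters: a valid signature under some other key, or an attempt to replace the saved key later, is rejected.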