[Mailman-Users] How hard is it to spoof an email?

JC Dill lists05 at equinephotoart.com
Sun Jan 29 21:15:56 CET 2006


Jp Possenti wrote:
> I have a couple of questions regarding that FAQ link:
> 
> 1. Setting the max_num_recipients to 1 will mean that any time I make a
> newsletter to the public, I need to login and approve that request, correct?

The number of "recipients" is the number of addresses in the email you 
compose.  When you sent this message (that I'm replying to), you 
addressed it to mailman-users at python.org which is just ONE recipient. 
(To the mailman server, this message had only one recipient.)  If you 
had sent this message to mailman-users at python.org and also to the author 
of the message you were replying to (via To or CC), then to the mailman 
server this message would have had two recipients.

The max_num setting is used to help prevent users from sending messages 
addressed "to" (or "cc") many different addresses in a single message. 
In most cases such messages are not messages you want distributed to your 
list.  This setting is usually used for discussion lists and the default 
is left alone for announcement lists because you control who and how the 
posts go to your list by using moderation and approved passwords, rather 
than by limiting the number of recipients in the initial email.

> I am just confused about the wording of the command. Does that mean that the
> message will go through but just to 1 person in the list and the other say
> 499 people will not receive it?

No, it does not do that and there is no setting to do that.

> 2.  For setting everyone's moderation bit on, I can figure that out as it's
> an option under General -> Additional settings. But for the second part
> regarding posting using an approved:header I don't see that option anywhere.
> How would this work?

I just updated the announcement list FAQ:

<http://www.python.org/cgi-bin/faqw-mm.py?query=approved+header&querytype=simple&casefold=yes&req=search>

to include:


   The approved header or first line has the following format:

        Approved: <password>

   If you are using this on the first line of your post, follow it
   with a blank line.  Mailman will recognize it as the "header" and
   remove it from the body. Follow it with a blank line because the
   line following the Approved: line is removed too (in Mailman 2.1.4
   anyway).


I don't know how HTML formatting and other email client oddities may 
affect using the approved header in the first line of your post so I 
can't be certain that this will work perfectly for you on your first 
try.  I've seen it happen where someone got confused, didn't use the 
approved header as a first line correctly, then approved the message 
using the web interface only to discover their message distributed to 
the whole list with the password included in the message.  So it's 
usually a good idea to use a test list with 2 or 3 subscribers and 
practice using the "first line of your post" approved password system a 
few times so you can be sure that it works as you expect before you try 
to use it on a large distribution list.

jc
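
An added example, not part of JC's message or of Mailman's own code: a pre-send check for the first-line "Approved:" form described above, which reports the mistakes that would send the password out to the list. The function name, the sample drafts and the placeholder password are constructed for illustration; matching on exactly "Approved:" is an assumption taken from the FAQ format.

```python
import email
import re
from email import policy

# Format from the FAQ text: "Approved: <password>" (assumed exact spelling).
APPROVED_RE = re.compile(r"^Approved:[ \t]*\S")

def check_approved_post(raw):
    """Return a list of problems in a draft that relies on an Approved:
    first line. An empty list means the draft matches the FAQ format."""
    msg = email.message_from_string(raw, policy=policy.default)
    if msg["Approved"] is not None:
        return []  # sent as a real header, so nothing in the body to leak
    problems = []
    if any(p.get_content_type() == "text/html" for p in msg.walk()):
        problems.append("HTML part present: try it on a test list first")
    plain = msg.get_body(preferencelist=("plain",))
    if plain is None:
        problems.append("no text/plain body to carry the Approved: line")
        return problems
    lines = plain.get_content().splitlines()
    if not lines or not APPROVED_RE.match(lines[0]):
        problems.append("first body line is not 'Approved: <password>'")
    elif len(lines) > 1 and lines[1].strip():
        problems.append("line after Approved: is not blank; "
                        "the FAQ says that line is removed too")
    # Any other Approved: line (even quoted) stays in the distributed body.
    stray = [n for n, text in enumerate(lines[1:], start=2)
             if text.lstrip(" >").startswith("Approved:")]
    if stray:
        problems.append(f"Approved: also appears on body line(s) {stray}; "
                        "it would be distributed")
    return problems

# Constructed drafts; the password is a placeholder.
HEADERS = "From: owner@example.org\nTo: announce@example.org\nSubject: News\n\n"
GOOD = HEADERS + "Approved: PLACEHOLDER-PASSWORD\n\nHello list.\n"
BAD = HEADERS + "\nApproved: PLACEHOLDER-PASSWORD\nHello list.\n"

if __name__ == "__main__":
    for name, draft in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_approved_post(draft) or "ok")
```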


