[Mailman-Users] How hard is it to spoof an email?
jimpop at yahoo.com
Sun Jan 29 22:31:07 CET 2006
Jp Possenti wrote:
> How hard would it be for someone to maliciously start sending all the users
> in my list emails or start deleting people from it by sending bounce errors
It's not hard at all. In fact it's quite easy. This is because the raw
archive data is available to the public. See this FAQ:
> or by spoofing the admin email and start emailing everyone on the list?
That's not hard at all either, although you probably shouldn't have your
admin email as a list member. Of course, the spammer could just use any
of your subscribers email addresses including the valid ones that
haven't posted in 4 years (*cough*, *cough*). See the recent "Verifying
> Is this a common problem, or is mailman secure about it? What are some ways
> to help avoid any problems?
Use an MTA that supports DKIM and/or SPF. These standards help to
verify who the sender is. So if bob at aol.com posts to your list, SPF
will verify that the email came from an approved aol.com server, not
something like 188.8.131.52-home.dsl.cox.net. DKIM takes it a step
further and adds an encrypted email header "key" that is carried with
the email during it's entire journey through multiple servers. This key
enables every "hop" to validate the email, whereas SPF is just
point-to-point validation based on email header info (which can very
easily be modified in transit).
> Please explain carefully and with plenty of details as I am still figuring
> things out.
Heck, that should be SOP for everyone. ;-)
More information about the Mailman-Users