[Mailman-Users] How hard is it to spoof an email?

Jim Popovitch jimpop at yahoo.com
Sun Jan 29 22:31:07 CET 2006


Jp Possenti wrote:
> How hard would it be for someone to maliciously start sending all the users
> in my list emails or start deleting people from it by sending bounce errors

It's not hard at all.  In fact it's quite easy.  This is because the raw 
archive data is available to the public.  See this FAQ: 
http://www.python.org/cgi-bin/faqw-mm.py?req=show&file=faq04.066.htp

> or by spoofing the admin email and start emailing everyone on the list?

That's not hard at all either, although you probably shouldn't have your 
admin email as a list member.  Of course, the spammer could just use any 
of your subscribers' email addresses including the valid ones that 
haven't posted in 4 years (*cough*, *cough*).  See the recent "Verifying 
posts" thread.

> Is this a common problem, or is mailman secure about it? What are some ways
> to help avoid any problems?

Use an MTA that supports DKIM and/or SPF.  These standards help to 
verify who the sender is.  So if bob at aol.com posts to your list, SPF 
will verify that the email came from an approved aol.com server, not 
something like 24.16.8.101-home.dsl.cox.net.  DKIM takes it a step 
further and adds an encrypted email header "key" that is carried with 
the email during its entire journey through multiple servers.  This key 
enables every "hop" to validate the email, whereas SPF is just 
point-to-point validation based on email header info (which can very 
easily be modified in transit).

> Please explain carefully and with plenty of details as I am still figuring
> things out.

Heck, that should be SOP for everyone.  ;-)

-Jim P.
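To make the SPF half of the answer above concrete, here is an added example (not part of Jim's post or of Mailman) of how a receiving MTA evaluates an SPF record: it takes the connecting IP and the envelope sender's domain, fetches the `v=spf1` TXT record, and walks the mechanisms left to right until one matches. All domain names, addresses and records below are constructed for the example; the DNS table is an in-memory stand-in for real lookups, and the mechanism set is limited to `ip4`, `ip6`, `a`, `include` and `all`.

```python
"""Minimal SPF evaluator over a constructed in-memory DNS table.

Constructed data: none of these domains, addresses or records are real.
"""
import ipaddress

# Assumption: this dict stands in for live TXT and A lookups.
FAKE_DNS = {
    "txt": {
        "example-isp.test": "v=spf1 a:mail.example-isp.test ip4:203.0.113.0/24 "
                            "include:_spf.relay.test -all",
        "_spf.relay.test": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
        "loop.test": "v=spf1 include:loop.test -all",   # self-referential record
    },
    "a": {
        "mail.example-isp.test": ["192.0.2.25"],
    },
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DNS_LOOKUPS = 10   # RFC 7208 limit on lookup-causing terms per evaluation


def _matches_cidr(ip, spec):
    """True if ip falls inside spec ('a.b.c.d', 'a.b.c.d/len', or IPv6 form)."""
    try:
        net = ipaddress.ip_network(spec, strict=False)
    except ValueError:
        return False
    return ip.version == net.version and ip in net


def check_host(ip, domain, dns=FAKE_DNS, counter=None):
    """Return pass/fail/softfail/neutral/none/permerror for ip claiming domain."""
    ip = ipaddress.ip_address(ip)
    counter = counter if counter is not None else {"lookups": 0}
    record = dns["txt"].get(domain.lower())
    if record is None:
        return "none"                      # domain publishes no SPF policy
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier = "+"                    # mechanisms default to '+' (pass)
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]   # 'all' always matches; ends evaluation
        if name in ("include", "a", "mx", "ptr", "exists"):
            counter["lookups"] += 1        # these terms cost a DNS lookup
            if counter["lookups"] > MAX_DNS_LOOKUPS:
                return "permerror"
        if name in ("ip4", "ip6"):
            matched = _matches_cidr(ip, arg)
        elif name == "a":
            host = arg or domain
            addrs = dns.get("a", {}).get(host.lower(), [])
            matched = any(ip == ipaddress.ip_address(a) for a in addrs)
        elif name == "include":
            sub = check_host(ip, arg, dns, counter)
            if sub in ("none", "permerror"):
                return "permerror"         # included domain must have a usable record
            matched = sub == "pass"        # include matches only on 'pass'
        else:
            return "permerror"             # mechanism not supported in this example
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                       # record exhausted with no 'all' term


def evaluate_mail_from(mail_from, client_ip, dns=FAKE_DNS):
    """SPF is checked against the envelope sender (MAIL FROM) and connecting IP."""
    domain = mail_from.rsplit("@", 1)[-1]
    return check_host(client_ip, domain, dns)


if __name__ == "__main__":
    # A post from an approved relay passes; one from an arbitrary host fails.
    print(evaluate_mail_from("bob@example-isp.test", "203.0.113.7"))   # pass
    print(evaluate_mail_from("bob@example-isp.test", "192.0.2.55"))    # fail
```

The `-all` versus `~all` distinction is what decides how hard a receiving list server can be about rejecting a spoofed envelope sender: `fail` is a positive statement that the IP is not authorised, while `softfail` only asks the receiver to treat the message with suspicion. The lookup counter shows why a self-referential or deeply nested `include` chain collapses to `permerror` rather than looping forever.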
