[Mailman-Users] How hard is it to spoof an email?
jp at pifiu.com
Sun Jan 29 22:50:00 CET 2006
So basically what you are saying is that Mailman is very insecure? (in
You say I should not have my admin email as a list member. By that you mean
"listname at domain.com" which is the default address as the admin?
If so then what am I supposed to create, and why would creating one make a
Also which email clients support the DKIM and/or SPF standards?
From: Jim Popovitch [mailto:jimpop at yahoo.com]
Sent: Sunday, January 29, 2006 4:31 PM
To: jp at pifiu.com
Cc: mailman-users at python.org
Subject: Re: [Mailman-Users] How hard is it to spoof an email?
Jp Possenti wrote:
> How hard would it be for someone to maliciously start sending all the
> in my list emails or start deleting people from it by sending bounce
It's not hard at all. In fact it's quite easy. This is because the raw
archive data is available to the public. See this FAQ:
> or by spoofing the admin email and start emailing everyone on the list?
That's not hard at all either, although you probably shouldn't have your
admin email as a list member. Of course, the spammer could just use any
of your subscribers' email addresses including the valid ones that
haven't posted in 4 years (*cough*, *cough*). See the recent "Verifying
> Is this a common problem, or is mailman secure about it? What are some
> to help avoid any problems?
Use an MTA that supports DKIM and/or SPF. These standards help to
verify who the sender is. So if bob at aol.com posts to your list, SPF
will verify that the email came from an approved aol.com server, not
something like 18.104.22.168-home.dsl.cox.net. DKIM takes it a step
further and adds an encrypted email header "key" that is carried with
the email during its entire journey through multiple servers. This key
enables every "hop" to validate the email, whereas SPF is just
point-to-point validation based on email header info (which can very
easily be modified in transit).
> Please explain carefully and with plenty of details as I am still figuring
> things out.
Heck, that should be SOP for everyone. ;-)