[Mailman-Users] How hard is it to spoof an email?

Brad Knowles brad at stop.mail-abuse.org
Mon Jan 30 01:39:04 CET 2006

At 1:56 PM -0500 2006-01-29, Jp Possenti wrote:

>  How hard would it be for someone to maliciously start sending all the users
>  in my list emails or start deleting people from it by sending bounce errors
>  or by spoofing the admin email and start emailing everyone on the list?

	It's trivially easy to spoof e-mail addresses.  Mailman works 
around that by allowing you to configure your list to be more secure 
and require confirmations for certain commands, or by sending its own 
confirmation e-mail once an action has taken place.

	The attacker may be able to spoof your e-mail address, but unless 
they can also access your mailbox, they can't see the unique 
confirmation string that they have to duplicate before the system 
will take the action in question, or to delete the notice that 
Mailman sends to the recipient.

>  Is this a common problem, or is mailman secure about it? What are some ways
>  to help avoid any problems?

	It all depends on how secure you want your list to be.  Part of 
the problem is that the more security features of this sort that you 
turn on, the more cumbersome it will be for people to post or 
subscribe to the list, change their address once subscribed, etc....

	You want to strike a balance here between securing your system 
against spoofing and making it too difficult to use.

>  Please explain carefully and with plenty of details as I am still figuring
>  things out.

	I'm not sure how much more I can explain, or precisely which part 
it is that you're most concerned about.

Brad Knowles, <brad at stop.mail-abuse.org>

"Those who would give up essential Liberty, to purchase a little
temporary Safety, deserve neither Liberty nor Safety."

     -- Benjamin Franklin (1706-1790), reply of the Pennsylvania
     Assembly to the Governor, November 11, 1755

  LOPSA member since December 2005.  See <http://www.lopsa.org/>.
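The confirmation-string mechanism Brad describes above, as an added illustration that is not Mailman's own code: a command that arrives by e-mail is never applied directly; a random token is mailed to the address the command claims to come from, and only someone who can read that mailbox can send the token back. Everything here (the `ListServer` class, the `outbox` standing in for real delivery, the three-day expiry) is assumed for the example, not taken from Mailman.

```python
"""Mailbox-control confirmation for list commands (illustrative, not Mailman's code)."""
import hmac
import secrets
from dataclasses import dataclass, field

TOKEN_TTL_SECONDS = 3 * 24 * 3600  # assumed expiry; Mailman's is configurable


@dataclass
class PendingRequest:
    action: str    # e.g. "unsubscribe"
    address: str   # the address the request *claims* to come from
    created: float # timestamp when the confirmation was issued


@dataclass
class ListServer:
    members: set
    pending: dict = field(default_factory=dict)  # token -> PendingRequest
    outbox: list = field(default_factory=list)   # (recipient, body) mails "sent"

    def handle_command(self, claimed_from: str, action: str, now: float) -> str:
        """A command arrives by e-mail. The From: address is trivially forgeable,
        so nothing is applied yet: a confirmation goes to the claimed address."""
        if action == "unsubscribe" and claimed_from not in self.members:
            return "ignored: not a member"
        token = secrets.token_hex(16)  # 128 bits, unguessable
        self.pending[token] = PendingRequest(action, claimed_from, now)
        self.outbox.append((claimed_from, f"confirm {token}"))
        return "confirmation sent"

    def handle_confirmation(self, token: str, now: float) -> str:
        """Apply the pending action only if the presented token matches one we
        issued. The token is the proof of mailbox control; whoever spoofed the
        original command never saw it unless they can also read that mailbox."""
        match = None
        for issued in self.pending:  # constant-time compare avoids a timing oracle
            if hmac.compare_digest(issued.encode(), token.encode()):
                match = issued
        if match is None:
            return "rejected: unknown token"
        req = self.pending.pop(match)  # single use
        if now - req.created > TOKEN_TTL_SECONDS:
            return "rejected: expired"
        if req.action == "unsubscribe":
            self.members.discard(req.address)
            return f"unsubscribed {req.address}"
        return "rejected: unknown action"


def spoof_scenario() -> dict:
    """Constructed scenario: a forged 'unsubscribe' for alice is sent, the sender
    guesses a token and fails, then alice herself confirms from her mailbox."""
    srv = ListServer(members={"alice@example.com"})
    outcome = {}
    outcome["forged_command"] = srv.handle_command("alice@example.com", "unsubscribe", now=1000.0)
    outcome["mail_went_to"] = srv.outbox[0][0]          # alice's mailbox, not the forger's
    outcome["guessed_token"] = srv.handle_confirmation("deadbeef", now=1001.0)
    outcome["still_member"] = "alice@example.com" in srv.members
    real_token = srv.outbox[0][1].split()[1]             # only readable in alice's mailbox
    outcome["owner_confirms"] = srv.handle_confirmation(real_token, now=1002.0)
    outcome["member_after"] = "alice@example.com" in srv.members
    outcome["replay"] = srv.handle_confirmation(real_token, now=1003.0)
    return outcome


if __name__ == "__main__":
    for k, v in spoof_scenario().items():
        print(f"{k}: {v}")
```

The design point is that the token is sent to the address being acted on, never to the sender of the command, so a forged From: only ever triggers a notice to the real owner; the token is single-use and expires, so a leaked or replayed confirmation cannot be reused.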

