[Mailman-Users] How hard is it to spoof an email?

Brad Knowles brad at stop.mail-abuse.org
Mon Jan 30 01:55:23 CET 2006


At 4:31 PM -0500 2006-01-29, Jim Popovitch wrote:

>                                                DKIM takes it a step
>  further and adds an encrypted email header "key" that is carried with
>  the email during its entire journey through multiple servers.  This key
>  enables every "hop" to validate the email, whereas SPF is just
>  point-to-point validation based on email header info (which can very
>  easily be modified in transit).

	If you're going to use DKIM, make sure that you are using Mailman 
2.1.7 (or later), with the most recent patches applied.  Prior 
versions of Mailman did not scrub the DKIM headers from messages as 
they were passing through, which meant that the signatures would be 
invalid for the recipients of the mailing lists.  This was fixed in 
2.1.7, but this version also introduced some other issues with 
archives (among others), which have since been patched by Tokio and 
Mark.

-- 
Brad Knowles, <brad at stop.mail-abuse.org>

"Those who would give up essential Liberty, to purchase a little
temporary Safety, deserve neither Liberty nor Safety."

     -- Benjamin Franklin (1706-1790), reply of the Pennsylvania
     Assembly to the Governor, November 11, 1755

  LOPSA member since December 2005.  See <http://www.lopsa.org/>.
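
Why a signature left in place goes stale at a list hop, as an added example (not Mailman's code and not part of the original message): it assumes the list appends a footer, so the body no longer matches the `bh=` body hash in the sender's DKIM-Signature header unless that header is scrubbed. Only the body hash with `simple` canonicalization is checked, not the RSA signature; the message, the footer and the `list_relay` helper are constructed for illustration.

```python
import base64, hashlib, re

SCRUB = (b"dkim-signature", b"domainkey-signature")

def simple_body_hash(body):
    """bh= value: 'simple' body canonicalization + SHA-256 (RFC 6376, 3.4.3)."""
    while body.endswith(b"\r\n"):          # ignore empty lines at the end
        body = body[:-2]
    return base64.b64encode(hashlib.sha256(body + b"\r\n").digest())

def split_message(raw):
    head, _, body = raw.partition(b"\r\n\r\n")
    return head.split(b"\r\n"), body

def body_hash_ok(raw):
    """None if unsigned, else whether the bh= tag still matches the body."""
    lines, body = split_message(raw)
    unfolded = re.sub(rb"\r\n[ \t]+", b" ", b"\r\n".join(lines))
    m = re.search(rb"(?im)^dkim-signature:.*?\bbh=([^;\r\n]+)", unfolded)
    if m is None:
        return None
    return m.group(1).replace(b" ", b"") == simple_body_hash(body)

def scrub(lines):
    """Drop signature headers, including their folded continuation lines."""
    kept, dropping = [], False
    for line in lines:
        if line[:1] not in (b" ", b"\t"):  # a new header starts here
            dropping = line.split(b":", 1)[0].strip().lower() in SCRUB
        if not dropping:
            kept.append(line)
    return kept

def list_relay(raw, footer, scrub_signatures):
    """Hypothetical list hop: append a footer, optionally scrub signatures."""
    lines, body = split_message(raw)
    if scrub_signatures:
        lines = scrub(lines)
    return b"\r\n".join(lines) + b"\r\n\r\n" + body + footer

# Constructed sample: body, folded signature header (b= is a dummy), list footer.
BODY = b"Hello list,\r\nnotes are attached.\r\n"
SIGNED = (b"From: alice@example.org\r\nSubject: notes\r\n"
          b"DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=example.org;\r\n"
          b"\ts=sel; h=from:subject; bh=" + simple_body_hash(BODY) +
          b"; b=CONSTRUCTED\r\n\r\n" + BODY)
FOOTER = b"_______________\r\nExample mailing list\r\n"
```

`body_hash_ok` returns `True` for `SIGNED`, `False` after `list_relay` adds the footer with the header left in place, and `None` once the header is scrubbed.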


