[Mailman-Users] Challenge/Response

Stephen J. Turnbull stephen at xemacs.org
Sat Feb 10 14:55:21 CET 2007


Bob Morse writes:

 > The problem remains, however: How do I prevent spoofing? In this case they
 > have a real fear due to a board member who is soon to be ejected from the
 > board and have organizational membership taken away. They feel he is capable
 > (both emotionally and technically) of major disturbances on one or more of
 > about a dozen mailing lists the organization maintains.

Wouldn't moderating non-members and requiring admin approval for
subscriptions be enough?  Or is he capable of spoofing a member's From
address?

If not, I've been there (the problem wasn't a board member, more like
a stalker).  However, challenge/response wouldn't help anyway, because
it's easy enough to set up an autoresponder for typical C/R systems.
If not, and he's determined, he'll just do the C/R dance by hand.

What we ended up with was blacklisting the guy's known accounts,
hosts, and IP addresses, which caught most of the shrapnel, and human
moderation for about a month.  He gave up after two weeks of zero
success in several hundred attempts to subscribe or otherwise get past
the filters.  Had he come back, they were prepared to cross-check IP
addresses from the Received headers against From addresses for the
regular posters.  Don't know if he would have been capable of getting
around that (spoofing both From and Received is easy enough if you
know what you're doing); fortunately we didn't have to go to those
extremes.  Here's hoping you don't have to, either.
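
[Added example, not part of the original message and not Mailman code: a sketch of the Received-versus-From cross-check described above, reading only the Received line written by the list's own MTA, since lines below it are sender-supplied. The MTA name, the per-poster network table and the sample messages are constructed assumptions.]

```python
import email
import ipaddress
import re
from email.utils import parseaddr

TRUSTED_MX = "mx.lists.example.org"   # assumed name of the list's own MTA
KNOWN_NETWORKS = {                    # constructed posting history
    "alice@example.org": ["192.0.2.0/24"],
    "bob@example.org": ["198.51.100.0/24", "2001:db8:1::/48"],
}
BRACKETED_IP = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")

def handoff_ip(msg):
    # Headers are prepended, so the first line naming our MTA is the one it
    # wrote; anything below it was supplied by the sender and may be forged.
    for hdr in msg.get_all("Received", []):
        flat = " ".join(hdr.split())
        if f" by {TRUSTED_MX} " not in flat:
            continue
        m = BRACKETED_IP.search(flat.split(" by ")[0])
        try:
            return ipaddress.ip_address(m.group(1)) if m else None
        except ValueError:
            return None

def check_post(raw):
    msg = email.message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    nets = KNOWN_NETWORKS.get(sender)
    if nets is None:
        return "hold: not a regular poster"
    ip = handoff_ip(msg)
    if ip is None:
        return "hold: no trusted Received line"
    if any(ip in ipaddress.ip_network(n) for n in nets):
        return "pass"
    return "hold: unfamiliar origin for this From address"

def sample_msg(sender, *received):    # builds constructed test messages
    head = [f"Received: {r}" for r in received] + [f"From: {sender}"]
    return "\n".join(head + ["Subject: hi", "", "body"])

STAMP = "with ESMTP id X1; Sat, 10 Feb 2007 14:00:00 +0100"
GENUINE = sample_msg("Alice <alice@example.org>",
    f"from mail.example.org (mail.example.org [192.0.2.15]) by {TRUSTED_MX} (Postfix) {STAMP}")
SPOOFED = sample_msg("Alice <alice@example.org>",
    f"from unknown (unknown [203.0.113.77]) by {TRUSTED_MX} (Postfix) {STAMP}",
    f"from alice-pc ([192.0.2.15]) by {TRUSTED_MX} (Postfix) {STAMP}")  # forged line

if __name__ == "__main__":
    print(check_post(GENUINE), "|", check_post(SPOOFED))
```

[A mismatch is routed to the moderator rather than rejected, because regular posters legitimately change networks.]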


