[Mailman-Users] Preventing spam to list owners
Brad Knowles
brad at shub-internet.org
Mon Oct 1 05:29:07 CEST 2007

On 9/30/07, Robert Braver wrote:

> Wholesale bouncing of list mail to non-subscribers is totally
> unacceptable due to the amount of outscatter this will cause. (see
> http://en.wikipedia.org/wiki/Backscatter#Backscatter_of_email_spam )

Mailman is pretty resistant to generating backscatter. Yes, if
configured to do so, it will generate it. But it keeps track of how
often it has responded to a given address in a given period of time,
and won't respond more than a set number of times in a day to a given
address. This effectively limits the ability to abuse Mailman as a
backscatter amplifier for a DDoS attack.

However, in some cases, even just a single instance of backscatter
can get you put on a blacklist. So, you've got to weigh the relative
evils of not responding at all to a potential legitimate message from
a real human being, or generating potential backscatter.

> It only took one list member from one of the smaller lists (which is
> private and not listed anywhere) who had their address book
> harvested by a trojan to cause about 50 spam emails a day to that
> list alone on an ongoing basis... so hiding the list addresses
> doesn't guarantee that they won't eventually leak out and get on the
> spam lists.

Security through obscurity never works. Ultimately, you always get
found out. Usually, that ends up happening sooner rather than later.

However, keeping lists private as part of a larger security scheme
can be effective -- just make sure that keeping the list private
isn't your only method of security.

--
Brad Knowles <brad at shub-internet.org>
LinkedIn Profile: <http://tinyurl.com/y8kpxu>
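
Added illustration (not part of the original message and not Mailman's own code): a minimal per-address, per-day cap on automatic replies of the kind described above, run over a constructed mail log. The class and function names, the limit of 10 and the sample addresses are assumptions made for this example.

```python
from collections import defaultdict
from datetime import date


class AutoResponseLimiter:
    """Cap automatic replies per sender address per calendar day."""

    def __init__(self, max_per_day=10):  # 10 is an assumed value
        self.max_per_day = max_per_day
        self._seen = {}  # address -> (day, replies sent that day)

    def allow(self, sender, day):
        addr = sender.strip().lower()  # treat case variants as one address
        last_day, count = self._seen.get(addr, (day, 0))
        if last_day != day:
            count = 0  # new day: the counter starts over
        if count >= self.max_per_day:
            self._seen[addr] = (day, count)
            return False  # cap reached: send nothing more today
        self._seen[addr] = (day, count + 1)
        return True


def replies_sent(limiter, messages):
    """Return {address: auto-replies sent} for (sender, day) pairs."""
    sent = defaultdict(int)
    for sender, day in messages:
        if limiter.allow(sender, day):
            sent[sender.strip().lower()] += 1
    return dict(sent)


# Constructed sample: 200 non-member posts carrying one forged sender
# address across two days, plus one genuine non-member post.
D1, D2 = date(2007, 9, 30), date(2007, 10, 1)
SAMPLE = ([("Victim@example.org", D1)] * 150
          + [("victim@example.org", D2)] * 50
          + [("human@example.net", D1)])

if __name__ == "__main__":
    print(replies_sent(AutoResponseLimiter(max_per_day=10), SAMPLE))
```

The cap bounds how much mail any one address receives per day; it does not make the first reply to a forged address any less a piece of backscatter, which is the trade-off weighed in the message above.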