[Mailman-Users] spam issue

Mark Sapiro mark at msapiro.net
Wed Apr 16 02:42:57 CEST 2008

Luke Daly wrote:

>I have a large list (22000) users. it is configured with the following settings :
>Action to take when a moderated member posts to the list. = Discard
>Action to take for postings from non-members for which no explicit action is defined. = Discard
>All users are moderated except where they are an administrator or moderator.

This is the problem. Did you see Brad's reply at
to your previous post.

This is not a secure way to set up an announcement list. Anyone can
send a post to the list spoofing the From: as one of the
admin/moderator addresses. This might even happen accidentally with
spam sent to a list spoofing the From: and just by chance hitting one
of the unmoderated addresses.

The secure way to handle posting to an announce list is to moderate
everyone. Then if you want to discard or reject posts from members,
you post from non-member addresses which you add to
hold_these_nonmembers, and then have an admin/moderator approve the
held post.

Alternatively, if you want to be able to post without the post being
held, the authorized posters need to know the list moderator password.
They then put the header

Approved: password

where 'password' is the list admin or moderator password either as an
actual header in the post or as the first line of the first plain text
part of the posted message. This is discussed in Brad's reply and in
which he referred to and also in

Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

More information about the Mailman-Users mailing list