[Mailman-Users] Are there any known exploits in 2.1.5 re requestemail address and spamming?

Mark Sapiro mark at msapiro.net
Sat Sep 20 21:53:03 CEST 2008

Martin J. Evans wrote:

>I've inherited a 2.1.5 mailman. In the last few days we've been 
>blacklisted by a  number of major sites. On further investigation it 
>looks like our mailman has been compromised in some way. Emails to the 
>request address are somehow being used to send spam. There are literally 
>thousands of them. I've stopped the list for now. Obviously 2.1.5 is way 
>out of date but I've looked at the changes since then and cannot see 
>something which looks like this issue although a search for mailman 
>request exploit brings up a number of entries which are not very 
>detailed. Does anyone know of an exploit in 2.1.5 which allows spam to 
>be sent via mailman in 2.1.5?

If I understand correctly what you are saying, spam is being sent to
the list-request address with a From: header containing an innocent
3rd party address. The response from Mailman, which contains the
original message, is sent to the innocent 3rd party.

Current Mailman through 2.1.11 will behave the same. These issues will
be addressed in 2.2.

In the mean time, the best solution is effective spam filtering ahead
of Mailman. Barring that, you can disable the -request and perhaps
other support addresses and force everyone to use the web for
subscribing, confirming, etc.

Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

More information about the Mailman-Users mailing list