[Mailman-Users] Backscatter spam via the "-request" address

Matt Hoskins matt at nipltd.com
Wed Feb 25 10:36:28 CET 2009

Recently I've noticed spammers have started spamming the "-request"
address on a couple of mailing lists I host. I don't know if this is
deliberate or they've just somehow picked up the -request addresses via
address collection mechanisms.

Anyway, the result is "The results of your email commands" mails going to
people who never sent a message to the list with a copy of the original
spam attached. From looking at the code I see that newer versions of
Mailman than the one I'm running don't include the original message in
the response to help the backscatter problem (so I've hacked the code on
the copy I've got to do the same).

The lists I run aren't open to people subscribing themselves - they have
to be added by the list administrator. To that end there's no need on my
server for the "-request" auto responder to reply to non-members. So to
my mind the following two options on a per-list basis would be useful to

  1) Be able to configure the "-request" auto responder to not reply if
there were no valid commands included in the message (the spammers
aren't spamming with valid commands at the moment)
  2) Be able to configure the "-request" auto responder to not reply to

There may be reasons why both those options are a bad idea or are
unworkable, but I thought I'd punt them out there in case anyone else
found them useful :).
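
Added example, not part of the original post and not Mailman's own code: a stand-alone sketch of the reply decision the post asks for, suppressing the "-request" auto-response when the message carries no valid command or when the sender is not a list member. The function names, the command subset, and the sample messages and addresses are assumptions made for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumption: an illustrative subset of the command words a -request
# address accepts; a real deployment would use the list server's own set.
KNOWN_COMMANDS = {"help", "subscribe", "unsubscribe", "join", "leave",
                  "confirm", "who", "info", "lists", "set", "password"}

# Constructed sample messages (not real traffic).
SPAM = ("From: victim@example.net\nTo: list-request@example.org\n"
        "Subject: Cheap watches\n\nBuy now at our store\n")
MEMBER_HELP = "From: Alice <alice@example.org>\nSubject: help\n\n"
MEMBER_NOISE = ("From: alice@example.org\nSubject: hello there\n\n"
                "just chatting\n")
MEMBERS = {"alice@example.org"}


def find_commands(msg):
    """Return command lines found in the Subject and text/plain parts."""
    lines = [msg.get("Subject", "")]
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            lines += payload.decode("utf-8", "replace").splitlines()
    found = []
    for line in lines:
        words = line.strip().split()
        if not words:
            continue
        if words[0].lower() == "end":      # "end" stops command processing
            break
        if words[0].lower() in KNOWN_COMMANDS:
            found.append(line.strip())
    return found


def should_reply(raw, members, require_command=True, members_only=True):
    """Decide whether the auto-responder may answer; returns (bool, reason)."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    if members_only and sender not in members:
        return False, "sender is not a list member"
    if require_command and not find_commands(msg):
        return False, "no valid command in message"
    return True, "ok"


if __name__ == "__main__":
    for name, raw in [("spam", SPAM), ("help", MEMBER_HELP),
                      ("noise", MEMBER_NOISE)]:
        print(name, should_reply(raw, MEMBERS))
```

The From header is unauthenticated, so the membership check only limits possible backscatter recipients to addresses already on the list, and a spam subject that happens to begin with a command word would still count as a command.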


