[Mailman-Users] What is the best way to avoid fake senders?

Mark Sapiro mark at msapiro.net
Fri Apr 2 20:38:47 CEST 2010

On 4/1/2010 10:35 PM, Δημήτριος Καραπιπέρης wrote:
> I am investigating ways how to avoid any fake senders trying to get
> through and approach my recipients.
> I concluded the following
> a) use envelope_sender to figure out the sender

If you're thinking of the mm_cfg.py setting USE_ENVELOPE_SENDER = Yes,
it probably doesn't do what you think. It controls the search order for
the Mailman.Message.Message.get_sender() method. If USE_ENVELOPE_SENDER
= No, the order is From: header, Sender: header, envelope sender, and if
USE_ENVELOPE_SENDER = Yes, the order is Sender: header, From: header,
envelope sender.

In the case of most spam messages, there will be no Sender: header, so
get_sender() will return the address in the From: header regardless of

However, the main thing is that the get_sender() method is not what is
used to determine if a post is from a list member. It is used to
determine the sender to match against *_these_nonmembers, but only after
the post is determined to be not from a member.

Determining if a post is from a list member is done by calling the
Mailman.Message.Message.get_senders() method (note get_senders, not
get_sender) and checking each address in the returned list until either
a member address is found or the list is exhausted. The addresses
returned by get_senders() are controlled by the setting of SENDER_HEADERS
which defaults to ('from', None, 'reply-to', 'sender') which means
return the addresses from (in this order)
 the From: header
 the envelope sender
 the Reply-To: header
 the Sender: header.
If any of those is a list member, the post is determined to be from that
member. Thus, if you want only to test the envelope sender for list
membership, you would need to put


in mm_cfg.py, but even this may not help, as spammers spoof envelope
senders too. Also, it makes it difficult for list members to post from
alternate addresses by including Reply-To: their member address.

> b) moderate all posts

Is this a discussion list or a one-way, announce type list? If it's an
announce type list, moderate everyone and post using an Approved:
header. See the FAQ at <http://wiki.list.org/x/3YA9> for more detail.

If this is a discussion list and spammers are spoofing member addresses
in order to post, there's not much you can do in Mailman. Moderating
everyone works, but it is a burden for moderators. The best approach is
to have effective spam filtering ahead of Mailman.

Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
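
The sender search orders described in this message, modelled as an added Python sketch (not Mailman's code and not part of the original post). The envelope sender is passed in as a plain argument; matched_member(), ENVELOPE_ONLY and all addresses are constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses

# Default order quoted in the post; None stands for the envelope sender.
DEFAULT_SENDER_HEADERS = ('from', None, 'reply-to', 'sender')
# Assumption of this model: an order that consults the envelope sender only.
ENVELOPE_ONLY = (None,)

def _addrs(msg, header):
    """Lower-cased addresses found in every instance of one header."""
    return [a.lower() for _, a in getaddresses(msg.get_all(header, [])) if a]

def get_sender(msg, envelope, use_envelope_sender=False):
    """Single sender, searched in the order the post gives for each setting."""
    order = ('sender', 'from') if use_envelope_sender else ('from', 'sender')
    for header in order:
        found = _addrs(msg, header)
        if found:
            return found[0]
    return (envelope or '').lower()

def get_senders(msg, envelope, headers=DEFAULT_SENDER_HEADERS):
    """All candidate addresses, in SENDER_HEADERS order."""
    found = []
    for header in headers:
        if header is None:
            found.extend([envelope.lower()] if envelope else [])
        else:
            found.extend(_addrs(msg, header))
    return found

def matched_member(msg, envelope, members, headers=DEFAULT_SENDER_HEADERS):
    """First candidate that is a list member, or None (post is from a nonmember)."""
    for addr in get_senders(msg, envelope, headers):
        if addr in members:
            return addr
    return None

# Constructed samples.
MEMBERS = {'alice@example.org'}
# Spam with a spoofed member From: and no Sender: header.
SPOOFED = message_from_string(
    "From: Alice <alice@example.org>\nSubject: offer\n\nbody\n")
SPAM_ENVELOPE = 'bounce@bulk.example'
# A real member posting from another address, with Reply-To: the member address.
ALTERNATE = message_from_string(
    "From: Alice <alice@work.example>\nReply-To: alice@example.org\n\nbody\n")
ALT_ENVELOPE = 'alice@work.example'
```

With the default order the spoofed From: alone is enough to pass as a member; the envelope-only order rejects it, but also rejects the member's alternate-address post and still accepts a spoofed envelope sender.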
