[Mailman-Users] What is the best way to avoid fake senders?

Δημήτριος Καραπιπέρης dimkar at thessaloniki.gr
Sat Apr 3 07:57:26 CEST 2010


Mark Sapiro wrote:
> On 4/1/2010 10:35 PM, Δημήτριος Καραπιπέρης wrote:
>
>> I am investigating ways how to avoid any fake senders trying to get
>> through and approach my recipients.
>>
>> I concluded the following
>> a) use envelope_sender to figure out the sender
>
> If you're thinking of the mm_cfg.py setting USE_ENVELOPE_SENDER = Yes,
> it probably doesn't do what you think. It controls the search order for
> the Mailman.Message.Message.get_sender() method. If USE_ENVELOPE_SENDER
> = No, the order is From: header, Sender: header, envelope sender, and if
> USE_ENVELOPE_SENDER = Yes, the order is Sender: header, From: header,
> envelope sender.
>
> In the case of most spam messages, there will be no Sender: header, so
> get_sender() will return the address in the From: header regardless of
> the USE_ENVELOPE_SENDER setting.
>
> However, the main thing is that the get_sender() method is not what is
> used to determine if a post is from a list member. It is used to
> determine the sender to match against *_these_nonmembers, but only after
> the post is determined to be not from a member.
>
> Determining if a post is from a list member is done by calling the
> Mailman.Message.Message.get_senders() method (note get_senders, not
> get_sender) and checking each address in the returned list until either
> a member address is found or the list is exhausted. The addresses
> returned by get_senders() are controlled by the setting of SENDER_HEADERS
> which defaults to ('from', None, 'reply-to', 'sender') which means
> return the addresses from (in this order)
>  the From: header
>  the envelope sender
>  the Reply-To: header
>  the Sender: header.
> If any of those is a list member, the post is determined to be from that
> member. Thus, if you want only to test the envelope sender for list
> membership, you would need to put
>
> SENDER_HEADERS = (None,)
>
> in mm_cfg.py, but even this may not help, as spammers spoof envelope
> senders too. Also, it makes it difficult for list members to post from
> alternate addresses by including Reply-To: their member address.
>
>
>> b) moderate all posts
>
> Is this a discussion list or a one-way, announce type list? If it's an
> announce type list, moderate everyone and post using an Approved:
> header. See the FAQ at <http://wiki.list.org/x/3YA9> for more detail.
>
> If this is a discussion list and spammers are spoofing member addresses
> in order to post, there's not much you can do in Mailman. Moderating
> everyone works, but it is a burden for moderators. The best approach is
> to have effective spam filtering ahead of Mailman.
>

Thanks Mark.
This reply will help a lot of people.

Are there any other ways, including maybe the MTA (e.g. Postfix) or other
techniques such as client certificates, that can add an extra layer of
security against fake senders, who are not only spammers but also
malicious users?


thanks
Dimitrios
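As an added illustration of the ordering Mark describes above (this is a simplified re-implementation written for this archive page, not Mailman's own Mailman.Message code), the following shows why a spoofed From: header is enough to pass the member check under the default SENDER_HEADERS, and what SENDER_HEADERS = (None,) changes. The member list and the two sample messages are constructed.

```python
from email import message_from_string
from email.utils import getaddresses

# Default order Mark quotes: From:, envelope sender (None), Reply-To:, Sender:.
DEFAULT_SENDER_HEADERS = ('from', None, 'reply-to', 'sender')


def get_senders(msg, envelope_sender, sender_headers=DEFAULT_SENDER_HEADERS):
    """Collect lower-cased addresses in SENDER_HEADERS order (None = envelope sender)."""
    addrs = []
    for header in sender_headers:
        if header is None:
            if envelope_sender:
                addrs.append(envelope_sender.lower())
            continue
        for _name, addr in getaddresses(msg.get_all(header, [])):
            if addr:
                addrs.append(addr.lower())
    return addrs


def posting_member(msg, envelope_sender, members,
                   sender_headers=DEFAULT_SENDER_HEADERS):
    """First candidate address that is a list member, or None.

    None means the post is treated as a non-member post and falls through
    to the *_these_nonmembers rules (matched with get_sender(), not shown)."""
    members = {m.lower() for m in members}
    for addr in get_senders(msg, envelope_sender, sender_headers):
        if addr in members:
            return addr
    return None


# Constructed subscriber list.
MEMBERS = {'alice@example.org'}

# Constructed spam: From: forged to a member address, real envelope sender elsewhere.
SPOOFED = message_from_string(
    'From: Alice <alice@example.org>\nSubject: hi\n\nbuy now\n')

# Constructed legitimate post from a member's alternate address with Reply-To: set.
ALT = message_from_string(
    'From: alice.home@example.net\nReply-To: alice@example.org\n'
    'Subject: hi\n\nhello list\n')

if __name__ == '__main__':
    print(posting_member(SPOOFED, 'bot@spam.example', MEMBERS))            # accepted
    print(posting_member(SPOOFED, 'bot@spam.example', MEMBERS, (None,)))   # None
    print(posting_member(ALT, 'alice.home@example.net', MEMBERS))          # accepted
    print(posting_member(ALT, 'alice.home@example.net', MEMBERS, (None,))) # None
```

With the default setting the forged From: is accepted as a member post, and with (None,) the spoof is rejected but so is the genuine alternate-address post, which is the trade-off Mark points out.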