[Mailman-Users] Spam to "-request" address generating backscatter spam

Edward Hasbrouck edward at hasbrouck.org
Mon Dec 12 18:07:46 EST 2016

My mail server has been blacklisted by several major e-mail providers 
because of backscatter spam generated by my Mailman installation:

(1) Spammers harvest the "listname-request at domain.com" address from a  
public Web page (presumably the Mailman admin page).

(2) Spam with forged "From:" headers is sent to 
"listname-request at domain.com".

(3) Mailman sends "subscribe confirmation" messages to the addressees in 
the forged "From" fields.

How can I stop this? I am willing to give up "subscribe to this list by 
e-mail", and require all subscriptions to be via the Web. 

I used to use, and manage, mailing lists that handled all subscribe and 
unsubscribe requests by e-mail. But now almost all genuine subscription 
requests to my lists are made through the Web interface.

(I also used to run e-mail auto-responders, for example to send an FAQ in 
response to any e-mail message sent to a special e-mail address. I have 
stopped them all, for similar reasons -- they were attracting spam with 
forged "from" addresses, thus generating spam to those "from" addresses.)

I have found several discussions of variants of this issue on this list, 
going back at least 10 years. But so far as I can tell, there is not yet a 
simple option in the Web admin (or a config file) for each Mailman list, 
"Accept subscription requests by e-mail? Yes/No".

I understand that this may take time to implement, but this problem has 
been known for a very long time. I would like to see this put on the 
feature request list, however that is done. In the meantime, I need a 
workaround if I am to continue using Mailman at all. 

I would still prefer to have e-mail confirmation of new subscriptions, but 
I don't think that would cause as much of a backscatter problem: The 
"-request" address can be harvested form the public Web, but the 
"-confirm" address would be much less likely to do so.

But if it is simpler to implement, it would be OK to require new 
subscriptions to be confirmed through the Web interface.

Temporarily, I have completely disabled the list that was attracting spam 
to its "-request" address.  This isn't a viable long-term option.

Is there any workaround, either through the Web interface or by editing 
Mailman configuration files, to disable the "-request" address or cause 
all mail to that address to be dropped without generating a reply?

FWIW, I am using Mailman through Plesk, which offers it as an option. 
Plesk knows that "-request" is already in use by Mailman, and won't let me 
create that address or alias or manage it except through Mailman.

Thanks in advance for any advice you can offer,

Edward Hasbrouck


Edward Hasbrouck
<edward at hasbrouck.org>

"The Practical Nomad: How to Travel Around the World" (5th ed., 2011)

Consultant to The Identity Project:

GnuPG/PGP public key:
0B0B 8F74 CEA3 83AB 97B3 F6AF BB7E F636 165C 22F5

More information about the Mailman-Users mailing list