[Mailman-Users] Spam to "-request" address generating backscatter spam
edward at hasbrouck.org
Mon Dec 12 18:07:46 EST 2016
My mail server has been blacklisted by several major e-mail providers
because of backscatter spam generated by my Mailman installation:
(1) Spammers harvest the "listname-request at domain.com" address from a
public Web page (presumably the Mailman admin page).
(2) Spam with forged "From:" headers is sent to
"listname-request at domain.com".
(3) Mailman sends "subscribe confirmation" messages to the addressees in
the forged "From" fields.
How can I stop this? I am willing to give up "subscribe to this list by
e-mail", and require all subscriptions to be via the Web.
I used to use, and manage, mailing lists that handled all subscribe and
unsubscribe requests by e-mail. But now almost all genuine subscription
requests to my lists are made through the Web interface.
(I also used to run e-mail auto-responders, for example to send an FAQ in
response to any e-mail message sent to a special e-mail address. I have
stopped them all, for similar reasons -- they were attracting spam with
forged "from" addresses, thus generating spam to those "from" addresses.)
I have found several discussions of variants of this issue on this list,
going back at least 10 years. But so far as I can tell, there is not yet a
simple option in the Web admin (or a config file) for each Mailman list,
"Accept subscription requests by e-mail? Yes/No".
I understand that this may take time to implement, but this problem has
been known for a very long time. I would like to see this put on the
feature request list, however that is done. In the meantime, I need a
workaround if I am to continue using Mailman at all.
I would still prefer to have e-mail confirmation of new subscriptions, but
I don't think that would cause as much of a backscatter problem: The
"-request" address can be harvested form the public Web, but the
"-confirm" address would be much less likely to do so.
But if it is simpler to implement, it would be OK to require new
subscriptions to be confirmed through the Web interface.
Temporarily, I have completely disabled the list that was attracting spam
to its "-request" address. This isn't a viable long-term option.
Is there any workaround, either through the Web interface or by editing
Mailman configuration files, to disable the "-request" address or cause
all mail to that address to be dropped without generating a reply?
FWIW, I am using Mailman through Plesk, which offers it as an option.
Plesk knows that "-request" is already in use by Mailman, and won't let me
create that address or alias or manage it except through Mailman.
Thanks in advance for any advice you can offer,
<edward at hasbrouck.org>
"The Practical Nomad: How to Travel Around the World" (5th ed., 2011)
Consultant to The Identity Project:
GnuPG/PGP public key:
0B0B 8F74 CEA3 83AB 97B3 F6AF BB7E F636 165C 22F5
More information about the Mailman-Users