[Mailman-Users] Spam to "-request" address generating backscatter spam

Stephen J. Turnbull turnbull.stephen.fw at u.tsukuba.ac.jp
Tue Dec 13 06:54:34 EST 2016

Edward Hasbrouck writes:

 > (2) Spam with forged "From:" headers is sent to 
 > "listname-request at domain.com".

 > How can I stop this? I am willing to give up "subscribe to this list by 
 > e-mail", and require all subscriptions to be via the Web.

Set Privacy Options | subscribe_policy to "Require approval".

If you don't like that because of lots of subscribes, the easiest
thing to do if you actually have control over your installation is to
remove the alias in the MTA.  How to do that in Plesk, I don't know.
Probably can't, then you have to talk to your hosting service.

Everything else I can think of requires changing code or access to the
Mailman config files.  Again you'll have to talk to your host.

 > I understand that this may take time to implement, but this problem has 
 > been known for a very long time. I would like to see this put on the 
 > feature request list, however that is done.

There is no feature request list for Mailman 2 any more.  If Mark
has time and thinks it's not too invasive, it might happen, but he's
getting more and more involved with Mailman 3.  For Mailman 3, it
would be


Use tags "wishlist" and "security" I think.  (Note, AFAIK "security"
doesn't mean "privileged info" on Gitlab's tracker, it's just a tag
for any issue with our privacy or malware mitigation stuff.)

 > Is there any workaround, either through the Web interface or by editing 
 > Mailman configuration files, to disable the "-request" address or cause 
 > all mail to that address to be dropped without generating a reply?

This really is something that should be done in the MTA.  I understand
that you probably don't have access to your MTA's configs, but that's
not our fault.  From our point of view, making this change adds to the
complexity of Mailman configuration for all our users (site admins,
list owners, and subscribers).  It's already quite confusing, and only
going to get worse as we add DKIM, SPF, DMARC, ARC, ....

 > FWIW, I am using Mailman through Plesk, which offers it as an option. 

Consider changing to a service that's more expensive but doesn't make
you unreasonable for making a support request.  Plesk (and cPanel) are
a good idea in principle, but unfortunately the spammers, phishers,
and other miscreants, malefactors, and felons put paid to that.  It
doesn't really matter what you do, if you take input from the
Internet, you need to be able to reconfigure quickly and flexibly in
response to exploits.  Those "control panels" don't offer that, and
probably cannot.

More information about the Mailman-Users mailing list