[Mailman-Users] non-subscribers getting through--email address in "Real Name"

Matt Morgan minxmertzmomo at gmail.com
Thu Jul 19 18:51:42 EDT 2018

Thanks, everyone, for the thoughtful comments on my tiny little spam
problem! I've returned from my day job and will look at Mark's diagnosis


On Thu, Jul 19, 2018 at 6:43 PM, John Levine <johnl at taugh.com> wrote:

> In article <1ca714d0-da89-aa23-d247-4faa2133b591 at msapiro.net> you write:
> >DMARC checks won't help prevent posts that spoof a member address unless
> >every list member's domain publishes a DMARC policy of quarantine or
> >reject, and even then it only checks the From: domain and not the domain
> >of other addresses Mailman might use to determine list membership.
> >
> >Further, a post with spoofed local part sent by someone in the same
> >domain might pass DMARC if sent via the domain's servers.
>
> That's all true, and if you want bulletproof spoof resistance, you'd
> have to register PGP or S/MIME keys for the subscriber and require
> that she sign all her mail.
>
> On the other hand, a lot of domains do DKIM signing or publish SPF,
> and the vast majority of fake From: headers I see are from botnets,
> not malicious users down the hall from the victim.  So if someone is
> experiencing a lot of botnet spoofage, a setting to say that a user's
> mail will be authenticated by SPF or DKIM from domain X would get you
> about 90% of the effect of S/MIME signing everything with 10% of the
> grief.
>
> R's,
> John
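
The per-user setting proposed in the quoted message could be checked along these lines. This is an added example, not code from the thread or from Mailman; the authserv-id `mx.lists.example`, the `MEMBER_AUTH_DOMAIN` table and the sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions: our MTA stamps this authserv-id and strips any inbound
# Authentication-Results header that already carries it (RFC 8601).
TRUSTED_AUTHSERV = "mx.lists.example"
# Hypothetical per-member setting: address -> domain that must authenticate.
MEMBER_AUTH_DOMAIN = {"alice@example.org": "example.org"}

PASS = re.compile(r"(?:dkim=pass\b.*\bheader\.d=|"
                  r"spf=pass\b.*\bsmtp\.mailfrom=(?:[^\s@;]*@)?)([\w.-]+)", re.I)

def in_domain(name, domain):
    # Design choice in this example: the domain itself or any subdomain counts.
    name = name.lower().rstrip(".")
    return name == domain or name.endswith("." + domain)

def authenticated_by(msg, domain):
    """True if a trusted header records an SPF or DKIM pass for `domain`."""
    for value in msg.get_all("Authentication-Results", []):
        authserv, _, results = value.partition(";")
        if authserv.lower().split()[:1] != [TRUSTED_AUTHSERV]:
            continue  # stamped by someone else, possibly the sender
        for clause in results.split(";"):
            m = PASS.match(" ".join(clause.split()))  # unfold the header line
            if m and in_domain(m.group(1), domain):
                return True
    return False

def accept_post(raw):
    msg = message_from_string(raw)
    # parseaddr returns the real address, not an address typed into the display name.
    sender = parseaddr(msg.get("From", ""))[1].lower()
    domain = MEMBER_AUTH_DOMAIN.get(sender)
    # Members without the setting fall through to the list's normal checks.
    return domain is not None and authenticated_by(msg, domain)

# Constructed sample messages (not from the thread).
GENUINE = ("From: Alice <alice@example.org>\n"
           "Authentication-Results: mx.lists.example;\n"
           " dkim=pass header.d=example.org; spf=pass smtp.mailfrom=example.org\n"
           "\nhello\n")
SPOOFED = ("From: Alice <alice@example.org>\n"
           "Authentication-Results: mx.lists.example;\n"
           " dkim=pass header.d=bulk.example; spf=pass smtp.mailfrom=b@bulk.example\n"
           "\nbuy now\n")

if __name__ == "__main__":
    print(accept_post(GENUINE), accept_post(SPOOFED))
```

The spoofed sample authenticates, but only for an unrelated domain, so it is refused without depending on what DMARC policy the member's domain publishes.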
