[Mailman-Users] Spam / Email Spoofing Problem (SPF check possible?)
Stephen J. Turnbull
turnbull.stephen.fw at u.tsukuba.ac.jp
Sat Apr 6 20:11:12 EDT 2019
Valentin Schwarze via Mailman-Users writes:
> I am the administrator of some mailman lists of the student
> self-administration of our university. We happened to have some spam
> issues on our mailman lists. These spammers were able to send
> emails on our lists through mail spoofing (only faking the From:
> field in the header is sufficient to get accepted). With a faked
> sender email address, which was in accept_these_nonmembers of the
> list, they were able to send spam mails on the lists.
It is helpful if you tell us more about the mail flows you *want*
to go to the lists. For example, perhaps these addresses are in
accept_these_nonmembers because the lists are one-way, going from a
small number of allowed posters (eg, committee chairpersons) to the
subscribers (eg, committee members). In that case it would be
possible to give the allowed posters a password, which is included in a
line of the form "Approved: PASSWORD", either in the message header,
or as the very first line of the message, which Mailman will remove
before distributing. (The message header method is preferred, because
many clients produce HTML which makes it unreliable to remove the
Approved line. This isn't a problem in the header. But many users
may not know how to add such a line to their header.) This method can
be very effective, depending on the list configuration and the
sophistication of the allowed posters.
If the list configuration is different, there may be other ways. The
only generic way to prevent spam is full-on content and source
filtering based on known features of spam and known spam sources.
Host-based authentication (SPF and DKIM) may be a solution depending
on your users' habits, but as others have pointed out, these are best
done in the MTA before passing the post to Mailman.
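
Added example, not part of the original post and not Mailman code: a sketch of the host-based check the reply refers to, reading the Authentication-Results header (RFC 8601) that a receiving MTA records after SPF/DKIM verification and accepting a post only when the From: domain exactly matches a domain that passed. The authserv-id `mx.lists.example.org`, the function names and both sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: authserv-id of our own MTA, which must also strip any inbound
# Authentication-Results header that already carries this id.
TRUSTED_AUTHSERV = "mx.lists.example.org"

def _domain(value):
    """Domain part of an address, or the value itself if it is a bare domain."""
    return value.rpartition("@")[2].strip("<>").lower().rstrip(".")

def authenticated_domains(msg):
    """Domains our MTA vouched for through spf=pass or dkim=pass."""
    domains = set()
    for raw in msg.get_all("Authentication-Results", []):
        # Unfold the header and drop (comments) before splitting into clauses.
        text = re.sub(r"\([^)]*\)", " ", " ".join(str(raw).split()))
        authserv, _, rest = text.partition(";")
        if authserv.lower().split()[:1] != [TRUSTED_AUTHSERV]:
            continue  # stamped by another host, possibly the sender: ignore
        for clause in rest.split(";"):
            m = re.match(r"\s*(spf|dkim)\s*=\s*pass\b", clause, re.I)
            if not m:
                continue
            prop = "smtp.mailfrom" if m.group(1).lower() == "spf" else "header.d"
            p = re.search(re.escape(prop) + r"\s*=\s*(\S+)", clause, re.I)
            if p:
                domains.add(_domain(p.group(1)))
    return domains

def from_is_authenticated(raw_message):
    """True only if the From: domain exactly matches an authenticated domain."""
    msg = message_from_string(raw_message)
    from_dom = _domain(parseaddr(msg.get("From", ""))[1])
    return bool(from_dom) and from_dom in authenticated_domains(msg)

# Constructed sample: From: names an allowed poster, but only the bulk sender's
# envelope domain passed SPF; the second header was supplied by the sender.
SPOOFED = (
    "Authentication-Results: mx.lists.example.org;\n"
    " spf=pass smtp.mailfrom=bounce@bulk.example.net; dkim=none\n"
    "Authentication-Results: mail.example.org; dkim=pass header.d=example.org\n"
    "From: Committee Chair <chair@example.org>\n\nbody\n")
# Constructed sample: the same From: address, DKIM-signed by its own domain.
GENUINE = (
    "Authentication-Results: mx.lists.example.org;\n"
    " dkim=pass (2048-bit key) header.d=example.org header.s=sel1;\n"
    " spf=pass smtp.mailfrom=chair@example.org\n"
    "From: Committee Chair <chair@example.org>\n\nbody\n")
```

Exact-match comparison is stricter than DMARC's relaxed alignment, so legitimate posters who send from a subdomain or through a third-party relay would fail this check.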