[Mailman-Developers] list of lists fodder for spammers?

Greg Westin greg at gregwestin.com
Sun Jan 26 12:26:15 EST 2003


Hello Mailman folk,

I work with a group that provides services to student groups at a 
university, and we're concerned that a lot of the lists have been 
picking up spam lately.  The prime suspect, at this point, is Mailman's 
publishing of list names.  If you can provide any input on how to 
alleviate this problem, please let me know.  I'm copying below a 
message (slightly modified) from one of the more knowledgeable people I 
work with:

---
My real concern with the behavior of the
listinfo and admin scripts is that they publish the list of lists
not only when invoked without arguments, but also if invoked on a
non-existent list name.  Because Apache can be configured to reject
outside of ourdomain.edu or wherever requests for
"http://lists.ourdomain.edu/mailman/listinfo",
while still allowing
"http://lists.ourdomain.edu/mailman/listinfo/hcs-discuss",
but what if spammers start generating random list names and sending, 
e.g.,
"http://lists.ourdomain.edu/mailman/listinfo/sp4m"?  No way to
stop such attacks except for Mailman to change its behavior (which
the patched version on lists.ourdomain currently does).
---

The patched version he's referring to simply denies access to 
/mailman/listinfo (but not to /mailman/listinfo/valid-list-name) to 
every request not from our domain.  It's an ugly hack, but it's 
generally fine because students will almost always be working from a 
university computer, except perhaps when home on vacation.

Thanks for any help.  Please reply off-list if you're getting this via 
mailman-developers, as I'm not subscribed to that list.  I am on 
mailman-users, though.

Greg Westin
--
http://www.gregwestin.com
Contact info: http://www.gregwestin.com/contact.php
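
The behaviour asked for in the message above, sketched as an added example (not part of the original message, not Mailman's code, and not the patch the message mentions): the overview of all lists is served only for the bare script URL and only to on-campus clients, and an unknown list name never falls back to the overview. The list names, the campus network range, the status codes and the `decide` function are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed sample data: list names and campus network are assumptions.
KNOWN_LISTS = {"hcs-discuss", "hcs-announce"}
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]  # documentation range

# /mailman/listinfo, /mailman/listinfo/<name>, and the same for admin.
_ROUTE = re.compile(r"^/mailman/(listinfo|admin)(?:/([^/]*))?/?$")


def is_trusted(client_ip):
    """True when the client address is inside one of the campus networks."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in TRUSTED_NETS)


def decide(path, client_ip):
    """Return (status, body_kind) for a listinfo/admin request."""
    m = _ROUTE.match(path)
    if m is None:
        return 404, "not-found"
    script, name = m.group(1), (m.group(2) or "").lower()
    if name == "":
        # Bare script URL: the list of lists, on-campus clients only.
        if is_trusted(client_ip):
            return 200, "overview"
        return 403, "forbidden"
    if name in KNOWN_LISTS:
        # A valid list page stays reachable from anywhere.
        return 200, f"{script}:{name}"
    # Unknown name: answer "not found" instead of publishing the overview,
    # so guessing names such as "sp4m" reveals nothing about real lists.
    return 404, "not-found"


if __name__ == "__main__":
    for path, ip in [
        ("/mailman/listinfo", "192.0.2.10"),
        ("/mailman/listinfo", "203.0.113.5"),
        ("/mailman/listinfo/hcs-discuss", "203.0.113.5"),
        ("/mailman/listinfo/sp4m", "203.0.113.5"),
    ]:
        print(path, ip, decide(path, ip))
```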



