[Mailman-Developers] Re: Indirect Spam Vulnerability

Donal Hunt donal.hunt2 at mail.dcu.ie
Fri Jun 20 13:35:14 EDT 2003


I've actually seen this result in a mail loop between two mailing lists 
on the same server (both moderated).  As a result it can cause a DOS 
attack (slowing down the machine considerably).  This was with Mailman 
2.0, so 2.1 may resolve the problem...

It's only happened once in 5 years (which I guess is fortunate!) but it is 
something that should be looked at for current releases if it's still 
possible to recreate...

Regards

Donal
DCU

Matt wrote:
 > I thought I'd describe a spam problem related to mailman I'm having
 > and propose the solution. If anyone can tell me one way or another
 > whether mailman avoids this "spam attack" I would appreciate it.
 >
 > I have two lists:  foo at myhost.com
 >                    moderated at myhost.com
 >
 > The spammer sends forged as foo at myhost.com to moderated at myhost.com.
 > The mail gets held for approval and a message gets sent to
 > foo at myhost.com informing it that the message has been held (often
 > times the subject line is mentioned and contains lewd content which
 > I'd rather not have sent out to subscribers on foo at myhost.com). This
 > is why I used the word 'indirect spam'.
 >
 > Couldn't mailman redirect bounce/moderation notifications in the case
 > where the FROM address is a mailman list and send it to the site/list
 > administrator instead (or maybe drop it completely??)? I think this
 > would avoid spamming the list subscribers while adding a minor load to
 > the administrator's work.
 >
 > Does mailman 2.1.x already do this? If not, would this break
 > something in mailman? Is it unreasonably restrictive on the site/list
 > administrator(s)?
 >
 > I'm running 2.0.x (debian stable iirc)
 >
 > Thanks,
 > 	-Matt Helsley
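One way to implement the rerouting Matt proposes (and to break the loop between two moderated lists that Donal describes), written as an added example for this thread rather than code from Mailman itself; the site host, list names and role-address suffixes are constructed assumptions:

```python
"""Route 'your post was held' notices away from senders that are our own lists."""
import email
from email.utils import parseaddr

# Assumed site configuration: host name and lists served on this machine.
SITE_HOST = "myhost.com"
SITE_LISTS = {"foo", "moderated"}
# Assumed role-address suffixes a list on this site answers to.
ROLE_SUFFIXES = ("", "-admin", "-owner", "-request", "-bounces")


def is_local_list_address(addr):
    """True if addr is the posting address or a role address of a local list."""
    local, _, host = addr.lower().rpartition("@")
    if host != SITE_HOST:
        return False
    return any(local == name + suffix for name in SITE_LISTS for suffix in ROLE_SUFFIXES)


def held_notice_recipient(raw_message, list_name):
    """Return (recipient, reason) for the held-message notice.

    The notice normally goes back to the sender. If any sender-ish header
    names one of our own lists, it goes to the list owner instead, so the
    subscribers of the forged list never receive the (possibly lewd) subject
    and no second list can bounce a notice straight back at us.
    """
    msg = email.message_from_string(raw_message)
    owner = "%s-owner@%s" % (list_name, SITE_HOST)
    sender = parseaddr(msg.get("From", ""))[1]
    if not sender:
        return owner, "no parsable sender"
    for header in ("From", "Sender", "Return-Path"):
        candidate = parseaddr(msg.get(header, ""))[1]
        if candidate and is_local_list_address(candidate):
            return owner, "%s names a local list; possible forgery or loop" % header
    return sender, "ordinary held-post notice"


# Constructed samples: one forged as coming from foo@, one ordinary post.
FORGED = "From: foo@myhost.com\nTo: moderated@myhost.com\nSubject: (omitted)\n\nspam\n"
LEGIT = "From: alice@example.org\nTo: moderated@myhost.com\nSubject: question\n\nhi\n"

if __name__ == "__main__":
    print(held_notice_recipient(FORGED, "moderated"))
    print(held_notice_recipient(LEGIT, "moderated"))
```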
