[Mailman-Developers] Patch for Mail Archive mirroring
Brad Knowles
brad at stop.mail-abuse.org
Sat Apr 30 23:56:03 CEST 2005
At 2:33 PM -0400 2005-04-30, Tobias Eigen wrote:
> The described patch to Mailman is very interesting, though, and I'm glad
> it's been done. I haven't tried the patch, but from what I'm hearing the
> issue of it appearing to endorse one or other archives can be dealt with
> by making the feature customizable - i.e. have a control line where
> mailman admins can configure whatever external archiver they want, with
> completely configurable fields: the name/description of the archiver and
> the email address to automatically add. The mail-archive and gmane
> options would be included as examples but commented out.
This assumes that the patch could be modified so as to be
generally applicable across all external archiving systems, and the
comments from Lars at Gmane have already indicated that's not
possible.
This is a nice idea, but I don't think it's going to be that
easy. Sure, you might be able to generalize the patch to a certain
degree, but there would be many hurdles. Recall the post from Jeff
Marshall at 30 Apr 2005 10:37:15 -0700 where he mentioned that RFC
2369 only allows for one List-Archive: URL.
> Without opening a can of worms, hopefully, let me close with one last
> thought. I realize this has probably been discussed ad nauseum in other
> places, but there's a bit of a flaw in all this. Email addresses can be
> faked, and so an archiver based on email is going to be fraught with
> problems - or at least a whole lot of spam on the archives once the
> spammers figure out how it works.
Anything based on e-mail is going to be vulnerable. Whether this
is a mailing list, a mailing list archiving system, or anything else.
> On our own system, we use Mailman's
> own archiver subsystem for gatewaying messages to our Fud Forum
> (http://www.fudforum.org). Another way I've tried successfully is
> through the use of an email address made up of random characters that
> gets delivered to Fud. That works fine, and since the list is on
> Kabissa (managed by me) and the Fud is on Kabissa, the likelihood of
> spammers getting in by spoofing addresses is pretty low.
External mailing list archiving systems would be likely to be
reasonably secure. No one else would have any reason to know what
address of theirs was subscribed to the mailing list, and it would be
difficult to brute-force that. Moreover, it would be easy for them
to implement a greylist-style mechanism where incoming posts from the
mailing list are required to be sent by one or more given IP
addresses, thus securing them from most sorts of inbound spoofs to
the archive, even if the subscribed address could be discovered.
If you're concerned about addresses being lifted from the
archive, that's also reasonably easy to secure -- mail-archive.com
has one example, but there are plenty of others.
Of course, spammers could always subscribe to the list and then
post their spam, and viruses would be able to look in the outbox of a
user's MUA and then send new messages with virus content attached to
those same recipients, and either of these types of posts would be
likely to get through to the recipients of the list.
One way to mitigate this problem is to require approval before a
subscriber is allowed to finish the process to subscribe. Another is
to make users moderated by default, so that their postings require
approval before they get through to the list.
Of course, there are always the mechanisms that Mailman provides
for doing content stripping of MIME bodypart types, and I believe
that these sorts of things should be done by default.
I think we've already got some pretty good tools in this area.
If you wanted to go further, you could require that all
subscribers post via cryptographically signed messages, but then that
would be vulnerable to the virus problem where the malware takes over
the user's MUA and sends out messages in their name.
I guess you could always run a completely closed system, whereby
people could access a webmail-type system on your servers, or use a
forum-based solution on the same machines, but I think that defeats
much of the purpose of a mailing list management system, which is to
take content as it comes in and to distribute that out to the various
recipients so that they can read that at their leisure on their own
systems.
There might be other anti-spam security mechanisms which you
could employ, and I'd welcome hearing about them.
Then there are all the system-level anti-spam mechanisms, such as
greylisting, rules-based message scoring systems like SpamAssassin,
fingerprint-based content reporting/detection systems such as
DCC/Razor/Pyzor, and others. Of course, all of these sorts of things
would be outside of the mailing list management system, and not a
part of Mailman.
--
Brad Knowles, <brad at stop.mail-abuse.org>
"Those who would give up essential Liberty, to purchase a little
temporary Safety, deserve neither Liberty nor Safety."
-- Benjamin Franklin (1706-1790), reply of the Pennsylvania
Assembly to the Governor, November 11, 1755
SAGE member since 1995. See <http://www.sage.org/> for more info.
More information about the Mailman-Developers
mailing list