[Mailman-Users] list of lists fodder for spammers?

Greg Westin greg at gregwestin.com
Sun Jan 26 21:44:13 CET 2003


> As for the list names being mined for spam, I've found that the biggest
> worry is the web-enabled archives.

It doesn't seem very likely to me that spammers would find the list  
addresses in the archives.  Obviously, the addresses of posters are  
there (these can be obscured in 2.1, right?), but I don't see the list  
addresses anywhere.  Our problem with spam going to lists... obviously,  
we don't want individuals getting spam, either, but our current concern  
is about lists being spammed.

> Mailman's features can help a little against spam.  You can set your
> lists so that they only accept mail from either a list member or from a
> user on the local domain.

That's an interesting idea... I assume we can set it to accept from  
list members and some given set of domains?  That might be a very  
appropriate thing to implement.  Thanks.

Greg

> Good Luck - Jon Carnes
>
> On Sun, 2003-01-26 at 12:26, Greg Westin wrote:
>> Hello Mailman folk,
>>
>> I work with a group that provides services to student groups at a
>> university, and we're concerned that a lot of the lists have been
>> picking up spam lately.  The prime suspect, at this point, is Mailman's
>> publishing of list names.  If you can provide any input on how to
>> alleviate this problem, please let me know.  I'm copying below a
>> message (slightly modified) from one of the more knowledgeable people I
>> work with:
>>
>> ---
>> My real concern with the behavior of the
>> listinfo and admin scripts is that they publish the list of lists
>> not only when invoked without arguments, but also if invoked on a
>> non-existent list name.  Apache can be configured to reject
>> requests from outside of ourdomain.edu (or wherever) for
>> "http://lists.ourdomain.edu/mailman/listinfo",
>> while still allowing
>> "http://lists.ourdomain.edu/mailman/listinfo/hcs-discuss",
>> but what if spammers start generating random list names and sending,
>> e.g.,
>> "http://lists.ourdomain.edu/mailman/listinfo/sp4m"?  No way to
>> stop such attacks except for Mailman to change its behavior (which
>> the patched version on lists.ourdomain currently does).
>> ---
>>
>> The patched version he's referring to simply denies access to
>> /mailman/listinfo (but not to /mailman/listinfo/valid-list-name) to
>> every request not from our domain.  It's an ugly hack, but it's
>> generally fine because students will almost always be working from a
>> university computer, except perhaps when home on vacation.
>>
>> Thanks for any help.  Please reply off-list if you're getting this via
>> mailman-developers, as I'm not subscribed to that list.  I am on
>> mailman-users, though.
>>
>> Greg Westin
>> --
>> http://www.gregwestin.com
>> Contact info: http://www.gregwestin.com/contact.php
>
>
>
--
http://www.gregwestin.com
Contact info: http://www.gregwestin.com/contact.php
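
The listinfo behaviour discussed in this thread, modelled as an added example that is not part of the original message and is not Mailman's code. The list names other than hcs-discuss, the network standing in for "our domain", and the function names are assumptions. It compares the fallback to the list of lists on an unknown name with a handler that withholds the overview from outside requests.

```python
import ipaddress
from urllib.parse import unquote

# Constructed sample data: a documentation-range network stands in for
# "our domain", and the list names are placeholders.
LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]
LISTS = {"hcs-discuss", "hcs-announce"}
PREFIX = "/mailman/listinfo"


def is_local(client_ip):
    """True when the client address belongs to one of the local networks."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in LOCAL_NETS)


def listinfo(path, client_ip, leak_on_unknown=False):
    """Return (status, body) for a request under /mailman/listinfo.

    leak_on_unknown=True models the behaviour described in the thread:
    an unknown list name falls back to the full list of lists for anyone.
    """
    if not path.startswith(PREFIX):
        return 404, ""
    rest = path[len(PREFIX):]
    if rest and not rest.startswith("/"):
        return 404, ""  # e.g. /mailman/listinfoX is a different script
    name = unquote(rest).strip("/").lower()
    overview = "\n".join(sorted(LISTS))

    if not name:
        # Bare overview URL: the case the Apache rule in the thread covers.
        return (200, overview) if is_local(client_ip) else (403, "")
    if name in LISTS:
        return 200, f"info page for {name}"
    # Unknown list name: the case a URL rule on the bare path does not cover.
    if leak_on_unknown or is_local(client_ip):
        return 200, overview
    return 404, "No such list"


if __name__ == "__main__":
    outside = "203.0.113.9"  # constructed outside address
    print(listinfo("/mailman/listinfo/sp4m", outside, leak_on_unknown=True))
    print(listinfo("/mailman/listinfo/sp4m", outside))
```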



