[Mailman-Users] spam proof announcement style list

[Mark Sapiro]

Stephanie Westbrook wrote:
>
>I've just configured my first announcement style list. There will only 
>be a few people on the list without the moderator bit set and I have it 
>set to hide the sender's address will default to "announce at dom.ain"
>
>And I set it so that messages from non members are rejected and 
>new members are always moderated.
>
>Is this safe? Have I taken care of everything?


It is fairly safe, but it could be safer. The issue here is that anyone
can post by spoofing the address of one of the unmoderated posters.
Since you have the list set to anonymous, these addresses won't be
totally obvious, but they still might be available for example in the
"list run by" link at the bottom of the listinfo page.

Also, with various malware harvesting addresses from people's address
books it is even possible that some malware might mail itself to the
list while spoofing an authorized poster.


>I read about having everyone moderated but don't really understand 
>how it is supposed to work. If this is a better solution, could 
>someone explain? Does it mean that the few people allowed to post 
>on the list will have to go in and approve their messages each time?


This is the safer way to do it. Everyone is moderated and any ordinary
post will be rejected no matter who it is from. Authorized posters
need to know the list password and put the line

Approved: list_password

either as a header if their MUA allows this conveniently or as the
first body line of the post. This allows the post to go directly to
the list. Note that if you put the Approved: line in the body, follow
it with a blank line as at least some Mailman versions remove the
following line when removing the Approved: line.

--
Mark Sapiro <msapiro at value.net>       The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan