[Mailman-Users] How hard is it to spoof an email?

Jp Possenti jp at pifiu.com
Sun Jan 29 22:50:00 CET 2006


So basically what you are saying is that Mailman is very insecure? (in
short)

You say I should not have my admin email as a list member. By that you mean
"listname at domain.com" which is the default address as the admin?

If so then what am I supposed to create, and why would creating one make a
difference?

Also which email clients support the DKIM and/or SPF standards?

Kind regards,
 
Jp Possenti


-----Original Message-----
From: Jim Popovitch [mailto:jimpop at yahoo.com] 
Sent: Sunday, January 29, 2006 4:31 PM
To: jp at pifiu.com
Cc: mailman-users at python.org
Subject: Re: [Mailman-Users] How hard is it to spoof an email?

Jp Possenti wrote:
> How hard would it be for someone to maliciously start sending all the
> users in my list emails or start deleting people from it by sending
> bounce errors

It's not hard at all.  In fact it's quite easy.  This is because the raw 
archive data is available to the public.  See this FAQ: 
http://www.python.org/cgi-bin/faqw-mm.py?req=show&file=faq04.066.htp

> or by spoofing the admin email and start emailing everyone on the list?

That's not hard at all either, although you probably shouldn't have your 
admin email as a list member.  Of course, the spammer could just use any 
of your subscribers' email addresses including the valid ones that 
haven't posted in 4 years (*cough*, *cough*).  See the recent "Verifying 
posts" thread.

> Is this a common problem, or is mailman secure about it? What are some
> ways to help avoid any problems?

Use an MTA that supports DKIM and/or SPF.  These standards help to 
verify who the sender is.  So if bob at aol.com posts to your list, SPF 
will verify that the email came from an approved aol.com server, not 
something like 24.16.8.101-home.dsl.cox.net.  DKIM takes it a step 
further and adds an encrypted email header "key" that is carried with 
the email during its entire journey through multiple servers.  This key 
enables every "hop" to validate the email, whereas SPF is just 
point-to-point validation based on email header info (which can very 
easily be modified in transit).

> Please explain carefully and with plenty of details as I am still figuring
> things out.

Heck, that should be SOP for everyone.  ;-)

-Jim P.
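The SPF check Jim describes above, as an added example that is not part of the original thread or of Mailman: a small offline evaluator that walks an SPF TXT record (ip4, a, include and all mechanisms with their qualifiers) for the envelope-sender domain and returns the verdict an SPF-capable MTA would reach for a given connecting IP. The DNS table, domain names, addresses and records are constructed sample values; real implementations query DNS and handle the remaining mechanisms.

```python
import ipaddress

# Constructed stand-in for DNS lookups; zones and addresses are made up.
DNS = {
    "example-isp.test": {
        "txt": "v=spf1 ip4:203.0.113.0/24 include:_spf.example-isp.test -all"
    },
    "_spf.example-isp.test": {"txt": "v=spf1 a:mx1.example-isp.test ~all"},
    "mx1.example-isp.test": {"a": ["198.51.100.25"]},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(ip, domain, depth=0):
    """Evaluate the SPF record of the envelope-sender domain against the
    connecting IP. Handles ip4, a, include and all; mx/ptr/exists/redirect
    are omitted to keep the example short."""
    if depth > 10:  # RFC 7208 limits DNS-querying terms per check
        return "permerror"
    record = DNS.get(domain, {}).get("txt", "")
    if not record.startswith("v=spf1"):
        return "none"  # no policy published: nothing to check against
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"  # a bare mechanism means "pass" when it matches
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        if mech == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            hosts = DNS.get(arg or domain, {}).get("a", [])
            matched = any(addr == ipaddress.ip_address(h) for h in hosts)
        elif mech == "include":
            # include: matches only if the referenced policy yields "pass"
            matched = check_spf(ip, arg, depth + 1) == "pass"
        elif mech == "all":
            matched = True
        else:
            matched = False  # unsupported mechanism: treat as no match
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and no "all" term present


if __name__ == "__main__":
    for ip in ("203.0.113.7", "198.51.100.25", "192.0.2.44"):
        print(ip, "->", check_spf(ip, "example-isp.test"))
```

The third address plays the role of the home DSL host in Jim's example: it is in neither the published range nor the included policy, so the `-all` term yields "fail" and the MTA can reject or flag the message.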








