[Mailman-Users] rejecting spam disables local subscribers on remote lists

James Ralston qralston+ml.mailman-users at andrew.cmu.edu
Wed Jul 19 19:53:41 CEST 2006 

We recently implemented a policy such that any incoming message that
scores higher than 10 with SpamAssassin is rejected at our MX servers
with:

    550 5.7.0 message not delivered due to suspect content

We've discovered that this policy has interaction problems with
recipients at our site who are subscribed to external mailing lists.
Here's what happens:

    1.  Someone at our site is subscribed to a random Mailman mailing
        list on the Internet.

    2.  The owners of the mailing list have made little to no attempt
        to filter spam.  As a result, the mailing list passes on spam
        to subscribers at our site.

    3.  We detect the spam that Mailman attempts to relay to our
        subscribers and reject it per above.

    4.  Mailman, upon receiving the bounces, assumes that the messages
        bounced because the recipient addresses are no longer valid,
        and disables and/or removes them.

    5.  Our users, upon being given the brush-off by Mailman at the
        remote site, blame us.

The fundamental problem is that the owners of the mailing list, by not
taking steps to protect their list from spam, are essentially
operating an opt-in spam amplification and relaying system.  But given
that we have no control over how these individuals [mis]manage their
mailing lists, we are pondering how to best address this issue on our
end.

I just looked at Mailman/Bouncers/DSN.py, to see if Mailman was
looking at the Status field of the message/delivery-status part, but
alas, Mailman only pays attention to the Action field.  Therefore, no
matter what we return as the DSN code, Mailman will assume that any
permanent failure occurred because the recipient address was invalid.

One possibility would be to not reject incoming messages if they
appear to be from Mailman.  (We use David Skoll's excellent MIMEDefang
package, so we easily have this capability.)  But spammers are a
devious and clever lot; I have no doubts that they'd quickly realize
that they could bypass our spam blocking simply by adding a few
Mailman headers to their messages.

Another possibility would be to allow our recipients to opt out of the
spam rejecting.  But this is a last-ditch option.

Have others encountered this situation?  If so, how did you deal with
it?

Thanks,
James

More information about the Mailman-Users mailing list