[Mailman-Users] spam issue

Mark Sapiro mark at msapiro.net
Wed Apr 16 02:42:57 CEST 2008


Luke Daly wrote:

>I have a large list (22000) users. It is configured with the following settings :
>Action to take when a moderated member posts to the list. = Discard
>Action to take for postings from non-members for which no explicit action is defined. = Discard
>All users are moderated except where they are an administrator or moderator.


This is the problem. Did you see Brad's reply at
<http://mail.python.org/pipermail/mailman-users/2008-April/061236.html>
to your previous post?

This is not a secure way to set up an announcement list. Anyone can
send a post to the list spoofing the From: as one of the
admin/moderator addresses. This might even happen accidentally with
spam sent to a list spoofing the From: and just by chance hitting one
of the unmoderated addresses.


The secure way to handle posting to an announce list is to moderate
everyone. Then if you want to discard or reject posts from members,
you post from non-member addresses which you add to
hold_these_nonmembers, and then have an admin/moderator approve the
held post.

Alternatively, if you want to be able to post without the post being
held, the authorized posters need to know the list moderator password.
They then put the header

Approved: password

where 'password' is the list admin or moderator password either as an
actual header in the post or as the first line of the first plain text
part of the posted message. This is discussed in Brad's reply and in
<http://www.python.org/cgi-bin/faqw-mm.py?req=show&file=faq03.011.htp>
which he referred to and also in
<http://www.python.org/cgi-bin/faqw-mm.py?req=show&file=faq03.034.htp>.

-- 
Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
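
Added example, not part of the message above and not Mailman's own code: a simplified Python model of the posting decision, contrasting the original setup (admins unmoderated) with moderating everyone and using hold_these_nonmembers or an Approved: password. The addresses, the password and the function names are constructed for illustration, and only single-part messages are handled.

```python
import hmac
from email import message_from_string
from email.utils import parseaddr

# All addresses and the password below are constructed sample values.
ADMINS = {"admin@example.org"}
MEMBERS = ADMINS | {"user@example.org"}
HOLD_THESE_NONMEMBERS = {"announcer@example.net"}
MODERATOR_PASSWORD = "example-secret"


def approved_value(msg):
    """Password from an Approved: header or from the first body line."""
    value = msg.get("Approved")
    if value is None and not msg.is_multipart():
        lines = msg.get_payload().lstrip().splitlines()
        first = lines[0] if lines else ""
        if first.lower().startswith("approved:"):
            value = first.split(":", 1)[1]
    return value


def decide(raw, moderate_everyone):
    """Return 'accept', 'hold' or 'discard' for one raw message."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    given = approved_value(msg)
    if given is not None and hmac.compare_digest(
            given.strip().encode(), MODERATOR_PASSWORD.encode()):
        return "accept"  # possession of the password, not the From: line
    if sender in MEMBERS:
        # From: is sender-controlled, so this flag is only as good as the header.
        moderated = moderate_everyone or sender not in ADMINS
        return "discard" if moderated else "accept"
    if sender in HOLD_THESE_NONMEMBERS:
        return "hold"  # waits for an admin/moderator to approve
    return "discard"


SPOOFED = "From: admin@example.org\nSubject: offer\n\nunsolicited text\n"
HELD = "From: announcer@example.net\nSubject: news\n\nannouncement\n"
SIGNED = ("From: announcer@example.net\nSubject: news\n\n"
          "Approved: example-secret\nannouncement\n")

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("held", HELD), ("approved", SIGNED)):
        print(name, decide(raw, False), decide(raw, True))
```

With admins unmoderated, the message that merely claims an admin From: address is accepted; with everyone moderated it is discarded, and only a held post or one carrying the password gets through.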


