[Mailman-Users] Spam to list-owner

Brad Knowles brad at shub-internet.org
Fri Dec 19 09:03:55 CET 2008 

on 12/18/08 6:15 PM, Marvin Humphrey said:

> I run a couple software support mailing lists on a site that's been around for
> a decade or so.  I'm the only admin, and an avalanche of spam crashes down on
> me every day.  

Welcome to the club.

> Ideally, I'd like to simply turn off the list-owner addresses and get internal
> notifications (such as oversize moderation messages) sent to a private
> address.  However, I understand that it is not possible to configure Mailman
> that way.

One thing to keep in mind is that you're also looking at long-standing 
Internet tradition here.  RFC 2142 only says that you MUST have a 
list-request address for each list, but having a list-owner address goes 
back about as far.  And this list-owner address is not just for the 
convenience of you and your users, it's also for other admins at other 
sites who may have reason to try to contact you.

So, you run the risk that you may wind up with some very ticked off 
postmasters out there at other sites, if you eliminate this address. 
And I say this as the co-author of the booklet "Internet Postmaster: 
Duties and Responsibilities".

> Therefore, I would like to know the easiest way to accomplish these two goals:
> 
> 1) Eliminate any public reference to the list-owner address, so that there is
>    no implied offer of support.  There's the MM-Mailman-Footer for the three
>    public html pages, which I can hand-edit.  I think that does it, right?

That doesn't really solve the problem.  Anyone, anywhere can easily 
guess list-owner and list-request and list-bounces, etc... for any given 
list address.

> 2) Create a filter for messages sent to list-owner that only passes mail
>    generated by Mailman itself.

Mailman will never generate mail to the list-owner address.  It will 
receive mail that is addressed to list-owner and will re-route that 
internally as appropriate, but it will never itself send e-mail to the 
actual list-owner address.

That would be like you using your right hand to shake your own left hand.

> In a perfect world, I would offer a higher level of support, but my users are
> sophisticated enough to handle a certain amount of troubleshooting, and my
> contact information isn't hard for humans to discover.  Indeed, those very
> users would *want* me to lighten my administrative burden so that I can spend
> more time adding features and fixing bugs.

Generally speaking, one of the best things you can do to lighten your 
burden is to have a good anti-spam system incorporated into your MTA, so 
that you block that ~95% of e-mail that is actually spam from ever being 
accepted by your machine in the first place.  If it's never accepted by 
the MTA, then it can't get through to Mailman, and then passed on to you.

 From there, you need good content filters on your own personal e-mail 
system, so even if spam gets through the MTA on the server and through 
Mailman to list-owner, there's a good chance it will get caught by the 
downstream filters protecting your personal e-mail and you won't have to 
see or deal with it.


Speaking as one of the members of the python.org postmaster team, and as 
the primary active listowner for all the official mailman-* mailing 
lists hosted on python.org, I can tell you that another really useful 
thing is to bring in more people to help you do your work.

In your case, you might want to have more than one person helping with 
the list moderator work, and take most of that burden off your shoulders 
for having to deal with spam.  That would leave you with just the 
listowner work, although as listowner you could always choose to take on 
some of the list moderator work, if you want.

I also help with postmaster and listmaster duties on another site, which 
is much smaller than python.org.  But I wind up doing way, way more work 
over there, simply because I'm really the only guy doing any of it. 
We've got a new guy we're bringing onboard, and I'm hoping he can help 
offload some of this work in addition to the other stuff we're asking 
him to do.  But in the meanwhile, I'm really the only guy dealing with 
the deluge on a daily basis.

-- 
Brad Knowles
<brad at shub-internet.org>        If you like Jazz/R&B guitar, check out
LinkedIn Profile:                 my friend bigsbytracks on YouTube at
<http://tinyurl.com/y8kpxu>    http://preview.tinyurl.com/bigsbytracks

More information about the Mailman-Users mailing list