[Mailman-Users] Are there any known exploits in 2.1.5 re request email address and spamming?

Mark Sapiro mark at msapiro.net
Mon Sep 22 18:33:41 CEST 2008


Martin Evans wrote:

>Mark Sapiro wrote:
>> 
>> If I understand correctly what you are saying, spam is being sent to
>> the list-request address with a From: header containing an innocent
>> 3rd party address. The response from Mailman, which contains the
>> original message, is sent to the innocent 3rd party.
>
>Actually that is not the case. It appears spam is sent to the request 
>address and it ends up being sent to an innocent 3rd party without any 
>mailman text at all. It is difficult for me to diagnose this as my mail 
>server has been blacklisted by so many places I've had to disable 
>mailman completely. I saw lots of emails coming in to the request 
>address and caught some of the identical emails stuck on my outgoing 
>mail queue due to failure to send. What happened in between I cannot say 
>right now.


Do your MTA logs or the outgoing queue entries give any clues? I'd be
interested in the timing of the messages to the -request address
relative to the outgoing messages, and the envelope sender of the
outgoing messages.

I don't know of any way that Mailman would resend a message from the
-request address without Mailman added text.


>I don't really want to start mailman up again as we cannot 
>afford to be black listed since we do most of our business online and 
>after a weekend of not spamming people we may get off some of the black 
>lists.
>
>> Current Mailman through 2.1.11 will behave the same. These issues will
>> be addressed in 2.2.
>> 
>> In the meantime, the best solution is effective spam filtering ahead
>> of Mailman. Barring that, you can disable the -request and perhaps
>> other support addresses and force everyone to use the web for
>> subscribing, confirming, etc.
>> 
>
>That is a reasonable alternative I'll look into.


Also, see the FAQ at <http://wiki.list.org/x/NQAy>.

-- 
Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
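
One way to pull the timing and envelope sender asked about above out of MTA logs, as an added example that is not part of the original message. It assumes Postfix-style syslog lines (the thread does not name the MTA); the sample log, its addresses and the `correlate` helper are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in Postfix syslog style (assumption: the thread does
# not name the MTA). Hosts, queue IDs and addresses are made up.
SAMPLE_LOG = """\
Sep 20 03:10:01 mx postfix/qmgr[811]: A1B2C3: from=<spammer@bad.example>, size=2048, nrcpt=1 (queue active)
Sep 20 03:10:02 mx postfix/local[902]: A1B2C3: to=<list-request@lists.example.org>, relay=local, delay=0.4, status=sent (delivered to command)
Sep 20 03:10:05 mx postfix/qmgr[811]: D4E5F6: from=<list-bounces@lists.example.org>, size=3100, nrcpt=1 (queue active)
Sep 20 03:10:09 mx postfix/smtp[950]: D4E5F6: to=<victim@third.example>, relay=none, delay=4, status=deferred (connection refused)
Sep 20 09:00:00 mx postfix/qmgr[811]: 0A0B0C: from=<staff@lists.example.org>, size=900, nrcpt=1 (queue active)
Sep 20 09:00:01 mx postfix/smtp[951]: 0A0B0C: to=<customer@shop.example>, relay=mail.shop.example, delay=1, status=sent (250 ok)
"""

LINE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ postfix/(\w+)\[\d+\]: (\w+): (from|to)=<([^>]*)>")

def correlate(log_text, year=2008, window=timedelta(seconds=60)):
    """Pair each delivery to a -request address with outbound SMTP
    attempts queued within `window` after it; return their details."""
    msgs = {}  # queue id -> {"time", "sender", "rcpts": [(recipient, via_smtp)]}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        stamp, daemon, qid, kind, addr = m.groups()
        rec = msgs.setdefault(qid, {"time": None, "sender": None, "rcpts": []})
        if kind == "from":  # qmgr line: envelope sender and queue time
            rec["sender"] = addr
            rec["time"] = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        else:               # delivery line: recipient, and whether it left via SMTP
            rec["rcpts"].append((addr, daemon == "smtp"))
    timed = [r for r in msgs.values() if r["time"]]
    inbound = [r for r in timed
               if any(a.split("@")[0].endswith("-request") for a, _ in r["rcpts"])]
    hits = []
    for req in inbound:
        for out in timed:
            delta = out["time"] - req["time"]
            remote = [a for a, via_smtp in out["rcpts"] if via_smtp]
            if remote and timedelta(0) <= delta <= window:
                hits.append({"request_from": req["sender"],
                             "envelope_sender": out["sender"],
                             "recipients": remote,
                             "seconds_after": int(delta.total_seconds())})
    return hits

if __name__ == "__main__":
    for hit in correlate(SAMPLE_LOG):
        print(hit)
```

A short `seconds_after` shows the outgoing message followed closely on the mail to the -request address, and `envelope_sender` shows what it was queued as.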


