[Mailman-Users] What is the best way to avoid fake senders?

Mark Sapiro mark at msapiro.net
Fri Apr 2 20:38:47 CEST 2010


On 4/1/2010 10:35 PM, Δημήτριος Καραπιπέρης wrote:
> 
> I am investigating ways how to avoid any fake senders trying to get
> through and approach my recipients.
> 
> I concluded the following
> a) use envelope_sender to figure out the sender


If you're thinking of the mm_cfg.py setting USE_ENVELOPE_SENDER = Yes,
it probably doesn't do what you think. It controls the search order for
the Mailman.Message.Message.get_sender() method. If USE_ENVELOPE_SENDER
= No, the order is From: header, Sender: header, envelope sender, and if
USE_ENVELOPE_SENDER = Yes, the order is Sender: header, From: header,
envelope sender.

In the case of most spam messages, there will be no Sender: header, so
get_sender() will return the address in the From: header regardless of
the USE_ENVELOPE_SENDER setting.

However, the main thing is that the get_sender() method is not what is
used to determine if a post is from a list member. It is used to
determine the sender to match against *_these_nonmembers, but only after
the post is determined to be not from a member.

Determining if a post is from a list member is done by calling the
Mailman.Message.Message.get_senders() method (note get_senders, not
get_sender) and checking each address in the returned list until either
a member address is found or the list is exhausted. The addresses
returned by get_senders() are controlled by the setting of SENDER_HEADERS
which defaults to ('from', None, 'reply-to', 'sender') which means
return the addresses from (in this order)
 the From: header
 the envelope sender
 the Reply-To: header
 the Sender: header.
If any of those is a list member, the post is determined to be from that
member. Thus, if you want only to test the envelope sender for list
membership, you would need to put

SENDER_HEADERS = (None,)

in mm_cfg.py, but even this may not help, as spammers spoof envelope
senders too. Also, it makes it difficult for list members to post from
alternate addresses by including Reply-To: their member address.


> b) moderate all posts


Is this a discussion list or a one-way, announce type list? If it's an
announce type list, moderate everyone and post using an Approved:
header. See the FAQ at <http://wiki.list.org/x/3YA9> for more detail.

If this is a discussion list and spammers are spoofing member addresses
in order to post, there's not much you can do in Mailman. Moderating
everyone works, but it is a burden for moderators. The best approach is
to have effective spam filtering ahead of Mailman.

-- 
Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
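
Added example, not part of the original message and not Mailman's own code: a stand-alone model of the two lookups described above, built only on the Python standard library. The function bodies, member address, envelope sender and message are constructed assumptions that follow the header order stated in the post.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed sample data (not from the original post).
MEMBERS = {"alice@example.org"}
ENVELOPE = "bounce@spam.example"   # envelope sender (SMTP MAIL FROM)
RAW = """\
From: Alice <alice@example.org>
Reply-To: promo@spam.example
To: list@example.org
Subject: constructed sample

body
"""
DEFAULT_SENDER_HEADERS = ("from", None, "reply-to", "sender")

def _addrs(msg, header):
    """Lower-cased addresses found in every instance of one header."""
    return [a.lower() for _, a in getaddresses(msg.get_all(header, [])) if a]

def get_sender(msg, envelope, use_envelope_sender=False):
    """Model of the single-address lookup: first hit in the stated order."""
    order = ("sender", "from") if use_envelope_sender else ("from", "sender")
    for header in order:
        found = _addrs(msg, header)
        if found:
            return found[0]
    return envelope.lower()

def get_senders(msg, envelope, sender_headers=DEFAULT_SENDER_HEADERS):
    """Model of the candidate list; None stands for the envelope sender."""
    out = []
    for header in sender_headers:
        out += [envelope.lower()] if header is None else _addrs(msg, header)
    return out

def is_member_post(msg, envelope, sender_headers=DEFAULT_SENDER_HEADERS):
    """A post counts as a member post if any candidate is a member."""
    return any(a in MEMBERS for a in get_senders(msg, envelope, sender_headers))

msg = message_from_string(RAW)

if __name__ == "__main__":
    print(get_sender(msg, ENVELOPE), get_sender(msg, ENVELOPE, True))
    print(get_senders(msg, ENVELOPE))
    print(is_member_post(msg, ENVELOPE), is_member_post(msg, ENVELOPE, (None,)))
```

In this sample the forged From: alone satisfies the membership test under the default order, while SENDER_HEADERS = (None,) makes the test depend only on the envelope sender.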


