[Mailman-Users] Administrivia Messages

Mark Sapiro mark at msapiro.net
Wed Feb 2 00:45:50 CET 2011


Beau Barnhart wrote:
>
>We have been asked by mail-abuse.org to make changes to the configuration
>to one of our servers.  The following is their request...


Actually, the request understates the problem. See below.


>-- message from mail-abuse.org ----------
>
>Currently, when messages arrive at your mail server it runs them through
>SpamAssassin, which checks for spam and tags them. Your mail server then
>passes this tagged message to mailman.
>
>Because it is to a -request address, mailman "knows" that these messages
>should contain commands.  It ignores the fact that SpamAssassin has
>already tagged it (Subject: {Definitely Spam?}), and looks through every
>line looking for a "subscribe", "unsubscribe" or other command.
>
>Of course, it doesn't find one.  So, it builds up a helpful reply, sets
>the X-Administrivia header to yes, and appends the original message, and
>forwards this to the From: address.
>
>Except that the From: address is forged, so the message, and its spam
>payload, get sent to an innocent third party.


And, this would occur even if spamassassin/MailScanner/whatever didn't
tag the subject. In fact, if the message is truly spam with a forged
From:, the likelihood that the subject contained a valid command
before tagging is small. And even if it did contain a valid command,
there is normally some reply from Mailman to the (forged) sender in
any case.

This backscatter problem is well known, and it is a serious issue.
Mailman 3 will address this to some degree.


>Please properly configure your mailing list software to send list
>administrivia _only_ to a local administrator, or configure it not to send
>to forged From: addresses.  In general, there is no need for "list
>administrivia" - it was an artifact of some of the original list
>management software.  It does not serve a useful purpose today.
>
>----------------------------
>
>Actually we use administrivia in custom scripts and don't want to disable
>it.  We even have members that still use the request commands.
>
>I've searched the mailman wiki as well as the mailman-users archive and
>have not been able to find how to configure the administrivia recipient.
>
>Any help would be appreciated.


There's not much you can do in Mailman 2.1.x, at least as far as
configuration options go. You can disable the administrative
addresses, but you say you don't want to do that. Changing the
disposition of replies or their content requires code modification.

I really should implement a site option to not include original message
content in auto responses. I meant to do it before now, but haven't.
Maybe I can get to it for 2.1.15.

For more on this issue, see the thread "before next release: disable
backscatter in default installation" beginning at
<http://mail.python.org/pipermail/mailman-developers/2008-March/019804.html>.

One thing you can do is configure your MTA to not accept likely spam at
SMTP time or simply discard (not reject) it if it was already
accepted, or maybe do this only for Mailman recipient addresses if you
don't want to do it universally. If you use MailScanner, it shouldn't
be too difficult to concoct an appropriate rule set for this.

-- 
Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
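The MTA-side filter Mark describes (silently discard spam-tagged mail addressed to Mailman's administrative sub-addresses, rather than rejecting it or letting Mailman auto-reply to a forged From:), written out as an added example that is not part of this thread or of Mailman itself. It assumes SpamAssassin-style X-Spam-Flag/X-Spam-Status headers or the MailScanner subject tag quoted above; list and domain names are constructed.

```python
import email
from email.utils import getaddresses

# Mailman 2.1 administrative sub-addresses whose auto-replies go back to the
# (possibly forged) From: address and therefore cause backscatter.
ADMIN_SUFFIXES = ("-request", "-join", "-leave", "-subscribe",
                  "-unsubscribe", "-confirm", "-owner", "-admin", "-bounces")

def is_admin_recipient(addr):
    """True if the local part ends in a Mailman administrative suffix."""
    local, _, domain = addr.lower().rpartition("@")
    return bool(domain) and local.endswith(ADMIN_SUFFIXES)

def spam_tagged(msg):
    """True if a SpamAssassin/MailScanner front end already marked the message."""
    if msg.get("X-Spam-Flag", "").strip().upper() == "YES":
        return True
    if msg.get("X-Spam-Status", "").strip().lower().startswith("yes"):
        return True
    # MailScanner-style subject tag, as seen in the mail-abuse.org report.
    return "{Definitely Spam?}" in msg.get("Subject", "")

def disposition(raw):
    """Decide what to do with an already-accepted message before Mailman sees it.

    'discard': drop silently. No bounce and no Mailman auto-reply, so nothing
               is sent to the forged From: address.
    'deliver': hand to Mailman as usual (normal list posts and clean commands).
    """
    msg = email.message_from_string(raw)
    rcpts = [a for _, a in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))]
    if any(is_admin_recipient(a) for a in rcpts) and spam_tagged(msg):
        return "discard"
    return "deliver"

# Constructed samples: spam to a -request address with a forged From:, the same
# message without any spam marking, and spam to the ordinary posting address.
SPAM_TO_REQUEST = (
    "From: innocent@example.org\n"
    "To: announce-request@lists.example.net\n"
    "Subject: {Definitely Spam?} cheap pills\n"
    "X-Spam-Flag: YES\n\n"
    "buy now\n"
)
CLEAN_REQUEST = (
    "From: member@example.org\n"
    "To: announce-request@lists.example.net\n"
    "Subject: unsubscribe\n\n"
    "unsubscribe\n"
)
SPAM_TO_LIST = SPAM_TO_REQUEST.replace("announce-request@", "announce@")
```

Spam aimed at the list's posting address is left for Mailman's own moderation, matching the suggestion to apply the rule only to administrative recipients.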