[Mailman-Users] Mailman suddenly passing through spam from the -bounces addresses

[Rusty Newton]

Hi!

New to the list! I'm the community support manager at the Asterisk project.

We've used mailman for ages and we are on 2.1.14 at the moment. I
rarely get too deep with mailman other than the administration
interface. It mostly works and we don't touch much underneath.

Recently I started receiving a lot of spam on the mailman-bounces@
addresses where the From address no longer contains the
mailman-bounces@ address and instead contains the spammer's address.

In this case the spam doesn't look like bounce traffic. I'm wondering
if someone can help me identify why mailman might let it through? From
reading documentation and the mailman mail archives I get the
impression that it should be discarding this traffic. However I can't
identify why it isn't discarding this non-bounce traffic.

Here is one example of the spam that comes to the owners addresses via
mailman-bounces:

http://pastebin.com/u2HyNLw6

The list in question has all three bounce notification options set to *no*.

That is:

bounce_unrecognized_goes_to_list_owner
bounce_notify_owner_on_disable
bounce_notify_owner_on_removal

With these three options disabled - should I expect mailman to relay
spam like this to the list owners through mailman-bounces@ ?

Is there a way to tell mailman to not send anything from mailman-bounces?

Preferably I'd like to have mailman only pass through legitimate
bounce messages. If that isn't possible then I'd like to find out how
to disable the traffic from mailman-bounces completely.

If I haven't provided enough information, let me know and I'll do my
best to get it for you. Thanks in advance.

-- 
Rusty Newton