[Mailman-Developers] Indirect Spam Vulnerability
Barry Warsaw
barry at python.org
Thu Jun 19 00:35:36 EDT 2003
On Wed, 2003-06-18 at 18:38, Matt Helsley wrote:
> I have two lists: foo at myhost.com
> moderated at myhost.com
>
> The spammer sends mail forged as foo at myhost.com to moderated at myhost.com. The
> mail gets held for approval and a message gets sent to foo at myhost.com
> informing it that the message has been held (oftentimes the subject line
> is mentioned and contains lewd content which I'd rather not have sent out
> to subscribers on foo at myhost.com). This is why I used the word 'indirect
> spam'.
Nice. :(
> Couldn't mailman redirect bounce/moderation notifications in the case
> where the FROM address is a mailman list and send it to the site/list
> administrator instead (or maybe drop it completely??)? I think this would
> avoid spamming the list subscribers while adding a minor load to the
> administrator's work.
>
> Does mailman 2.1.x already do this? If not, would this break something in
> mailman? Is it unreasonably restrictive on the site/list administrator(s)?
Mailman doesn't do this, and it's not a bad idea. Of course, the best
you can do is prevent indirect spam within the same Mailman instance.

Another approach would be to set up a "suspicious header" hold on
"Message-ID: <mailman." which is always added by the routines that
Mailman uses to send out mail. IWBNI you could actually configure
Mailman to drop such messages.

-Barry
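
The redirect proposed in the quoted message and the Message-ID check from the reply, combined in an added sketch that is not Mailman code and not part of the original messages. The list set, admin address, helper-address suffixes, function names and sample messages are assumptions constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed for illustration: the two lists from the thread and an assumed admin.
LOCAL_LISTS = {"foo@myhost.com", "moderated@myhost.com"}
ADMIN = "listadmin@myhost.com"
# Assumed helper-address suffixes; adjust to the installation.
SUFFIXES = ("-owner", "-request", "-bounces", "-admin")

def is_local_list(addr, lists=LOCAL_LISTS):
    """True if addr is a local list's posting address or a helper address."""
    addr = addr.strip().lower()
    local, _, domain = addr.partition("@")
    local = local.split("+", 1)[0]          # ignore VERP-style "+detail"
    if f"{local}@{domain}" in lists:
        return True
    return any(local.endswith(s) and f"{local[:-len(s)]}@{domain}" in lists
               for s in SUFFIXES)

def hold_notice_recipient(raw, admin=ADMIN):
    """Return (recipient, reason) for the 'message held' notice."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1]
    msgid = (msg.get("Message-ID") or "").strip().lower()
    if not sender:
        return admin, "no-sender"
    if is_local_list(sender):
        return admin, "from-local-list"     # never notify a list's subscribers
    if msgid.startswith("<mailman."):
        return admin, "mailman-message-id"  # carries Mailman's Message-ID prefix
    return sender, "normal"

# Constructed sample messages.
FORGED = "From: foo@myhost.com\nTo: moderated@myhost.com\nSubject: x\n\nbody\n"
LOOPED = ("From: someone@example.net\nTo: moderated@myhost.com\n"
          "Message-ID: <mailman.1.1055997336.1234.other@example.net>\n\nbody\n")
NORMAL = "From: Alice <alice@example.org>\nTo: moderated@myhost.com\n\nhi\n"

if __name__ == "__main__":
    for name, raw in (("forged", FORGED), ("looped", LOOPED), ("normal", NORMAL)):
        print(name, hold_notice_recipient(raw))
```

As the reply notes, the From check only covers lists known to the same instance; the Message-ID check is what catches notices that originate from other Mailman installations.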