Re: mailman and spam
Hi -
> From: "Matthew J Zekauskas" <matt@internet2.edu>
> To: <wgchairs@ietf.org>
> Cc: "Randy Presuhn" <randy_presuhn@mindspring.com>
> Sent: Friday, August 22, 2003 11:00 AM
> Subject: Re: mailman and spam
>
> Did it actually go out to the mailing list? (I'm on DISMAN,
> and I don't think I saw it... but on the other hand, my
> local spamassassin installation may have classified it for me
> and I may have just tossed without noticing it was from the
> list.)
As far as I can tell, it did. I received a copy in my own mailbox
with all the usual disman list headers, but *without* the "[Disman]"
that would normally appear in the subject line.
> Some of the archive addresses (e.g. disman-web-archive or
> disman-archive) are also on these lists, so it's possible
> that the mail goes into the archive without ever getting
> on the list. (It's definitely happened for ippm.)
Majordomo ("out-of-box") had this vulnerability. We were able
to avoid the problem by having the majordomo scripts invoke
sendmail using a private sendmail.cf and aliases so that someone
sending directly to disman-list@example.com would simply
bounce. We further limited things by putting the archives on a
firewall-protected host so that SMTP traffic could get there only
from the list host. I don't know enough about mailman to know
whether similar vulnerabilities and work-arounds apply.
Randy
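
A defensive audit for the two symptoms discussed in this thread (a message carrying list headers but no "[Disman]" subject tag, and mail addressed straight to an archive alias without passing through the list), as an added example that is not part of the original message. The List-Id value, the example.com addresses and the sample messages are assumptions constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses

# Assumptions, not taken from the thread: the list software stamps a List-Id
# header, and the archive aliases live under example.com.
LIST_ID = "disman.example.com"
SUBJECT_TAG = "[disman]"
ARCHIVE_ALIASES = {"disman-archive@example.com",
                   "disman-web-archive@example.com"}

def audit(raw):
    """Return a list of findings for one archived message (empty list = clean)."""
    msg = message_from_string(raw)
    findings = []
    # A message that really went through the list carries the list's own header.
    if LIST_ID not in (msg.get("List-Id") or ""):
        findings.append("no-list-header")
    # The list normally prepends its tag to the subject line.
    if SUBJECT_TAG not in (msg.get("Subject") or "").lower():
        findings.append("no-subject-tag")
    # Archive aliases are internal plumbing and should never be visible recipients.
    rcpts = {addr.lower() for _, addr in
             getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))}
    if rcpts & ARCHIVE_ALIASES:
        findings.append("addressed-to-archive")
    return findings

# Constructed sample messages.
NORMAL = ("From: a@example.org\nTo: disman@example.com\n"
          "Subject: [Disman] agenda\nList-Id: <disman.example.com>\n\nbody\n")
UNTAGGED = ("From: b@example.org\nTo: disman@example.com\n"
            "Subject: cheap offer\nList-Id: <disman.example.com>\n\nbody\n")
DIRECT = ("From: b@example.org\nTo: disman-archive@example.com\n"
          "Subject: cheap offer\n\nbody\n")

if __name__ == "__main__":
    for name, raw in (("normal", NORMAL), ("untagged", UNTAGGED),
                      ("direct", DIRECT)):
        print(name, audit(raw))
```

Run over an archive mailbox, "no-list-header" together with "addressed-to-archive" marks mail that reached the archive without going through the list, the case the private aliases and firewall described above are meant to close.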