mailman responds to mail with no valid command
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
GNU Mailman | Fix Released | High | Mark Sapiro | |
Bug Description
Mailman at the -request aliases responds to any mail sent to the addresses, even if the mail did not contain any valid command. That can easily be abused by spammers: they send mail with a forged From address to a -request alias, and mailman "bounces" it back to the forged sender. Firstly, it is some kind of annoying backscatter which should be stopped; secondly, if the forged address happens to be a spamtrap one (or the backscatter is reported), it results in the mailman server landing on a blacklist.
It happened two times with our listserver and SpamCop.
The attached patch introduces the discard_
Please consider applying: it's really bad to be blocked by an RBL.
Changed in mailman: status: In Progress → Fix Committed
Changed in mailman: status: Fix Committed → Fix Released
Thanks for the report and suggested patch. This is only part of the larger backscatter from Mailman issue which will be addressed in Mailman 2.2. Your patch is helpful for this.
I'm leaning towards making all these things controlled by site (mm_cfg.py) rather than list settings because ultimately they affect the entire mail server, not just a list or lists. Thus, as you understand, they should be controlled by a site admin, not a list owner.
If some of these settings actually need to be list settings (something I haven't gotten to yet), perhaps a compromise such as leaving them out of the GUI and requiring the non-default to be set by config_list or withlist is appropriate.
Do you really have a need for this to be a list rather than a site setting?
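The check the report asks for, sketched as an added example (not Mailman's code and not the attached patch): a -request handler that replies only when the message contains a recognised command. The command set, `MAX_LINES` and the `suppress_empty_replies` switch are assumptions made for illustration, with the switch kept as a single site-wide parameter as the reply above suggests.

```python
import email
from email.message import Message

# Illustrative subset of request-address commands; not taken from Mailman's source.
KNOWN_COMMANDS = {"subscribe", "unsubscribe", "help", "who", "info",
                  "lists", "password", "set", "confirm", "join", "leave"}
MAX_LINES = 25  # hypothetical cap on body lines scanned for commands


def find_commands(msg: Message) -> list[str]:
    """Return the command lines found in the Subject and the text/plain body."""
    candidates = [str(msg.get("Subject", ""))]
    part = next((p for p in msg.walk() if p.get_content_type() == "text/plain"), None)
    if part is not None:
        payload = part.get_payload(decode=True) or b""
        candidates += payload.decode("utf-8", "replace").splitlines()[:MAX_LINES]
    found = []
    for line in candidates:
        words = line.split()
        if words and words[0].lower() in KNOWN_COMMANDS:
            found.append(line.strip())
    return found


def disposition(raw: bytes, suppress_empty_replies: bool = True) -> str:
    """Decide what the -request handler does: 'process', 'discard' or 'reply'."""
    msg = email.message_from_bytes(raw)
    if find_commands(msg):
        return "process"
    # No valid command: a reply would go to an unverified From address (backscatter).
    return "discard" if suppress_empty_replies else "reply"


# Constructed sample messages (addresses use reserved example domains).
SPAM = (b"From: trap@example.org\r\nTo: list-request@example.com\r\n"
        b"Subject: Cheap watches\r\n\r\nBuy now at a great price\r\n")
REAL = (b"From: user@example.net\r\nTo: list-request@example.com\r\n"
        b"Subject: (no subject)\r\n\r\nsubscribe\r\n")

if __name__ == "__main__":
    for name, raw in (("spam", SPAM), ("real", REAL)):
        print(name, disposition(raw), disposition(raw, suppress_empty_replies=False))
```

With the switch off, the constructed spam message gets a reply to its forged sender, which is the behaviour the report describes.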