Am 20.12.2023 um 17:26:25 Uhr schrieb Thomas Schmitt: > A while ago this list had a problem with fake bounces. A troll managed > to convince the list server that some of the subscribers would reject > the list mails. I am not familiar with the exact technical properties > of that attack and how it was finally disabled by the listmasters.
Bounces go to the address in the Return-Path header Return-Path: <bounce-debian-user=mm=dorfdsl...@lists.debian.org> As you can see the address is unique to the subscriber. You can look how normal bounce look like and send such a message to the address in Return-Path. One possibility to mitigate that is to check SPF of the domain of the included address, in that example the list server could check of the server sending the bounce is listed in the SPF of dorfdsl.de - and if not - reject the message.
