Hello, sorry if this is a dumb observation, but recent spam to the posting address of one of our lists (fortunately a moderated distribution-only list) has prompted some tests on my part. I have then noticed that the confirm address (listname-confirm [EMAIL PROTECTED]) and the request address ([EMAIL PROTECTED]) act as mirrors to the alleged envelope sender, sending back the whole email after the parsed commands. Until now no spammers have used this, but sooner or later they will.
For the "confirm" case I suppose a solution would be to only reply to confirm strings that are in the database and only if the envelope sender IS the one associated with the particular confirm string. For the "request" case instead the situation is more complex. The reply should only be generated if the sender is a subscriber to the list, unless, of course, the subject is "subscribe". If it is a subscribe, though, the body of the message does not contain the original body and the damage is limited. In this "subscribe" case perhaps throttling or a maximum number of outstanding subscription requests would be a good idea. Of course this might be in the latest release, but I did not find mention of it in the list.

Thank you

Giuliano

_______________________________________________
Mailman-Developers mailing list
Mailman-Developers@python.org
http://mail.python.org/mailman/listinfo/mailman-developers
Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py
Searchable Archives: http://www.mail-archive.com/mailman-developers%40python.org/
Unsubscribe: http://mail.python.org/mailman/options/mailman-developers/archive%40jab.org
Security Policy: http://www.python.org/cgi-bin/faqw-mm.py?req=show&file=faq01.027.htp
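The reply gate the post sketches, written out as an added example. This is not Mailman's own code: it is a stand-alone Python model in which the membership table, the pending-confirmation table and the "outstanding subscribe requests" counter are constructed in-memory stand-ins, the confirm string is assumed to arrive as `Subject: confirm <cookie>`, and the `max_outstanding` cap is a hypothetical setting. The point it shows is the backscatter defence: the `-confirm` robot answers only a cookie it issued, and only to the envelope sender the cookie was issued to; the `-request` robot answers only subscribers, except for a throttled `subscribe`; and in no case does the reply get permission to echo the incoming body, so a forged sender never receives the spam payload relayed through the list.

```python
import re
from dataclasses import dataclass, field
from email import message_from_string


@dataclass
class ListState:
    """Constructed in-memory stand-in for the list's membership and pending confirmations."""
    subscribers: set                       # lower-cased addresses of current members
    pending_confirms: dict                 # confirm cookie -> address that requested it
    max_outstanding: int = 2               # hypothetical cap on unanswered subscribe requests per sender
    outstanding_subscribes: dict = field(default_factory=dict)  # sender -> count


@dataclass
class Decision:
    reply: bool                            # should the robot send anything at all?
    reason: str                            # why (useful for a log line)
    echo_original: bool = False            # may the reply quote the incoming body? Always False here.


NULL_SENDER = ""   # MAIL FROM:<> (bounces); a robot must never answer these


def gate_confirm(state, envelope_sender, subject):
    """-confirm robot: reply only to a cookie we issued, and only to the address it was issued to."""
    if envelope_sender == NULL_SENDER:
        return Decision(False, "null envelope sender")
    m = re.match(r"\s*confirm\s+(\S+)", subject, re.IGNORECASE)
    if not m:
        return Decision(False, "no confirm string in subject")
    owner = state.pending_confirms.get(m.group(1))
    if owner is None:
        return Decision(False, "unknown confirm string")
    if owner.lower() != envelope_sender.lower():
        return Decision(False, "envelope sender does not match the confirm string")
    return Decision(True, "valid confirmation", echo_original=False)


def gate_request(state, envelope_sender, subject):
    """-request robot: subscribers only, except a throttled 'subscribe'; never mirror the body."""
    if envelope_sender == NULL_SENDER:
        return Decision(False, "null envelope sender")
    sender = envelope_sender.lower()
    command = (subject.strip().split(None, 1) or [""])[0].lower()
    if command == "subscribe":
        n = state.outstanding_subscribes.get(sender, 0)
        if n >= state.max_outstanding:
            return Decision(False, "too many outstanding subscribe requests for this sender")
        state.outstanding_subscribes[sender] = n + 1
        return Decision(True, "subscribe request accepted, confirmation pending")
    if sender not in state.subscribers:
        return Decision(False, "command from non-subscriber")
    return Decision(True, "command '%s' from subscriber" % command)


def gate(state, robot, envelope_sender, raw_message):
    """Dispatch a raw RFC 822 message addressed to <list>-confirm or <list>-request."""
    subject = message_from_string(raw_message).get("Subject", "")
    if robot == "confirm":
        return gate_confirm(state, envelope_sender, subject)
    if robot == "request":
        return gate_request(state, envelope_sender, subject)
    return Decision(False, "unknown robot address")


def make_demo_state():
    """Constructed sample data: one member, one confirmation cookie issued to alice."""
    return ListState(subscribers={"bob@example.org"},
                     pending_confirms={"c0ff33": "alice@example.org"})


# Constructed sample: spam sent to the -request address with a forged envelope sender.
SPAM = "From: Forged <victim@example.net>\nSubject: help\n\nBuy now, see the attached offer.\n"

if __name__ == "__main__":
    s = make_demo_state()
    for robot, sender, msg in [("request", "victim@example.net", SPAM),
                               ("request", "bob@example.org", SPAM),
                               ("confirm", "victim@example.net", "Subject: confirm c0ff33\n\n"),
                               ("confirm", "alice@example.org", "Subject: confirm c0ff33\n\n")]:
        d = gate(s, robot, sender, msg)
        print("%-7s %-20s reply=%-5s %s" % (robot, sender, d.reply, d.reason))
```

The throttle counts unanswered `subscribe` requests per envelope sender, so a forged address can only be made to receive `max_outstanding` confirmation prompts before the robot goes quiet; the counter would be decremented when the matching cookie is confirmed or expires.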