Mark Sapiro wrote:
On 4/1/2010 10:35 PM, Δημήτριος Καραπιπέρης wrote:
I am investigating ways to avoid any fake senders trying to get
through and approach my recipients.
I concluded the following:
a) use envelope_sender to figure out the sender
If you're thinking of the mm_cfg.py setting USE_ENVELOPE_SENDER = Yes,
it probably doesn't do what you think. It controls the search order for
the Mailman.Message.Message.get_sender() method. If USE_ENVELOPE_SENDER
= No, the order is From: header, Sender: header, envelope sender, and if
USE_ENVELOPE_SENDER = Yes, the order is Sender: header, From: header,
envelope sender.
In the case of most spam messages, there will be no Sender: header, so
get_sender() will return the address in the From: header regardless of
the USE_ENVELOPE_SENDER setting.
However, the main thing is that the get_sender() method is not what is
used to determine if a post is from a list member. It is used to
determine the sender to match against *_these_nonmembers, but only after
the post is determined to be not from a member.
Determining if a post is from a list member is done by calling the
Mailman.Message.Message.get_senders() method (note get_senders, not
get_sender) and checking each address in the returned list until either
a member address is found or the list is exhausted. The addresses
returned by get_senders() are controlled by the setting of SENDER_HEADERS
which defaults to ('from', None, 'reply-to', 'sender') which means
return the addresses from (in this order)
the From: header
the envelope sender
the Reply-To: header
the Sender: header.
If any of those is a list member, the post is determined to be from that
member. Thus, if you want only to test the envelope sender for list
membership, you would need to put
SENDER_HEADERS = (None,)
in mm_cfg.py, but even this may not help, as spammers spoof envelope
senders too. Also, it makes it difficult for list members to post from
alternate addresses by including Reply-To: their member address.
b) moderate all posts
Is this a discussion list or a one-way, announce type list? If it's an
announce type list, moderate everyone and post using an Approved:
header. See the FAQ at <http://wiki.list.org/x/3YA9> for more detail.
If this is a discussion list and spammers are spoofing member addresses
in order to post, there's not much you can do in Mailman. Moderating
everyone works, but it is a burden for moderators. The best approach is
to have effective spam filtering ahead of Mailman.
Thanks Mark.
This reply will help a lot of people.
Are there any other ways, including maybe the MTA (e.g. Postfix) or other
techniques such as client certificates, that can add an extra layer of
security against fake senders, who are not only spammers but also
malicious users?
thanks
Dimitrios
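
The sender lookup order described in the quoted reply, as an added example that is not part of the original thread and is not Mailman's own code: a simplified model showing why the default SENDER_HEADERS accepts a forged From: header and what SENDER_HEADERS = (None,) changes. The function bodies, the member set, and all addresses are constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses

DEFAULT_SENDER_HEADERS = ('from', None, 'reply-to', 'sender')  # default quoted above
ENVELOPE_ONLY = (None,)                                        # setting suggested above

def _addrs(msg, header):
    """Lower-cased addresses found in every occurrence of one header."""
    return [a.lower() for _, a in getaddresses(msg.get_all(header, [])) if a]

def get_senders(msg, envelope_sender, sender_headers):
    """Model of get_senders(): None in the tuple stands for the envelope sender."""
    found = []
    for header in sender_headers:
        if header is None:
            candidates = [envelope_sender.lower()] if envelope_sender else []
        else:
            candidates = _addrs(msg, header)
        for addr in candidates:
            if addr not in found:
                found.append(addr)
    return found

def get_sender(msg, envelope_sender, use_envelope_sender=False):
    """Model of get_sender(): the flag only swaps the From:/Sender: order."""
    order = ('sender', 'from') if use_envelope_sender else ('from', 'sender')
    for header in order:
        addrs = _addrs(msg, header)
        if addrs:
            return addrs[0]
    return (envelope_sender or '').lower()

def matching_member(msg, envelope_sender, members, sender_headers):
    """First candidate address that is a list member, else None."""
    for addr in get_senders(msg, envelope_sender, sender_headers):
        if addr in members:
            return addr
    return None

# Constructed sample data: one member, one forged post, one legitimate post
# sent from an alternate address with the member address in Reply-To:.
MEMBERS = {'alice@example.org'}
FORGED = message_from_string(
    "From: Alice <alice@example.org>\nSubject: offer\n\nbody\n")
FORGED_ENVELOPE = 'bounce@bulk.example'
ALTERNATE = message_from_string(
    "From: alice@home.example\nReply-To: alice@example.org\nSubject: hi\n\nbody\n")
ALTERNATE_ENVELOPE = 'alice@home.example'
```

With the default tuple both sample posts match the member; with the envelope-only tuple neither does, which is the trade-off the reply describes. A forged envelope sender equal to the member address would still match in either case.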