Recently an address at yahoo.com subscribed to a large number of mailing lists and then sent spam messages to them. Because the address was subscribed to the mailing list, Mailman was configured to send the messages along without delay and without filtering.

I would like to set default_member_moderation to yes on all of the mailing lists. That setting sets the hold-for-moderation bit for new subscribers until it is cleared manually. The effect is that someone can subscribe but their first posting will be held for human review, the same as a non-subscriber. Once they have posted a message and a human listhelper has reviewed it, they would clear the moderate bit for that address. Subsequent mail messages from them would be passed through without delay and without filtering, the same as it is done now.

On many of the mailing lists the default_member_moderation is already set to yes to protect against this problem. I always set it on the mailing lists that I watch closely. But so far it is far from globally implemented.

By doing this initial hold it would avoid the types of spam attacks that we are vulnerable to at this moment. I fear that because of the popularity of Mailman more attackers might automate this process and slip more spam through the system.

I think we should ensure that default_member_moderation is set on every list. What do you think?

Bob
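
One way to audit and apply this setting across every list, shown as an added example that is not part of the original message. It assumes Mailman 2.1, whose bin/withlist calls a named function once per list with the MailList object; the module name enforce_moderation and both function names are hypothetical, and the file is assumed to sit on withlist's import path.

```python
# enforce_moderation.py -- added example, not from the original message.
# Assumes Mailman 2.1 and that this file is importable by bin/withlist.
#
#   bin/withlist -a -r enforce_moderation.audit        (read-only report)
#   bin/withlist -l -a -r enforce_moderation.enforce   (lock, set, save)
#
# Only future subscribers are affected: the setting decides the initial
# moderate bit, so existing members keep whatever bit they have now.


def audit(mlist):
    """Report whether new subscribers of this list start out moderated."""
    held = bool(mlist.default_member_moderation)
    print("%-30s default_member_moderation=%s"
          % (mlist.internal_name(), "yes" if held else "NO"))
    return held


def enforce(mlist):
    """Turn default_member_moderation on. Returns True if the list changed."""
    if mlist.default_member_moderation:
        return False  # already protected, nothing to write
    if not mlist.Locked():
        # withlist only saves what we Save() ourselves, and Save() needs
        # the list lock that the -l flag acquires.
        raise RuntimeError("%s is not locked; run withlist with -l"
                           % mlist.internal_name())
    mlist.default_member_moderation = 1
    mlist.Save()
    print("%-30s changed to yes" % mlist.internal_name())
    return True
```

Run the audit first; its output shows which lists the second command will change.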
