On Mon, Feb 20, 2006 at 09:57:53AM -0500, Randolph Baden wrote:
> Well, I don't really know much about majordomo or anything, but I do know
> that it's really easy to spoof e-mail addresses. Do they check more than
> just the sender's e-mail address? If so, what? Of course, that would mean
> that the spammers would somehow need to know the e-mail address of someone
> on the list, but maybe there's a way to find that out too...
That's an astute point, and something that's concerned the anti-spam community for years. Just about everyone running a mailing list, whether via majordomo or mailman or ezmlm or anything else, is relying on a very weak "authentication" mechanism for incoming traffic: the sender's putative email address. (And the converse is true as well: many members of mailing lists are relying on a very weak "authentication" mechanism for identifying list traffic: List-Id, "Sender:" header, "Subject" prefix, or similar.)

I'm pretty convinced at this point that the only reason we haven't seen massive exploitation of this by spammers is that it hasn't been necessary or desirable. But were it to become so, spammers certainly have the technical expertise to pull it off, and the ready availability of the requisite data (whether via publicly-accessible list archives, exposed mailboxes, mail stored on compromised systems, etc.) would give them exactly what they need to make it work. This is a problem.
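To make the weakness concrete, here is an added example (not from the thread or from any list manager's code) contrasting the roster-only check the message describes with one that also requires an aligned DKIM pass. It assumes a hypothetical deployment where the inbound MTA verifies DKIM and stamps an Authentication-Results header; the two sample messages are constructed.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample data, not taken from the original thread.
SUBSCRIBERS = {"alice@example.org", "bob@example.net"}

GENUINE = """From: Alice <alice@example.org>
To: list@example.com
Authentication-Results: mx.example.com; dkim=pass header.d=example.org
Subject: on-topic post

hello
"""

# Same From: as a real subscriber, but never authenticated by DKIM.
FORGED = """From: Alice <alice@example.org>
To: list@example.com
Authentication-Results: mx.example.com; dkim=none
Subject: unsolicited offer

spam
"""

def weak_check(raw):
    """What most list managers do: is the From: address on the roster?"""
    msg = email.message_from_string(raw, policy=policy.default)
    _, addr = parseaddr(str(msg["From"]))
    return addr.lower() in SUBSCRIBERS

def dkim_pass_domains(msg):
    """header.d values from dkim=pass results stamped by our own MTA.
    Assumption: the MTA strips any Authentication-Results it did not add,
    otherwise this header is as forgeable as From: itself."""
    domains = set()
    for hdr in msg.get_all("Authentication-Results", []):
        for clause in str(hdr).split(";")[1:]:
            parts = clause.split()
            if parts and parts[0] == "dkim=pass":
                for p in parts[1:]:
                    if p.startswith("header.d="):
                        domains.add(p[len("header.d="):].lower())
    return domains

def strong_check(raw):
    """Roster membership plus a DKIM pass aligned with the From: domain."""
    msg = email.message_from_string(raw, policy=policy.default)
    _, addr = parseaddr(str(msg["From"]))
    if addr.lower() not in SUBSCRIBERS:
        return False
    return addr.rpartition("@")[2].lower() in dkim_pass_domains(msg)
```

The roster-only check accepts both messages; the aligned check rejects the forged one while still accepting the genuine post.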
