FAQ
Hi,

SPAM email where the from address appears as the list itself is
bypassing the list rules for posting and is automatically accepted.

Is this a mailman feature? Does it always approve mail coming from
itself? Should it?

How can I stop it without turning emergency moderation on (not sure if
this will stop them or not)?


Thanks,

Nuno

Search Discussions

  • John A. Martin at Aug 14, 2003 at 1:56 pm

    "Nuno" == Nuno Serra
    "[Mailman-Users] SPAM getting through on moderated lists"
    Wed, 13 Aug 2003 22:16:20 +0200
    Nuno> Hi, SPAM email where the from address appears as the list
    Nuno> itself is bypassing the list rules for posting and is
    Nuno> automatically accepted.

    Hmm.... That makes for IMHO an interesting question. Since many, if
    not most MTAs can be configured to reject mail from specific envelope
    senders, usually specified as regular expressions, the question is

    what if any envelope senders related to mailman lists (and not
    from our local {host,net}) can be rejected by an MTA that is
    dedicated to handling incoming mail for only the lists.

    It is advantageous to reject unwanted mail during the SMTP
    conversation rather than later.

    It should be pretty easy to cause a MTA reject all incoming mail from
    non-local relays with any envelope sender address appearing among the
    Mailman aliases.

    Will this do no harm?

    Nuno> How can I stop it without turning emergency moderation on
    Nuno> (not sure if this will stop them or not)?

    If the list shows up as a header sender, have you looked at "Hold
    posts with header value matching a specified regexp" among the Privacy
    Options?

    jam
  • Ed Wilts at Aug 14, 2003 at 3:09 pm

    On Thu, Aug 14, 2003 at 09:56:49AM -0400, John A. Martin wrote:
    Hmm.... That makes for IMHO an interesting question. Since many, if
    not most MTAs can be configured to reject mail from specific envelope
    senders, usually specified as regular expressions, the question is

    what if any envelope senders related to mailman lists (and not
    from our local {host,net}) can be rejected by an MTA that is
    dedicated to handling incoming mail for only the lists.

    It is advantageous to reject unwanted mail during the SMTP
    conversation rather than later.

    It should be pretty easy to cause a MTA reject all incoming mail from
    non-local relays with any envelope sender address appearing among the
    Mailman aliases.
    This sounds like a good and safe thing to configure, but I'm not enough
    of a sendmail expert to write those rules. What would one look like to
    allow, for example, a mail message to list at foo.com to only come from an
    MTA in the foo.com domain?

    Thanks,
    .../Ed

    --
    Ed Wilts, Mounds View, MN, USA
    mailto:ewilts at ewilts.org
  • John A. Martin at Aug 14, 2003 at 4:34 pm

    "Ed" == Ed Wilts
    "Re: [Mailman-Users] SPAM getting through on moderated lists"
    Thu, 14 Aug 2003 10:09:46 -0500
    Ed> What would one look like to allow, for example, a mail message
    Ed> to list at foo.com to only come from an MTA in the foo.com
    Ed> domain?

    I don't do Sendmail anymore. One way to do this with a recent Postfix
    would be something like the following which is untested but should
    work for a dedicated MTA on the same host as Mailman.

    1. Check that 'postconf mynetworks' gives 127.0.0.0/8 plus whatever
    IPs from which you do _not_ want to block SMTP 'mail from:
    <list at foo.com>'. NB. If 'mynetworks' includes MX backup hosts mail
    arriving therefrom will not be blocked by what follows.

    2. Cause something like the following to be run as root either
    whenever the Mailman aliases are modified or, less well,
    periodically by cron. This converts the Mailman aliases file,
    excluding the loop detection alias, into a Postfix access table.

    egrep -v '^$|^#|^mailman-loop'</var/lib/mailman/data/aliases|
    sed 's/^\([^:]*\):.*$/\1 550 Bogus Mail From/'>
    /etc/postfix/check-list-bmf
    postmap /etc/postfix/check-list-bmf

    The above bash script assumes Mailman and Postfix installed from
    recent Debian packages.

    3. In /etc/postfix/main.cf

    smtpd_recipient_restrictions =
    ...
    permit_mynetworks
    ...
    check_sender_access hash:/etc/postfix/check-list-bmf
    ...
    permit

    Something similar should be easy with Sendmail, right? :)

    It still needs to be determined whether the above will do no harm.

    HTH

    jam
  • John A. Martin at Aug 15, 2003 at 12:18 pm

    "jam" == John A Martin
    "Re: [Mailman-Users] SPAM getting through on moderated lists"
    Thu, 14 Aug 2003 12:34:21 -0400
    jam> 2. Cause something like the following to be run as root
    jam> either whenever the Mailman aliases are modified or, less
    jam> well, periodically by cron. This converts the Mailman
    jam> aliases file, excluding the loop detection alias, into a
    jam> Postfix access table.

    jam> egrep -v
    jam> '^$|^#|^mailman-loop'</var/lib/mailman/data/aliases|
    jam> sed 's/^\([^:]*\):.*$/\1 550 Bogus Mail
    jam> From/'> /etc/postfix/check-list-bmf
    jam> postmap /etc/postfix/check-list-bmf

    jam> The above bash script assumes Mailman and Postfix
    jam> installed from recent Debian packages.

    That is pure rubbish. I should never post untested anything that even
    looks like a script or suchlike. I'm too prone to big oversights as
    above.

    The above produces 'email-address-pattern action' pairs from the
    aliases using only the 'name' part of the alias which does not (in
    general) give an appropriate 'email-address-pattern' for the Postfix
    access table. The script above could be modified to produce an
    'email-address-pattern' of the form 'name at domain.tld' which would
    work. However, if the Postfix/Mailman host is dedicated to the
    mailing lists with a hostname like lists.example.com and
    it also serves Postfix style virtual domain for mailing lists
    something like lists.foo.tld then the Postfix access table could look
    something like

    ,----[ /etc/postfix/check-list-bmf ]
    lists.example.com 550 Bogus Mail From
    lists.foo.tld 550 Bogus Mail From
    lists.bar.tld 550 Bogus Mail From
    `----

    with a line for the Mailman host and each Postfix style virtual domain
    used for Mailman lists. This access table needs maintenance (postmap)
    only when virtual domains are added or removed. When employed in the
    context

    jam> 3. In /etc/postfix/main.cf

    jam> smtpd_recipient_restrictions jam> ...
    jam> permit_mynetworks
    jam> ... check_sender_access
    jam> hash:/etc/postfix/check-list-bmf
    jam> ...
    jam> permit

    this will reject incoming mail using SMTP 'mail from:' our host or any
    of the FQDN hostnames used for (Postfix style) mail virtual domains.
    This should AFICT do no harm.

    The Sendmail equivalent should also be even easier without using the
    aliases, no?

    HTH

    jam

Related Discussions

Discussion Navigation
viewthread | post
Discussion Overview
groupmailman-users @
categoriespython
postedAug 13, '03 at 8:16p
activeAug 15, '03 at 12:18p
posts5
users3
websitelist.org

People

Translate

site design / logo © 2022 Grokbase