Beau Barnhart wrote:
We have been asked by mail-abuse.org to make changes to the configuration
of one of our servers. The following is their request...

Actually, the request understates the problem. See below.

-- message from mail-abuse.org ----------

Currently, when messages arrive at your mail server it runs them through
SpamAssassin, which checks for spam and tags them. Your mail server then
passes this tagged message to mailman.

Because it is to a -request address, mailman "knows" that these messages
should contain commands. It ignores the fact that SpamAssassin has
already tagged it (Subject: {Definitely Spam?}), and looks through every
line looking for a "subscribe", "unsubscribe" or other command.

Of course, it doesn't find one. So, it builds up a helpful reply, sets
the X-Administrivia header to yes, and appends the original message, and
forwards this to the From: address.

Except that the From: address is forged, so the message, and its spam
payload, get sent to an innocent third party.

And, this would occur even if spamassassin/MailScanner/whatever didn't
tag the subject. In fact, if the message is truly spam with a forged
From:, the likelihood that the subject contained a valid command
before tagging is small. And even if it did contain a valid command,
there is normally some reply from Mailman to the (forged) sender in
any case.

This backscatter problem is well known, and it is a serious issue.
Mailman 3 will address this to some degree.

Please properly configure your mailing list software to send list
administrivia _only_ to a local administrator, or configure it not to send
to forged From: addresses. In general, there is no need for "list
administrivia" - it was an artifact of some of the original list
management software. It does not serve a useful purpose today.


Actually we use administrivia in custom scripts and don't want to disable
it. We even have members that still use the request commands.

I've searched the mailman wiki as well as the mailman-users archive and
have not been able to find how to configure the administrivia recipient.

Any help would be appreciated.

There's not much you can do in Mailman 2.1.x, at least as far as
configuration options go. You can disable the administrative
addresses, but you say you don't want to do that. Changing the
disposition of replies or their content requires code modification.

I really should implement a site option to not include original message
content in auto responses. I meant to do it before now, but haven't.
Maybe I can get to it for 2.1.15.

For more on this issue, see the thread "before next release: disable
backscatter in default installation" beginning at

One thing you can do is configure your MTA to not accept likely spam at
SMTP time or simply discard (not reject) it if it was already
accepted, or maybe do this only for Mailman recipient addresses if you
don't want to do it universally. If you use MailScanner, it shouldn't
be too difficult to concoct an appropriate rule set for this.

Mark Sapiro <mark at msapiro.net>
San Francisco Bay Area, California
The highway is for gamblers, better use your sense - B. Dylan
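As an added illustration of the approach Mark describes (drop, don't bounce, spam-tagged mail aimed at Mailman's -request addresses before Mailman can build an auto-reply to the forged From:), here is a small pre-delivery filter. It is example code written for this page, not code from the thread, from Mailman or from MailScanner; it keys on the "{Definitely Spam?}" Subject tag quoted above and, as an assumption about the site's setup, on SpamAssassin's X-Spam-Flag header. The messages it is run against are constructed samples.

```python
"""Pre-Mailman filter: decide per recipient whether a message may reach
Mailman or should be silently discarded to avoid backscatter.
Example code for this thread, not part of Mailman."""
import email
from email import policy

SPAM_SUBJECT_TAG = "{Definitely Spam?}"   # tag quoted in the thread
COMMAND_SUFFIXES = ("-request",)          # Mailman command address from the thread


def is_command_address(recipient: str) -> bool:
    """True for addresses Mailman treats as command (administrivia) addresses."""
    local_part = recipient.split("@", 1)[0].lower()
    return local_part.endswith(COMMAND_SUFFIXES)


def is_spam_tagged(msg) -> bool:
    """True if the scanner tagged the Subject or set X-Spam-Flag (assumption:
    the site's SpamAssassin adds that header; it is not mentioned in the thread)."""
    subject = str(msg.get("Subject", ""))
    if SPAM_SUBJECT_TAG.lower() in subject.lower():
        return True
    return str(msg.get("X-Spam-Flag", "")).strip().upper() == "YES"


def disposition(raw: bytes, recipient: str) -> str:
    """Return 'discard' or 'deliver' for one envelope recipient.
    'discard' means drop silently: a reject/bounce would itself be sent to
    the forged From: address, which is exactly the backscatter to avoid."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    if is_command_address(recipient) and is_spam_tagged(msg):
        return "discard"
    return "deliver"   # ordinary list traffic stays with Mailman's own moderation


# Constructed sample messages (not real mail).
SPAM_TO_REQUEST = (b"From: innocent@example.net\n"        # forged sender
                   b"To: mylist-request@example.com\n"
                   b"Subject: {Definitely Spam?} sample spam subject\n"
                   b"X-Spam-Flag: YES\n\nsample spam body\n")
LEGIT_COMMAND = (b"From: member@example.org\n"
                 b"To: mylist-request@example.com\n"
                 b"Subject: unsubscribe\n\nunsubscribe\n")
SPAM_TO_LIST = (b"From: innocent@example.net\n"
                b"To: mylist@example.com\n"
                b"Subject: {Definitely Spam?} sample spam subject\n\nsample spam body\n")

if __name__ == "__main__":
    print(disposition(SPAM_TO_REQUEST, "mylist-request@example.com"))  # discard
    print(disposition(LEGIT_COMMAND, "mylist-request@example.com"))    # deliver
    print(disposition(SPAM_TO_LIST, "mylist@example.com"))              # deliver
```

Where Mark's first option (refusing likely spam at SMTP time) is available, it is preferable, since the mail is never accepted and nothing needs to be discarded.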

Group: mailman-users
Posted: Feb 1, '11 at 11:45p