Dave Wolfe wrote:
>
> [ Noah White writes: ]
> >
> > I'm trying to set up a list from which only certain people can post
> > to. I set it up such that in the config file it looks for a file to get
> > a list of authorized addresses. In doing so I noticed that X-Sender
> > gets tacked on to the headers and that anyone with Netscape can forge
> > this address nullifying any protection this gives.
>
> Resend doesn't pay any attention to X-Sender.
>
> > So I decided to use the approval header as a further protection.
> > This works but I've come across a broader flaw in that in the Received
> > header shows what the outgoing alias is. Anyone who wishes to post to
> > the list could bypass the resend alias and go directly to the outgoing
> > aliases (which as I said is posted in the Received header). Thus
> > bypassing all checks.
>
> Note that if you put the Approval header in the body and don't provide a
> subsequent To header (in the body, separated from the real body by a
> blank line) you'll get Apparently-To headers. Stick with restrict_post.
>
> > Is there any way to protect from this?
>
> [ This is a canned message ]
>
> Here's how you hide your actual mail list alias from list spammers:

Thanks for the info but I think this still does not solve the problems
of the Received header showing what the outgoing list alias name is.

> 4. In the parameter file, specify more recipients than just the
> outgoing list alias, e.g.:
>
> -l testlist
> -h foo.bar.com
> testlist-uzpl,nobody

For instance the above would still produce a header which contained:

    Received:(from majordom@localhost) by myhost.com (8.7.5/8.7.3) id
    OAA08794 for testlist-uzpl; Tue, 24 Sep 1996 14:31:05-0400 (EDT)

Thus exposing the alias and allowing someone to directly mail it.
-Noah
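
An added example, not part of the original message or of Majordomo: a check a list administrator could run on a delivered copy of a list message to see whether any Received header names the hidden outgoing alias in a "for" clause. The sample message is constructed around the header quoted above; `leaked_aliases` and its parameters are hypothetical names.

```python
import email
import re

# Constructed sample: a delivered list message. The first Received header
# follows the one quoted in the message above; the second is made up.
SAMPLE = (
    "Received: (from majordom@localhost) by myhost.com (8.7.5/8.7.3) id\n"
    "\tOAA08794 for testlist-uzpl; Tue, 24 Sep 1996 14:31:05 -0400 (EDT)\n"
    "Received: from client.example by myhost.com (8.7.5/8.7.3) id\n"
    "\tOAA08790; Tue, 24 Sep 1996 14:31:01 -0400 (EDT)\n"
    "To: testlist@foo.bar.com\n"
    "Subject: test\n"
    "\n"
    "body\n"
)

COMMENT = re.compile(r"\([^()]*\)")
FOR_CLAUSE = re.compile(r"\bfor\s+<?([^\s;<>]+)>?", re.IGNORECASE)


def leaked_aliases(raw_message, hidden_aliases):
    """Return (alias, header) pairs for every Received header whose
    'for' clause names one of the aliases that should stay hidden."""
    msg = email.message_from_string(raw_message)
    hidden = {a.lower() for a in hidden_aliases}
    leaks = []
    for value in msg.get_all("Received", []):
        unfolded = " ".join(value.split())      # undo header folding
        stamp = unfolded.rsplit(";", 1)[0]      # drop the trailing date
        stamp = COMMENT.sub(" ", stamp)         # drop (comments)
        for addr in FOR_CLAUSE.findall(stamp):
            local = addr.split("@", 1)[0].lower()
            if local in hidden:
                leaks.append((local, unfolded))
    return leaks


if __name__ == "__main__":
    for alias, header in leaked_aliases(SAMPLE, ["testlist-uzpl"]):
        print("alias exposed:", alias)
        print("  in:", header)
```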