Great Circle Associates Majordomo-Users
(February 1997)
 


Subject: Re: How "secure" are moderated lists?
From: Dave Wolfe <dwolfe @ risc . sps . mot . com>
Date: Fri, 7 Feb 1997 08:54:26 -0600 (CST)
To: a . fathers @ uws . edu . au (Tony Fathers)
Cc: majordomo-users @ GreatCircle . COM
In-reply-to: <3.0.1.16.19970207100522.32377ce0@hotel.uws.edu.au> from "Tony Fathers" at Feb 7, 97 10:05:22 am
Reply-to: Dave Wolfe <david_wolfe @ risc . sps . mot . com>

[ Tony Fathers writes: ]
> 
> I ran a little test to see if it was possible to bypass the moderation for
> a list.  It was.  How?  Easy.
[...]
> Does this mean we are doing something wrong?  Is there really a big hole
> here?  Does 1.94.1 overcome the problem?

Probably the best way is to do away with the "outgoing" alias altogether
by using Jason's TLB, but here's the traditional way:

[ This is canned message hide Sun Sep 24 15:32:30 CDT 1995 ]

Here's how you hide your actual mail list alias from list spammers:

1.  Pick a non-obvious outgoing list alias name, e.g. "testlist-uzpl"
    instead of "testlist-outgoing".

2.  Turn off EXPN and VRFY in sendmail.cf (Opnoexpn,novrfy).

3.  Use a parameter file for resend parameters:

	testlist: "|/.../wrapper resend @/.../testlist.parms"

4.  In the parameter file, specify more recipients than just the
    outgoing list alias, e.g.:

	-l testlist
	-h foo.bar.com
	testlist-uzpl,nobody

    (Don't forget to alias "nobody" to /dev/null.)

5.  Don't allow any more file permissions than absolutely necessary on
    any of the Mj files and/or don't allow user logons on the Mj server
    machine and don't export the file system where the Mj files live.
    I.e., is it *really* necessary to have world read permissions on
    anything but the subscriber list file itself? I get along fine with
    0660 on all the list.* files and 0664 on the list files.

-- 
 Dave Wolfe
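
Added example, not part of the original message and not Majordomo code: a Python audit that checks an aliases file, sendmail.cf and file modes against steps 1, 2, 3 and 5 above. The function names are hypothetical, and the sample aliases, sendmail.cf line, file names and modes are constructed for illustration.

```python
import posixpath
import re

def audit_aliases(aliases_text):
    """Steps 1 and 3: guessable outgoing alias names, resend without @file."""
    findings = []
    for line in aliases_text.splitlines():
        name, sep, target = line.strip().partition(":")
        if not sep or name.startswith("#"):
            continue
        name = name.strip().lower()
        if name.endswith("-outgoing"):
            findings.append(f"guessable outgoing alias: {name}")
        # Without an @file argument the resend options, including the real
        # outgoing alias, sit in the aliases file itself.
        if re.search(r"\bresend\b", target) and not re.search(r"\bresend\s+@\S", target):
            findings.append(f"resend for {name} has no parameter file")
    return findings

def audit_sendmail_cf(cf_text):
    """Step 2: both noexpn and novrfy must appear in the privacy options."""
    opts = set()
    for line in cf_text.splitlines():
        # Long form (O PrivacyOptions=...) or old single-letter form (Op...).
        m = re.match(r"O\s*PrivacyOptions\s*=(.*)", line) or re.match(r"Op(.*)", line)
        if m:
            opts.update(re.split(r"[,\s]+", m.group(1).strip().lower()))
    return [f"sendmail.cf lacks {o}" for o in ("noexpn", "novrfy") if o not in opts]

def audit_modes(modes):
    """Step 5: list.* files get no 'other' bits; list files no world write."""
    findings = []
    for path, mode in modes.items():
        mask = 0o007 if "." in posixpath.basename(path) else 0o002
        if mode & mask:
            findings.append(f"{path} too permissive: {mode & 0o777:04o}")
    return findings

# Constructed sample input, not taken from a real host.
ALIASES = '''\
testlist: "|/.../wrapper resend -l testlist -h foo.bar.com testlist-outgoing"
testlist-outgoing: :include:/.../testlist
hidden: "|/.../wrapper resend @/.../hidden.parms"
hidden-uzpl: :include:/.../hidden
'''
SENDMAIL_CF = "Opnoexpn\n"
MODES = {"/.../testlist": 0o664, "/.../testlist.config": 0o644, "/.../testlist.passwd": 0o660}

if __name__ == "__main__":
    for f in audit_aliases(ALIASES) + audit_sendmail_cf(SENDMAIL_CF) + audit_modes(MODES):
        print(f)
```

On a live host, the `modes` mapping can be built from `os.stat(path).st_mode` for each file in the lists directory.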

