>>>>> "tm" == toni mclennan <tonimac@beam.com.au> writes:
tm> Just so you are aware of this problem.... A spammer can post to a
tm> majordomo list by sending mail directly to the list-outgoing alias, and
tm> avoiding calling up the majordomo scripts altogether.

This is not an absolute. Of course it can be hidden well and this works
for most cases where you don't require absolute security. If you want
absolute security, you can play various tricks with the $mailer variable,
to do things like:

*) call sendmail with a separate aliases file, so that the outgoing alias
   is not available to normal sendmail invocations.

*) call something besides sendmail that can read the addresses from the
   file and pass them on appropriately. bulk_mailer can be made to do
   this. I wrote a package called TLB which can also do this, but I no
   longer support it. (I believe it was too difficult to configure, since
   it did much more than just eliminate outgoing aliases.)

I use the second method; my lists simply do not have outgoing aliases. The
rewrite of Majordomo that I am developing also doesn't have them.

tm> Any ideas, anyone?

The problem has been raised and solved long ago.

- J<
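
An added audit sketch for the exposure discussed in this thread (not code from the post, from Majordomo, or from TLB): it parses a sendmail-style aliases file and reports each list whose resend destination is also an alias that normal sendmail invocations can deliver to. The sample aliases, paths and host name are constructed, and treating resend's last argument as the outgoing address is an assumption about the local setup.

```python
import re
import shlex

# Constructed sample in the usual sendmail aliases layout (not from the post).
SAMPLE_ALIASES = '''\
majordomo: "|/usr/local/majordomo/wrapper majordomo"
staff: "|/usr/local/majordomo/wrapper resend -l staff
    -h lists.example.org staff-outgoing"
staff-outgoing: :include:/usr/local/majordomo/lists/staff
owner-staff: postmaster
# announce-out is deliberately absent: it lives in a separate aliases file
announce: "|/usr/local/majordomo/wrapper resend -l announce announce-out"
postmaster: root
'''


def parse_aliases(text):
    """Return {alias: [targets]}, honouring comments and continuation lines."""
    entries, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and current:
            entries[current] += " " + raw.strip()
            continue
        name, _, value = raw.partition(":")
        current = name.strip().lower()
        entries[current] = value.strip()
    pattern = r'"[^"]*"|[^,\s][^,]*'
    return {k: [t.strip().strip('"') for t in re.findall(pattern, v)]
            for k, v in entries.items()}


def exposed_outgoing(aliases):
    """Return (list alias, outgoing alias) pairs that bypass resend."""
    findings = []
    for name, targets in aliases.items():
        for target in targets:
            argv = shlex.split(target[1:]) if target.startswith("|") else []
            if "resend" not in argv:
                continue
            # Assumption: resend's final argument is the outgoing address.
            outgoing = argv[-1].split("@")[0].lower()
            if outgoing in aliases:
                findings.append((name, outgoing))
    return findings


if __name__ == "__main__":
    for lst, out in exposed_outgoing(parse_aliases(SAMPLE_ALIASES)):
        print(f"{lst}: '{out}' accepts mail directly, skipping resend checks")
```

A list that is not reported (here `announce`) has its outgoing address kept out of the main aliases file, which matches the first approach in the reply.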