On Mon, Apr 05, 1999 at 11:41:35AM -0500, "Jennifer L. Snell" <jennifer_snell@email.msn.com> wrote:
> Last week, we had an interesting experience with our Majordomo lists when a
> sensitive email was accidentally directed out to one of the majordomo
> aliases.
Lucky you. Two weekends ago a mailing list which I host was spammed. It
has 46,000 subscribers. I'm still getting complaints.
> I'm up in arms about what happened here. I've worked with Majordomo for
> three years now and I KNOW that the list config file is right. Does anybody
> know of a bug in Majordomo or some sort of a hack that can get around the
> security features?
Sure - send email direct to the -outgoing alias. There's no protection on
it at all (unless you obfuscate it by calling it something else, but it's
still going to appear in the Received headers if you're using sendmail,
and security by obscurity isn't really security). There is no Majordomo
protection on -outgoing aliases, at all, period. This is one of the
problems which is being addressed in the new version of Majordomo
currently under development.
I'm (now) protecting my lists' -outgoing aliases using Postfix as my MTA
with PCRE (Perl Compatible Regular Expressions) support. This lets me
tell the mail server to reject all email to addresses which end in -out or
-outgoing for my domains with the message "550 Use [list]@[domain] instead.".
There may be some way to do this in sendmail, but I'd switched to Postfix
anyways because it's faster.
Bryan
--
Bryan Fullerton http://www.samurai.com/
Owner, Lead Consultant http://www.feh.net/
Samurai Consulting http://www.icomm.ca/
"No, we don't do seppuku." Can you feel the Ohmu call?
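
The recipient check described in the message above, modelled in Python as an added example; it is not part of the original post and not the poster's Postfix configuration. The domain names, function names and sample addresses are constructed assumptions.

```python
import re

# Assumption: the domains this server hosts lists for (constructed values).
PROTECTED_DOMAINS = ("lists.example.com", "example.org")

# Local part ending in "-out" or "-outgoing" at a protected domain.
# The list name is captured so the reply can point at the public address.
_OUTGOING = re.compile(
    r"^(?P<list>[^@\s]+)-(?:out|outgoing)@(?P<domain>%s)$"
    % "|".join(re.escape(d) for d in PROTECTED_DOMAINS),
    re.IGNORECASE,
)


def check_recipient(rcpt):
    """Return the SMTP rejection line for a distribution alias, else None."""
    m = _OUTGOING.match(rcpt.strip().strip("<>"))
    if m is None:
        return None
    return "550 Use %s@%s instead." % (
        m.group("list").lower(),
        m.group("domain").lower(),
    )


def filter_rcpts(recipients):
    """Split envelope recipients into (accepted, {rejected_address: reply})."""
    accepted, rejected = [], {}
    for rcpt in recipients:
        reply = check_recipient(rcpt)
        if reply is None:
            accepted.append(rcpt)
        else:
            rejected[rcpt] = reply
    return accepted, rejected


if __name__ == "__main__":
    # Constructed envelope: one public list address, two distribution aliases,
    # one ordinary mailbox that merely ends in "out", one foreign domain.
    sample = [
        "announce@lists.example.com",
        "announce-outgoing@lists.example.com",
        "<Dev-OUT@Example.ORG>",
        "checkout@example.org",
        "announce-outgoing@other.example.net",
    ]
    ok, bad = filter_rcpts(sample)
    print("accepted:", ok)
    for addr, reply in bad.items():
        print("rejected:", addr, "->", reply)
```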