On Sun, 13 Oct 2002 19:19:05 +0930 (CST) Michael Talbot-Wilson <mtw@birdseye.view.net.au> wrote:
> I have a list that has restrict_post set so that only members of the
> list can send messages to it.
>
> I am not a member, but I, and presumably any spammer, can send to the
> list via the $LIST-list alias. That is how easy it is to subvert
> restrict_post.
>
> I am wondering if others are doing something about this, for example,
> if it is not really normal practice to use "-list". Do you use some
> munged substitute instead?

a lot of folks munge the outbound addresses. if your MTA doesn't permit
other security measures, it's probably essential to do something like this.
it's security-by-obscurity, and it's often feasible for a member of the
list to figure out what the munged address is, but 99% of the subscribers
won't be able to figure it out.

on the other hand, some MTAs will permit you to take other measures which
are more reliable than munging the outbound addresses. i use exim, which
allows me to set up a separate alias file for the outbound addresses and
attach conditions to that separate alias file, prohibiting non-local access
to the aliases contained in it. other modern MTAs may be able to do the
same. i have little-to-no postfix experience, and no serious contact with
sendmail since about 1996.

i just wrote up a howto on majordomo & exim 4.x for exim folks. it is at
http://www.averillpark.net/exim/majordomo.html

richard
--
Richard Welty
rwelty@suespammers.org Averill Park Networking
rwelty@averillpark.net Unix, Linux, IP Network Engineering, Security
rwelty@krusty-motorsports.com 518-573-7592
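
An added example, not part of the original thread: a small audit that reads a sendmail-style aliases file and lists the outbound aliases that Majordomo's resend hands mail to after its restrict_post check, since those are the addresses that need munging or a local-only restriction in the MTA. The list names, paths and the munged suffix are constructed, and it assumes the outbound address is the last argument on the resend command line.

```python
import shlex

# Constructed sample aliases for two Majordomo lists (not from the thread).
SAMPLE_ALIASES = '''\
majordomo: "|/usr/lib/majordomo/wrapper majordomo"
chat: "|/usr/lib/majordomo/wrapper resend -l chat chat-list"
chat-list: :include:/usr/lib/majordomo/lists/chat
chat-request: "|/usr/lib/majordomo/wrapper request-answer chat"
owner-chat: postmaster
dev: "|/usr/lib/majordomo/wrapper resend -l dev dev-x7q2"
dev-x7q2: :include:/usr/lib/majordomo/lists/dev
'''

# Suffixes an outsider would try first.
PREDICTABLE = ("-list", "-outgoing")

def parse_aliases(text):
    """Return {alias: target} for single-line alias entries."""
    aliases = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, target = line.split(":", 1)
        aliases[name.strip().lower()] = target.strip().strip('"')
    return aliases

def outbound_aliases(aliases):
    """Find aliases that resend delivers to once restrict_post has passed.

    Mail addressed straight to one of these never goes through resend.
    Returns (list alias, outbound alias, name_is_predictable) tuples.
    """
    findings = []
    for name, target in aliases.items():
        argv = shlex.split(target.lstrip("|"))
        if "resend" not in argv:
            continue
        out = argv[-1].lower()  # assumption: last argument is the outbound alias
        if aliases.get(out, "").startswith(":include:"):
            guessable = out in {name + suffix for suffix in PREDICTABLE}
            findings.append((name, out, guessable))
    return findings

if __name__ == "__main__":
    for lst, out, guessable in outbound_aliases(parse_aliases(SAMPLE_ALIASES)):
        kind = "predictable name" if guessable else "munged name"
        print(f"{lst}: outbound alias {out!r} ({kind}); restrict to local submission")
```

Both lists are reported, because a munged name only makes the alias harder to guess; the alias is still deliverable from outside unless the MTA refuses non-local mail for it.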