On Sun, 13 Oct 2002, Michael Talbot-Wilson wrote to Majordomo Users:
> I have a list that has restrict_post set so that only members of the
> list can send messages to it.
>
> I am not a member, but I, and presumably any spammer, can send to the
> list via the $LIST-list alias. That is how easy it is to subvert
>
> I am wondering if others are doing something about this, for example, if
> it is not really normal practice to use "-list". Do you use some munged
> substitute instead?

There are several things you need to do. The details depend somewhat on
what MTA you use, but the following assumes you use Sendmail. Let's
assume the list is "email@example.com".

1) The "-list" alias doesn't have to be "-list", it can be anything. One
approach is to name it something that isn't so obvious. This isn't
limited to Sendmail systems.

2) No matter what you name that alias, you also need to prevent it from
appearing in the full headers of list messages. Instead of something like

    pcusers: "|/usr/local/majordomo/wrapper resend -l pcusers pcusers-list"

Do this instead:

    pcusers: "|/usr/local/majordomo/wrapper resend -l pcusers pcusers-list,nobody"

When the alias is expanded, the latter form will prevent "pcusers-list"
from appearing in the header.

3) If you use Sendmail's "virtusertable" feature, you should add an entry
like this for each of your Majordomo lists:

    firstname.lastname@example.org error:nouser User unknown

Then if someone tries to send to your "-list" alias (or whatever you
called it), Sendmail will reject the message. However this DOES NOT
prevent normal alias expansion, so messages sent to the correct list
address (email@example.com) will still go through.

See /cf/README in your Sendmail source distribution for details on

If you set up your list as a closed list (using restrict_post) plus the
measures described above, it will be very difficult for a non-subscriber
to post to your list.

Chip Old (Francis E. Old) E-Mail: firstname.lastname@example.org
Manager, BCPL Network Services Phone: 410-887-6180
Manager, BCPL.NET Internet Services FAX: 410-887-2091
320 York Road
Towson, MD 21204 USA
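
The following audit sketch is an added example, not part of the original message or of Majordomo. It checks an aliases file and a virtusertable for the two measures in steps 2 and 3 above; the sample file contents, the "staff" list and the lists.example domain are constructed for illustration.

```python
import shlex

# Constructed sample data (not from the original message); lists.example is a placeholder.
ALIASES = '''\
pcusers: "|/usr/local/majordomo/wrapper resend -l pcusers pcusers-list,nobody"
pcusers-list: :include:/usr/local/majordomo/lists/pcusers
staff: "|/usr/local/majordomo/wrapper resend -l staff staff-list"
staff-list: :include:/usr/local/majordomo/lists/staff
'''
VIRTUSERTABLE = '''\
pcusers-list@lists.example    error:nouser User unknown
'''

def resend_aliases(aliases_text):
    """Yield (list_alias, outgoing_recipients) for aliases piping to 'wrapper resend'."""
    # Assumes one alias per line; continuation lines are not handled.
    for line in aliases_text.splitlines():
        name, _, value = line.strip().partition(":")
        value = value.strip().strip('"')
        if name.startswith("#") or not value.startswith("|"):
            continue
        argv = shlex.split(value[1:])
        if len(argv) >= 2 and argv[1] == "resend":
            yield name.strip(), argv[-1].split(",")

def rejected_addresses(virtuser_text):
    """Return the local parts that virtusertable maps to an error: entry."""
    out = set()
    for line in virtuser_text.splitlines():
        fields = line.split(None, 1)
        if len(fields) == 2 and fields[1].startswith("error:"):
            out.add(fields[0].split("@", 1)[0].lower())
    return out

def audit(aliases_text, virtuser_text):
    """Return (list, outgoing_alias, problem) for each missing measure."""
    rejected = rejected_addresses(virtuser_text)
    findings = []
    for name, recipients in resend_aliases(aliases_text):
        outgoing = recipients[0]
        if "nobody" not in recipients[1:]:
            findings.append((name, outgoing, "no ',nobody' after outgoing alias"))
        if outgoing.lower() not in rejected:
            findings.append((name, outgoing, "no virtusertable error: entry"))
    return findings

if __name__ == "__main__":
    for finding in audit(ALIASES, VIRTUSERTABLE):
        print(*finding, sep=": ")
```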