Great Circle Associates Majordomo-Users
(October 2002)
 


Subject: Re: Sending to *-list alias
From: Chip Old <fold @ bcpl . net>
Date: Sun, 13 Oct 2002 10:57:50 -0400 (EDT)
To: Majordomo-Users <Majordomo-users @ greatcircle . com>
In-reply-to: <Pine.LNX.4.44.0210131902050.4166-100000@chameleon.view.net.au>

On Sun, 13 Oct 2002, Michael Talbot-Wilson wrote to Majordomo Users:

> I have a list that has restrict_post set so that only members of the
> list can send messages to it.
>
> I am not a member, but I, and presumably any spammer, can send to the
> list via the $LIST-list alias.  That is how easy it is to subvert
> restrict_post.
>
> I am wondering if others are doing something about this, for example, if
> it is not really normal practice to use "-list".  Do you use some munged
> substitute used instead?

There are several things you need to do.  The details depend somewhat on
what MTA you use, but the following assumes you use Sendmail.  Let's
assume the list is "pcusers@abc.com".

1) The "-list" alias doesn't have to be "-list", it can be anything.  One
approach is to name it something that isn't so obvious.  This isn't
limited to Sendmail systems.

2) No matter what you name that alias, you also need to prevent it from
appearing in the full headers of list messages.  Instead of something like
this:

pcusers: "|/usr/local/majordomo/wrapper resend -l pcusers pcusers-list"

Do this instead:

pcusers: "|/usr/local/majordomo/wrapper resend -l pcusers pcusers-list,nobody"

When the alias is expanded, the latter form will prevent "pcusers-list"
from appearing in the header.

3) If you use Sendmail's "virtusertable" feature, you should add an entry
like this for each of your Majordomo lists:

pcusers-list@abc.com   error:nouser User unknown

Then if someone tries to send to your "-list" alias (or whatever you
called it), Sendmail will reject the message.  However this DOES NOT
prevent normal alias expansion, so messages sent to the correct list
address (pcusers@abc.com) will still go through.

See /cf/README in your Sendmail source distribution for details on
virtusertable.

If you set up your list as a closed list (using restrict_post) plus the
measures described above, it will be very difficult for a non-subscriber
to post to your list.

-- 
Chip Old (Francis E. Old)             E-Mail:  fold@bcpl.net
Manager, BCPL Network Services        Phone:   410-887-6180
Manager, BCPL.NET Internet Services   FAX:     410-887-2091
320 York Road
Towson, MD 21204  USA
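
An added example, not part of the original message or of Majordomo: a small audit that reads an aliases file and the virtusertable source and reports lists still missing measure 2 (",nobody") or measure 3 (the error:nouser entry). The function names, the second list "staff" and the sample data are constructed for illustration; it assumes the resend alias has the form shown in the message, with the outgoing alias as the last argument.

```python
import re

# Resend alias as shown in the post, e.g.
#   pcusers: "|/usr/local/majordomo/wrapper resend -l pcusers pcusers-list,nobody"
RESEND = re.compile(r'^([^\s:#]+):\s*"?\|\S*wrapper\s+resend\s+([^"]*)"?\s*$')

def resend_aliases(aliases_text):
    """Return {list_name: [outgoing targets]} for each resend alias."""
    found = {}
    for line in aliases_text.splitlines():
        m = RESEND.match(line.strip())
        if m and m.group(2).split():
            # The last argument is the comma-separated outgoing address list.
            found[m.group(1)] = [t for t in m.group(2).split()[-1].split(",") if t]
    return found

def virtusertable(text):
    """Return {address: right-hand side} from virtusertable source text."""
    table = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and not parts[0].startswith("#"):
            table[parts[0].lower()] = parts[1]
    return table

def audit(aliases_text, virtuser_text, domain):
    """Report lists missing measure 2 (',nobody') or measure 3 (error entry)."""
    vut = virtusertable(virtuser_text)
    findings = []
    for name, targets in sorted(resend_aliases(aliases_text).items()):
        if "nobody" not in targets:
            findings.append(f"{name}: resend target lacks ',nobody'")
        for out in (t for t in targets if t != "nobody"):
            addr = f"{out}@{domain}".lower()
            if not vut.get(addr, "").startswith("error:nouser"):
                findings.append(f"{name}: no virtusertable error entry for {addr}")
    return findings

# Constructed sample data (hypothetical second list "staff"), not real config.
SAMPLE_ALIASES = '''
pcusers: "|/usr/local/majordomo/wrapper resend -l pcusers pcusers-list"
staff: "|/usr/local/majordomo/wrapper resend -l staff staff-out7,nobody"
pcusers-list: :include:/usr/local/majordomo/lists/pcusers
'''
SAMPLE_VIRTUSER = "staff-out7@abc.com   error:nouser User unknown\n"

if __name__ == "__main__":
    for finding in audit(SAMPLE_ALIASES, SAMPLE_VIRTUSER, "abc.com"):
        print(finding)
```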


