
List:       majordomo-users
Subject:    [majordomo-users] The daily digest for majordomo-users. V6 #313
From:       majordomo-users-owner () greatcircle ! com
Date:       2004-09-30 8:26:29
Message-ID: 20040930082643.4D86932C5CB () mycroft ! greatcircle ! com

The daily digest for majordomo-users. 
Volume 6 : Issue 313 : "text" Format

Messages in this Issue:
  Re: Problem with resend ?

----------------------------------------------------------------------

Date: Thu, 30 Sep 2004 00:11:25 -0400
From: Ruben Safir Secretary NYLXS <ruben@mrbrklyn.com>
To: Ruben Safir Secretary NYLXS <ruben@mrbrklyn.com>
Cc: majordomo-users@greatcircle.com
Subject: Re: Problem with resend ?
Message-ID: <20040930041125.GB4537@www2.mrbrklyn.com>

I found this in the FAQ (which needs a more step by step explanation BTW)

But this is not the problem I face.  Spammers send mail from what 
appears directly in the FROM line of the mail header which is the
incoming alias for the list

-------------------------------------------------------------------
3.6 - How can I restrict a list such that only subscribers can send mail to the list?
See the restrict_post variable in the config file. Just set it to the
filename that holds the list of subscribers, which is just simply the name
of the list. ("restrict-post = listname"). However, there is an issue to
keep in mind. Majordomo works by filtering the messages coming in through
the "listname" alias, doing its dirty work, then passing the resulting
message out to another alias you define like "listname-outgoing". If you
trust people to not send mail directly to the "listname-outgoing" alias,
then you'll be fine. If however you're not trusting, there are several
steps to make sure people don't bypass the restrictions of the list.

There are several methods. First you need to change your "listname-outgoing"
alias such that it is not obvious. (That means don't use something easy to
guess like "-outgoing" or "-list"). Next, you need to make it such that
people can't find out what your -outgoing alias is.

You can use the "@filename" directive of resend. Put all the normal
command-line options of resend into a file readable only by the majordomo
user/group. Then the alias for the list simply becomes
".../resend @/path/to/filename". This will make it such that you can't find
out the -outgoing address by connecting to your mailer and doing an EXPN or
VRFY. The "@filename" directive seems to have fallen into undocumentation
for some reason. This should be fixed in future releases. This doesn't
prevent a user reading the local /etc/aliases file (if they can), however.

Another approach is to simply disable EXPN or VRFY altogether. See the
documentation for your mailer on how to do this. In sendmail this is done by
adding "noexpn" to the "O PrivacyOptions=" line in your sendmail.cf
(multiple options are separated with a comma). However this doesn't prevent
a local user reading the aliases file. This isn't generally a problem if
your mail server is restricted to staff only users.

Unfortunately, Sendmail 8.x will log your -outgoing alias in the "Received:"
lines. To prevent this you need to specify more than one address for the
list name argument to resend. (for example
"mylist:|"/usr/local/lib/majordomo/wrapper resend -h foo.org -l mylist mylist-seekrit,nobody""
where nobody is an alias for /dev/null) For Sendmail 8.x you must not define
an alias 'owner-mylist-seekrit' to be something like 'owner-mylist,' (with
the comma). Otherwise sendmail will set the envelope address of outgoing
mail to contain your secret outgoing alias. Again if you're using the
@filename directive, the entire command line is simply put into the
specified file (starting with "-h foo.org ...").

Here's another creative idea from matt@primefactor.com (Matt Perry):

I've had a report that this no longer works with sendmail 8.9.1, but that it
does work with 8.9.3.

Sendmail allows you to rewrite incoming and outgoing addresses. The one that
handles incoming is virtualusertable.text. For a list called test with the
test-outgoing alias, I put the following into my virtualusertable.text file
and remade the db with the appropriate command:

    test-outgoing@mydomain.com      error:nouser User unknown

Sendmail can still get to the alias and expand it into the list of
recipients. However, any mail that appears at port 25 marked for
test-outgoing@mydomain.com will bounce back with "User unknown".

Finally it should be noted that it is impossible with any of these methods
above to prevent people from forging mail as someone who is subscribed to
the list, and sending to the list that way. Of course a spammer can also
subscribe to the list legitimately and then send spam. The restrict_post
option blocks the vast majority of problems, however.



		
On Wed, Sep 29, 2004 at 11:55:39PM -0400, Ruben Safir wrote:
> Hello
> 
> There has to be a way to secure majordomo from spam and hide alias address
> better than me constantly changing the alias name.
> 
> Is there a solution for this?
> 
> Ruben
> 
> -- 
> __________________________
> Brooklyn Linux Solutions
> 
> So many immigrant groups have swept through our town 
> that Brooklyn, like Atlantis, reaches mythological 
> proportions in the mind of the world  - RI Safir 1998
> 
> DRM is THEFT - We are the STAKEHOLDERS - RI Safir 2002
> http://fairuse.nylxs.com
> 
> http://www.mrbrklyn.com - Consulting
> http://www.inns.net <-- Happy Clients
> http://www.nylxs.com - Leadership Development in Free Software
> http://www2.mrbrklyn.com/resources - Unpublished Archive or stories and articles from around the net
> http://www2.mrbrklyn.com/downtown.html - See the New Downtown Brooklyn....

-- 
__________________________
Brooklyn Linux Solutions

So many immigrant groups have swept through our town 
that Brooklyn, like Atlantis, reaches mythological 
proportions in the mind of the world  - RI Safir 1998

DRM is THEFT - We are the STAKEHOLDERS - RI Safir 2002
http://fairuse.nylxs.com

http://www.mrbrklyn.com - Consulting
http://www.inns.net <-- Happy Clients
http://www.nylxs.com - Leadership Development in Free Software
http://www2.mrbrklyn.com/resources - Unpublished Archive or stories and articles from around the net
http://www2.mrbrklyn.com/downtown.html - See the New Downtown Brooklyn....


------------------------------

End of [majordomo-users] The daily digest for majordomo-users. V6 #313
**********
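
An added example, not part of the original message or of the Majordomo FAQ: a small Python audit of an aliases file for the exposures FAQ 3.6 describes (resend options inline in the alias, a guessable or single outgoing address, an owner- alias for the outgoing address). The sample aliases, the :include: paths and the function names `parse_aliases` and `audit` are constructed for illustration.

```python
import re
import shlex

GUESSABLE = ("-outgoing", "-list")  # suffixes the FAQ calls easy to guess

# Constructed sample aliases file (not from the original post).
SAMPLE = '''\
# constructed example
test: "|/usr/local/lib/majordomo/wrapper resend -h foo.org -l test test-outgoing"
test-outgoing: :include:/usr/local/lib/majordomo/lists/test
mylist: "|/usr/local/lib/majordomo/wrapper resend -h foo.org -l mylist mylist-seekrit,nobody"
mylist-seekrit: :include:/usr/local/lib/majordomo/lists/mylist
owner-mylist-seekrit: owner-mylist,
hidden: "|/usr/local/lib/majordomo/wrapper resend @/path/to/filename"
nobody: /dev/null
'''

def parse_aliases(text):
    """Return {alias: right-hand side}, skipping comments and blank lines."""
    aliases = {}
    for line in text.splitlines():
        if line.strip() and not line.lstrip().startswith("#") and ":" in line:
            name, rhs = line.split(":", 1)
            aliases[name.strip()] = rhs.strip().strip('"')
    return aliases

def audit(text):
    """Return sorted (alias, finding) pairs for aliases that pipe to resend."""
    aliases, findings = parse_aliases(text), []
    for name, rhs in aliases.items():
        if not re.search(r"\bresend\b", rhs):
            continue
        args = shlex.split(rhs.split("resend", 1)[1])
        if args and args[0].startswith("@"):
            continue  # options are in a file, so EXPN/VRFY cannot show them
        findings.append((name, "resend options inline in alias"))
        dests = args[-1].split(",") if args else []
        if len(dests) < 2:
            findings.append((name, "single destination: logged in Received:"))
        for d in dests:
            if d.endswith(GUESSABLE):
                findings.append((name, f"guessable outgoing alias {d}"))
            if f"owner-{d}" in aliases:
                findings.append((name, f"owner-{d} alias is defined"))
    return sorted(findings)

if __name__ == "__main__":
    for alias, finding in audit(SAMPLE):
        print(f"{alias}: {finding}")
```

The audit only sees what the aliases file itself exposes; options moved into an @filename file need that file's permissions checked separately.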

