List: majordomo-users
Subject: [majordomo-users] The daily digest for majordomo-users. V6 #313
From: majordomo-users-owner () greatcircle ! com
Date: 2004-09-30 8:26:29
Message-ID: 20040930082643.4D86932C5CB () mycroft ! greatcircle ! com
The daily digest for majordomo-users.
Volume 6 : Issue 313 : "text" Format
Messages in this Issue:
Re: Problem with resend ?
----------------------------------------------------------------------
Date: Thu, 30 Sep 2004 00:11:25 -0400
From: Ruben Safir Secretary NYLXS <ruben@mrbrklyn.com>
To: Ruben Safir Secretary NYLXS <ruben@mrbrklyn.com>
Cc: majordomo-users@greatcircle.com
Subject: Re: Problem with resend ?
Message-ID: <20040930041125.GB4537@www2.mrbrklyn.com>
I found this in the FAQ (which needs a more step by step explanation BTW)
But this is not the problem I face. Spammers send mail from what
appears directly in the FROM line of the mail header which is the
incoming alias for the list
-------------------------------------------------------------------
3.6 - How can I restrict a list such that only subscribers can send mail to the list?
See the restrict_post variable in the config file. Just set it to the filename that
holds the list of subscribers, which is just simply the name of the list.
("restrict-post = listname"). However, there is an issue to keep in mind. Majordomo
works by filtering the messages coming in through the "listname" alias, doing its
dirty work, then passing the resulting message out to another alias you define like
"listname-outgoing". If you trust people to not send mail directly to the
"listname-outgoing" alias, then you'll be fine. If however you're not trusting, there
are several steps to make sure people don't bypass the restrictions of the list.
There are several methods. First you need to change your "listname-outgoing" alias
such that it is not obvious. (That means don't use something easy to guess like
"-outgoing" or "-list"). Next, you need to make it such that people can't find out
what your -outgoing alias is.
You can use the "@filename" directive of resend. Put all the normal command-line
options of resend into a file readable only by the majordomo user/group. Then the
alias for the list simply becomes ".../resend @/path/to/filename". This will make it
such that you can't find out the -outgoing address by connecting to your mailer and
doing an EXPN or VRFY. The "@filename" directive seems to have fallen into
undocumentation for some reason. This should be fixed in future releases. This
doesn't prevent a user reading the local /etc/aliases file (if they can), however.
Another approach is to simply disable EXPN or VRFY altogether. See the documentation
for your mailer on how to do this. In sendmail this is done by adding "noexpn" to the
"O PrivacyOptions=" line in your sendmail.cf (multiple options are separated with a
comma). However this doesn't prevent a local user reading the aliases file. This
isn't generally a problem if your mail server is restricted to staff only users.
Unfortunately, Sendmail 8.x will log your -outgoing alias in the "Received:" lines.
To prevent this you need to specify more than one address for the list name argument
to resend. (for example "mylist:|"/usr/local/lib/majordomo/wrapper resend -h foo.org
-l mylist mylist-seekrit,nobody"" where nobody is an alias for /dev/null) For
Sendmail 8.x you must not define an alias 'owner-mylist-seekrit' to be something like
'owner-mylist,' (with the comma). Otherwise sendmail will set the envelope address of
outgoing mail to contain your secret outgoing alias. Again if you're using the
@filename directive, the entire command line is simply put into the specified file
(starting with "-h foo.org ...").
Here's another creative idea from matt@primefactor.com (Matt Perry):
I've had a report that this no longer works with sendmail 8.9.1, but that it does
work with 8.9.3.
Sendmail allows you to rewrite incoming and outgoing addresses. The one that
handles incoming is virtualusertable.text. For a list called test with the
test-outgoing alias, I put the following into my virtualusertable.text file and
remade the db with the appropriate command:
test-outgoing@mydomain.com error:nouser User unknown
Sendmail can still get to the alias and expand it into the list of recipients.
However, any mail that appears at port 25 marked for test-outgoing@mydomain.com will
bounce back with "User unknown".
Finally it should be noted that it is impossible with any of these methods above to
prevent people from forging mail as someone who is subscribed to the list, and
sending to the list that way. Of course a spammer can also subscribe to the list
legitimately and then send spam. The restrict_post option blocks the vast majority of
problems, however.
On Wed, Sep 29, 2004 at 11:55:39PM -0400, Ruben Safir wrote:
> Hello
>
> There has to be a way to secure majordomo from spam and hide alias address
> better than me constantly changing the alias name.
>
> Is there a solution for this?
>
> Ruben
>
> --
> __________________________
> Brooklyn Linux Solutions
>
> So many immigrant groups have swept through our town
> that Brooklyn, like Atlantis, reaches mythological
> proportions in the mind of the world - RI Safir 1998
>
> DRM is THEFT - We are the STAKEHOLDERS - RI Safir 2002
> http://fairuse.nylxs.com
>
> http://www.mrbrklyn.com - Consulting
> http://www.inns.net <-- Happy Clients
> http://www.nylxs.com - Leadership Development in Free Software
> http://www2.mrbrklyn.com/resources - Unpublished Archive or stories and articles from around the net
> http://www2.mrbrklyn.com/downtown.html - See the New Downtown Brooklyn....
--
__________________________
Brooklyn Linux Solutions
So many immigrant groups have swept through our town
that Brooklyn, like Atlantis, reaches mythological
proportions in the mind of the world - RI Safir 1998
DRM is THEFT - We are the STAKEHOLDERS - RI Safir 2002
http://fairuse.nylxs.com
http://www.mrbrklyn.com - Consulting
http://www.inns.net <-- Happy Clients
http://www.nylxs.com - Leadership Development in Free Software
http://www2.mrbrklyn.com/resources - Unpublished Archive or stories and articles from around the net
http://www2.mrbrklyn.com/downtown.html - See the New Downtown Brooklyn....
------------------------------
End of [majordomo-users] The daily digest for majordomo-users. V6 #313
**********
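The hiding steps in the quoted FAQ, written as a local check over an aliases file and a sendmail.cf. This is an added example, not part of the digest, the FAQ or Majordomo. The function names, the sample file contents and the /etc/majordomo/mylist.args path are constructed; "novrfy" is sendmail's PrivacyOptions flag for VRFY, which the FAQ mentions disabling without naming the flag, and one alias per line is assumed.

```shell
#!/bin/sh
# Added example: audit aliases and sendmail.cf for the exposures the FAQ lists.
# Function names are hypothetical; assumes one alias per line (no continuations).

# audit_aliases FILE: report resend aliases that expose the distribution alias.
audit_aliases() {
    awk '
    /^[ \t]*#/ { next }                      # skip comments
    { name = $0; sub(/:.*/, "", name); gsub(/[ \t]/, "", name) }
    /resend/ && $0 !~ /resend[ \t]+@/ {
        print "WARN " name ": resend options inline; use resend @/path/to/filename"
    }
    /^[^:]+-(outgoing|list)[ \t]*:/ {
        print "WARN " name ": guessable distribution alias name"
    }' "$1"
}

# audit_privacy FILE: check the "O PrivacyOptions=" line for noexpn and novrfy.
audit_privacy() {
    opts=$(sed -n 's/^O[[:space:]]*PrivacyOptions=//p' "$1" | tr -d ' \t')
    for want in noexpn novrfy; do
        case ",$opts," in
            *",$want,"*) ;;
            *) echo "WARN PrivacyOptions: $want not set" ;;
        esac
    done
}

# Constructed sample input (not taken from a real host).
demo() {
    d=$(mktemp -d) || return 1
    cat > "$d/aliases" <<'EOF'
test: "|/usr/local/lib/majordomo/wrapper resend -h foo.org -l test test-outgoing"
test-outgoing: :include:/usr/local/lib/majordomo/lists/test
mylist: "|/usr/local/lib/majordomo/wrapper resend @/etc/majordomo/mylist.args"
mylist-seekrit: :include:/usr/local/lib/majordomo/lists/mylist
EOF
    printf 'O PrivacyOptions=authwarnings,noexpn\n' > "$d/sendmail.cf"
    audit_aliases "$d/aliases"
    audit_privacy "$d/sendmail.cf"
    rm -rf "$d"
}
demo
```

As the FAQ itself notes, a clean result here says nothing about forged subscriber addresses or local users who can read the aliases file.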