Mark is right. The spamming process was to scrape the listinfo page and locate the "list is run by" line and then de-obfuscate the "j.knight at keele.ac.uk" into "j.kni...@keele.ac.uk". Then an email was faked using j.kni...@keele.ac.uk as the sender to see if the list is either unmoderated or whether the administrator had set their own email address as unmoderated on a moderated list.

There's not a lot that can be done to protect against that other than changing the "list is run by" so that the administrator's real email address isn't obvious.

Jon.

On 15 May 2017 at 23:19, Barry Warsaw <ba...@list.org> wrote:

> On May 15, 2017, at 11:03 AM, Mark Sapiro wrote:
>
> >It's not done in Mailman 3.
> >
> >For mailman 2.1, the administrator email addresses are a mailto: link that
> >goes to the LISTNAME-owner address, but the email addresses are exposed and
> >only mildly obfuscated ('@' -> ' at ').
> >
> >I would consider adding a configuration option to either obfuscate the
> >addresses further (e.g. drop the domain entirely) or replace the text with
> >something like "Listname list run by listname-ow...@example.com".
>
> I'm a little confused by the OP. Is it:
>
> 1) A message to the posting address From: listname-ow...@example.com is not
> being moderated? I would expect it to be since that address is not a member
> of the list.
>
> 2) Emailing To: listname-ow...@example.com directly which would end up
> spamming the list owners?
>
> MM3 doesn't currently moderate messages sent to the list owners, but it
> could. Messages to -owners flow through a different, shorter chain of rules
> and pipeline, but I've always thought that that would be configurable.
>
> -Barry
> _______________________________________________
> Mailman-Developers mailing list
> Mailman-Developers@python.org
> https://mail.python.org/mailman/listinfo/mailman-developers
> Mailman FAQ: http://wiki.list.org/x/AgA3
> Searchable Archives: http://www.mail-archive.com/mailman-developers%40python.org/
> Unsubscribe: https://mail.python.org/mailman/options/mailman-developers/j.knight%40keele.ac.uk
>
> Security Policy: http://wiki.list.org/x/QIA9

--
Jonathan Knight
IT Services
Keele University
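
An added example (not part of the thread and not Mailman code): a small audit that flags owner addresses which are both readable from the "list run by" text and allowed to post without moderation, comparing the ' at ' rendering with the two alternatives suggested in the quoted message. The `ListConfig` model, its field names, the mode names and the addresses are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class ListConfig:
    """Hypothetical model of a list's settings; not Mailman's own classes."""
    name: str
    domain: str
    owners: list
    # Addresses whose posts bypass moderation (assumed field name).
    unmoderated_senders: set = field(default_factory=set)


def render_run_by(cfg, mode):
    """Render the listinfo 'list run by' text under one display mode."""
    if mode == "at":              # Mailman 2.1 behaviour: '@' -> ' at '
        shown = [o.replace("@", " at ") for o in cfg.owners]
    elif mode == "drop_domain":   # suggested: drop the domain entirely
        shown = [o.split("@", 1)[0] for o in cfg.owners]
    elif mode == "owner_alias":   # suggested: show only LISTNAME-owner
        shown = ["%s-owner@%s" % (cfg.name, cfg.domain)]
    else:
        raise ValueError("unknown mode: %r" % mode)
    return "%s list run by %s" % (cfg.name, ", ".join(shown))


def exposed_owners(cfg, mode):
    """Owner addresses a page reader can recover in full from the text."""
    text = render_run_by(cfg, mode).lower()
    found = set()
    for owner in cfg.owners:
        addr = owner.lower()
        if addr in text or addr.replace("@", " at ") in text:
            found.add(addr)
    return found


def audit(cfg, mode):
    """Owners that are visible on listinfo AND can post unmoderated."""
    unmoderated = {a.lower() for a in cfg.unmoderated_senders}
    return sorted(exposed_owners(cfg, mode) & unmoderated)


# Constructed sample: alice has exempted her own address from moderation.
SAMPLE = ListConfig("demo", "lists.example.org",
                    ["alice@example.org", "bob@example.org"],
                    {"alice@example.org"})

if __name__ == "__main__":
    for m in ("at", "drop_domain", "owner_alias"):
        print(m, "->", render_run_by(SAMPLE, m), "| at risk:", audit(SAMPLE, m))
```

Any address the audit reports is one whose forged `From:` header would reach the list unmoderated, so either the display mode or the moderation exemption needs to change for it.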