Martin J. Evans wrote:

> I've inherited a 2.1.5 mailman. In the last few days we've been
> blacklisted by a number of major sites. On further investigation it
> looks like our mailman has been compromised in some way. Emails to the
> request address are somehow being used to send spam. There are literally
> thousands of them. I've stopped the list for now. Obviously 2.1.5 is way
> out of date but I've looked at the changes since then and cannot see
> something which looks like this issue although a search for mailman
> request exploit brings up a number of entries which are not very
> detailed. Does anyone know of an exploit in 2.1.5 which allows spam to
> be sent via mailman in 2.1.5?
If I understand correctly what you are saying, spam is being sent to the list-request address with a From: header containing an innocent 3rd party address. The response from Mailman, which contains the original message, is sent to the innocent 3rd party.

Current Mailman through 2.1.11 will behave the same. These issues will be addressed in 2.2.

In the meantime, the best solution is effective spam filtering ahead of Mailman. Barring that, you can disable the -request and perhaps other support addresses and force everyone to use the web for subscribing, confirming, etc.

-- 
Mark Sapiro <[EMAIL PROTECTED]>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

------------------------------------------------------
Mailman-Users mailing list
[email protected]
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: http://mail.python.org/mailman/options/mailman-users/archive%40jab.org
Security Policy: http://wiki.list.org/x/QIA9
