A blog about software development, primarily in Java and about web applications.

Tuesday, April 29, 2008

Mailman Mailing Lists and Spam Prevention

We recently had an issue with spam coming to a mailing list that only our application should be sending to. We use Mailman to manage our mailing list and have our own mail server. The mailing list is set up to only allow emails from two email addresses: one an administrative address we use for manual announcements we need to make, the other the name of the email list itself which we use for the automated emails.

The spammers started sending requests into our mail server with one of our allowed email addresses. I looked in the Mailman interface to see if there was some option that would block these spam attempts and didn't see anything that would apply. We were already restricting who could send to the lists and had all other addresses either blocked or moderated. Two obvious solutions were for IT to configure our spam filtering software to block these spam attempts or configure the mail server to not allow emails with our FROM address that originate outside the firewall. For various reasons, our IT group said they could not do either.

The solution we found was to add an "Approved: [password]" header as the first line in the body of the email (followed by one blank line). Mailman will treat this line as an email header and make sure the password matches the administrative password set in the Mailman UI (this is different than the moderator's email address).

Here's the article we found at python.org describing the solution. The only piece missing was which password to set in the UI.

The password we use is essentially a shared secret, which isn't the most secure thing, so we've externalized its value into a property file. This allows our Operations team to change the password if it gets compromised without involving development.
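As an added illustration (not code from the original post, and not Mailman's own code), the snippet below does the two things the post describes: it reads the shared secret from an externalized key=value property file and builds a list message whose body starts with the `Approved: [password]` line followed by one blank line. The property key name `mailman.approved.password`, the sample property text and the addresses are constructed for the example; the Python standard library `email` package stands in for whatever mail API the application actually uses.

```python
import configparser
from email.message import EmailMessage

# Constructed sample of the externalized property file (assumption: Java-style
# key=value lines; configparser parses them once a section header is prepended).
SAMPLE_PROPERTIES = "mailman.approved.password=change-me-example\n"


def load_approved_password(properties_text: str,
                           key: str = "mailman.approved.password") -> str:
    """Return the shared secret stored under `key` in a key=value properties text.

    Raising on a missing or empty value is deliberate: an empty Approved: line
    would be rejected by Mailman (or, with a stale sender filter, silently allowed).
    """
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string("[props]\n" + properties_text)
    password = parser["props"].get(key, "").strip()
    if not password:
        raise ValueError(f"property {key!r} is missing or empty")
    return password


def build_list_message(sender: str, list_address: str, subject: str,
                       body: str, password: str) -> EmailMessage:
    """Build the message exactly as Mailman expects it.

    Mailman treats the first body line as a pseudo-header, so the Approved:
    line must be line 1 and must be followed by one blank line; the real
    body starts after that.
    """
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = list_address
    msg["Subject"] = subject
    msg.set_content(f"Approved: {password}\n\n{body}")
    return msg


def approved_line_is_first(raw_body: str, password: str) -> bool:
    """Sanity check before sending: the Approved: line is first and is
    terminated by a blank line. Anything else (a signature block or a
    template that puts text first) would leave the secret visible in the
    delivered mail and the post unapproved."""
    lines = raw_body.split("\n", 2)
    return (len(lines) >= 2
            and lines[0] == f"Approved: {password}"
            and lines[1] == "")


if __name__ == "__main__":
    secret = load_approved_password(SAMPLE_PROPERTIES)
    message = build_list_message("announce@example.com", "list@example.com",
                                 "Scheduled maintenance", "Hello list", secret)
    assert approved_line_is_first(message.get_content(), secret)
    print(message.as_string())
```

Sending is then a normal `smtplib.SMTP(host).send_message(message)` call. Because the secret travels in the body of every automated post, keep the property file readable only by the account the application runs as, and rotate the value in both the property file and Mailman's UI together.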

One last note: if you previously configured Mailman to allow (unmoderated) emails from your FROM address, you will want to remove that (in Mailman's Privacy Options -> Sender Filters), or all emails from that address will still be allowed, even if you have no password or an incorrect password.
