Folks, this is built in to SmartList already. See here:
http://www.hartzler.net/smartlist/SmartList-FAQ.html#Section_8.1
We use it, and it works fine, although it offers no protection against
somebody sniffing your email between you and the SmartList server.
-----Original Message-----
From: Roger Burton West [mailto:roger@firedrake.org]
Sent: Monday, April 29, 2002 10:37 AM
To: smartlist(a)Lists.RWTH-Aachen.DE
Subject: Re: Klez worm forging moderator's address?
On Mon, Apr 29, 2002 at 10:30:39AM -0400, KEVIN ZEMBOWER wrote:
>1.) Is this a possible scenario with SmartList? I can't think of any
>reason why this wouldn't work.
It's entirely possible. Email addresses are trivial to spoof.
>2.) Is there any protection to avoid this? I can't think of any setting
>to make the system reject messages from the moderator which DON'T come
>from a particular mail system. Is there any other way? Moderator must
>approve his own posts?
Or other password-protection; there have been several discussions about
this on the list before. Basically, it's fairly easy to put in a filter
which requires a particular header to appear in a message, and which
strips out that header before the message goes to the list.
Roger
_______________________________________________
Smartlist mailing list
Smartlist(a)lists.RWTH-Aachen.DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/smartlist
Thank you, Roger, for your reply and suggestions.
I went back 6 months in the archive, scanning subjects for password or
related terms, but was unsuccessful. I wasn't able to find a search
engine for the archives, either. FAQ 4.11 seems like it might be
related, but would still have to be changed, since the whole "From:"
header was forged successfully.
Unfortunately, we use GroupWise here, which makes it impossible to
change headers, only message bodies. Any solution I implement has to
look into the body for the authorization, not the headers.
I've finally decided to implement this recipe in rc.local.r00, at the
end:
# 29-Apr-2002-EKZ: Added recipe to filter out all submissions to list
# NOT from ccp2.jhuccp.org. Done because of Klez worm forging From:
addresses
:0
* !^Received:.*ccp2\.jhuccp\.org
/dev/null
I think that this will filter out all message that don't have
"ccp2.jhuccp.org" in one of the Received: headers.
Thanks again for your help.
-Kevin Zembower
> Roger Burton West <roger(a)firedrake.org> 04/29/02 10:37AM >>>
On Mon, Apr 29, 2002 at 10:30:39AM -0400, KEVIN ZEMBOWER wrote:
>1.) Is this a possible scenario with SmartList? I can't think of any
>reason why this wouldn't work.
It's entirely possible. Email addresses are trivial to spoof.
>2.) Is there any protection to avoid this? I can't think of any
setting
>to make the system reject messages from the moderator which DON'T
come
>from a particular mail system. Is there any other way? Moderator must
>approve his own posts?
Or other password-protection; there have been several discussions
about
this on the list before. Basically, it's fairly easy to put in a
filter
which requires a particular header to appear in a message, and which
strips out that header before the message goes to the list.
Roger
_______________________________________________
Smartlist mailing list
Smartlist(a)lists.RWTH-Aachen.DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/smartlist
OK, occasionally the list address gets spammed. I get the message for
approval, but the message goes to mhonarc and gets archived anyway. How
do I fix this.
--
Baloo
I use a form to allow folks to sign up for my mailing lists. One user is
having trouble using the form and I think it might be a problem with
smartlist. Whenever he sends a subscribe request, the following error is
generated:
X-Diagnostic: Mail coming from a daemon, ignored
The domain of the address generating this problem is "@ib.sc.vu.lt"
Could it be that smartlist doesn't know how to handle such a domain?
Thanks,
irwin
I've been running a few smallish smartlist-based lists for about 7 years now but I have been told my current host may be ceasing operations and I'll need to find a new provider. I would like to continue using my personalized version of smartlist on the new host so I'd like to have login access along with procmail/smartlist support. Does anyone have suggestions for North American providers who can meet those needs?
Rich
--
richard_ball(a)merck.com
(I regret the presence of the legal disclaimer but I have no control over it)
------------------------------------------------------------------------------
Notice: This e-mail message, together with any attachments, contains information of Merck & Co., Inc. (Whitehouse Station, New Jersey, USA) that may be confidential, proprietary copyrighted and/or legally privileged, and is intended solely for the use of the individual or entity named on this message. If you are not the intended recipient, and have received this message in error, please immediately return this by e-mail and then delete it.
==============================================================================
Well, reject file worked fine for me. Thanks.
Just curious, is there a way to restrict postings from a domain altogether ? What if sender keeps sending junk using different accounts from his domain.
Regards,
Nishi
> -----Original Message-----
> From: Charlie Summers [mailto:charlie@lofcom.com]
> At 1:42 PM -0400 4/22/02, Tim Pierce is rumored to have typed:
>
> > The reject file is unfortunately only applied to subscribe requests;
> > if someone is subscribed to your list, adding their e-mail
> address to
> > the reject file won't prohibit them from posting.
>
> Of course. It is a reasonable assumption to make that if
> this person is
> sending junk, he would have been unsubscribed. Therefore the
> only problem is
> keeping him from coming back.
I had a strange occurrence this morning with one of my mailing
lists. User2 unsubscribed, and the list removed User1, who is another list
member from the same domain. The log file entry is below (names/domains
changed to protect the innocent):
X997 user1(a)domain.com 24689 user2(a)domain.com
Removed: user1(a)domain.com
You have been removed from the list..X
unsubscribe: 997 user1(a)domain.com 24689 user2(a)domain.com by:
user2(a)domain.com Fri Feb 15 09:31:56 EST 2002
Why would this happen?
Thanks in advance,
Irwin
Hi all,
Is there a way to restrict postings from a particular email address ? I have a poster who just would not stop posting junk stuff ?
Regards,
Nishi
In article <v03130313b8ea0172f0a5(a)[192.168.123.10]>,
Charlie Summers <charlie(a)lofcom.com> writes:
> At 1:42 PM -0400 4/22/02, Tim Pierce is rumored to have typed:
>
>> This patch to rc.submit should make SmartList use the reject file to
>> screen list postings.
>
> Again, it seems a lot of unnecessary work, since (at least on every list I
> know about) if someone is consistantly sending unwanted posts, and refuses to
> stop after being asked to do so by the listmaster, that address is summarily
> unsubscribed. (And if you're determined to leave a specific address
> subscribed and ignore postings from them, a simple /dev/null drop in
> rc.local.s00 makes more sense than worrying about scoring from the reject
> file.)
We have found this feature useful for many reasons. Many list
managers want to have something between allowing people to post
whatever they want and unsubscribing them completely. For example,
they may be posting lists of lightbulb jokes and chain letters, or
they may be usually reasonable people who fly off the handle whenever
a particular person or subject comes up, or they may be carrying on a
temporary flamewar with one other person. While it may be reasonable
to unsubscribe the offender, depending on the severity of the offense,
some list managers prefer to leave them on the list but unable to
post.
I do not personally agree that a "simple" addition to rc.local.s00
makes more sense than using the reject file. There are several
reasons, but one of the most compelling was that I found our list
admins were already putting addresses of people they didn't want to
post into the reject file, then reporting it as a bug when their posts
were not rejected. They were showing me pretty clearly what the most
user-friendly implementation of this feature would be.
No one is required to make this change, of course, and I certainly do
not expect Charlie's views to agree with mine. :-) But, since the
subject of rejecting posts from individual subscribers, I am sharing
the solution that we found to work to this problem.
On Mon, 22 Apr 2002, Tim Pierce wrote:
> > rm accept
> > ln dist accept
>
> > Any ideas how the file
> > may have become unlinked in the first place?
>
> The most common cause in my experience is when someone edits the dist
> or accept file with emacs or some other editor that doesn't pay
> attention to hardlinks by default. Emacs's natural behavior is to
> make a backup of the file you're editing by renaming it to filename~,
> then creating a new file in its place. Vi, pico and some other
> editors make backup files by copying rather than renaming, which
> avoids this particular problem.
Then
ln -s dist accept
will avoid such problem better, I think.
Zhiliang
