[PLUG] We need to block non-member posts

Aj Lavin aj at haightmail.org
Mon Jun 10 22:21:37 UTC 2002


On Mon, Jun 10, 2002 at 10:37:20AM -0700, Dan Haskell wrote:
> 
> The Usenet gateway needs to be shut off until it can be done without
> opening us up to abuse from the whole world.

I do not believe that it is even necessary to open up the mailing list
to non-member posts in order to enable members to post through the
newsgroup. The current Mailman setting is basically a mis-
configuration, AFAICT.

A Mailman list can be configured to receive posts from members only
and to verify members by checking the From: header. Both SMTP and NNTP
have a From: header, so using this policy, Mailman should use the NNTP
From: header to verify members who post through the news group. So if
you post to the newsgroup using a From: field that is a member's email
address, then the post will be sent to the mailing list as well.

This policy would have prevented the recent SPAM while allowing list
members to post through the news gateway.

A tighter policy would use the unixfrom envelope instead of the From
header for authorization. It looks like for Usenet posts, the Mailman
gate_news script sets the unixfrom header to the list administrator's
email address. As long as the list administrator can post to the list,
then all Usenet posts would be sent to the mailing list using this
policy. However, this policy might cause grief for people who
regularly post from different computers.

- Aj




More information about the PLUG mailing list