[sympa-users] Shared document exploit

sympa-users: the mailing list for listmasters using Sympa

  • From: "Mark F. Heiman" <address@concealed>
  • To: address@concealed
  • Subject: [sympa-users] Shared document exploit
  • Date: Tue, 2 Feb 2010 09:36:39 -0600

I wanted to share an incident we just had with spammers, just in case others may run into this same situation.

It only applies if your Sympa install enables shared documents, allows anyone to register, and any registered user can request a new list. We're running 5.4, but I don't think version 6 changes anything here.

Here's what happens:

-- The spammer registers on your site and requests a new list.
-- At this point, even before the list is approved or rejected, the shared document repository is available. The spammer uses the repository to create a little web site of ads for their product, and makes it public.
-- The spammer then sends out their spam by some other mechanism, directing people to the pages on your Sympa site.
-- Rejecting the list request DOES NOT close the repository. If you just reject the list, but don't purge it from the system, the spammer will keep right on using it.

Obviously, there are a number of different ways to prevent this; we just changed the scenario on create_list to intranet. But everyone should be aware that spammers are looking for Sympa sites that allow this behavior. If you start getting random list requests from strangers, don't just reject them and forget about it.

It probably makes sense to add some restrictions in the code, so that shared documents are only served if a list is open.


Mark F. Heiman
Senior Web Application Developer
Carleton College
address@concealed
507 222 4278
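The leftover repositories the post describes (a list request rejected or never approved, with its shared-document area still populated and public) can be found with a periodic audit of the list home. The script below is an added example written for this archive page; it is not code from the post's author or from the Sympa project. It assumes a layout that you should check against your own install: each list is a directory under the list home, its `config` file carries a `status` line (`open`, `pending`, `closed`, ...), and shared documents live in a `shared` subdirectory of the list directory. The sample list home it builds is constructed for the demonstration.

```python
"""Audit a Sympa list home for shared-document repositories that belong to
lists which are not open (pending, closed, or otherwise not approved).

Added example for the sympa-users archive page, not Sympa's own code.
Assumed layout (check against your install): <list_home>/<list>/config with a
"status <value>" line, and <list_home>/<list>/shared/ holding shared documents.
"""
import os
import tempfile


def list_status(list_dir):
    """Return the status recorded in a list's config file, or None if absent."""
    path = os.path.join(list_dir, "config")
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            for line in fh:
                parts = line.split()
                if len(parts) >= 2 and parts[0] == "status":
                    return parts[1].lower()
    except OSError:
        return None
    return None


def shared_file_count(list_dir):
    """Count files under the list's shared-document directory (0 if none)."""
    shared = os.path.join(list_dir, "shared")
    if not os.path.isdir(shared):
        return 0
    total = 0
    for _root, _dirs, files in os.walk(shared):
        total += len(files)
    return total


def find_orphaned_shared(list_home):
    """Return {list_name: (status, file_count)} for every list that is not
    open but still carries shared documents: the leftover repositories a
    rejected or abandoned list request leaves behind. A missing config file
    (status None) is treated as not open, since such a list should not be
    serving anything either."""
    findings = {}
    for name in sorted(os.listdir(list_home)):
        list_dir = os.path.join(list_home, name)
        if not os.path.isdir(list_dir):
            continue
        status = list_status(list_dir)
        count = shared_file_count(list_dir)
        if status != "open" and count > 0:
            findings[name] = (status, count)
    return findings


def build_sample_list_home():
    """Create a constructed list home: one legitimate open list, one rejected
    (closed) request whose shared area still holds an ad site, and one pending
    request with nothing uploaded. Returns the temporary directory path."""
    home = tempfile.mkdtemp(prefix="sympa-list-home-")
    specs = {
        "staff-news": ("open", ["minutes.pdf"]),
        "cheap-pills": ("closed", ["index.html", "img/pill.jpg"]),
        "new-request": ("pending", []),
    }
    for name, (status, files) in specs.items():
        list_dir = os.path.join(home, name)
        os.makedirs(list_dir)
        with open(os.path.join(list_dir, "config"), "w", encoding="utf-8") as fh:
            fh.write(f"subject Constructed sample list\nstatus {status}\n")
        for rel in files:
            full = os.path.join(list_dir, "shared", rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w", encoding="utf-8") as fh:
                fh.write("sample content\n")
    return home


if __name__ == "__main__":
    home = build_sample_list_home()
    for name, (status, count) in find_orphaned_shared(home).items():
        print(f"{name}: status={status}, {count} shared file(s) still on disk")
```

Run it against the real list home (the directory named by `home` in your sympa.conf) instead of the constructed one, and purge or empty the `shared` directory of anything it reports; only `open` lists are accepted as legitimate, so a rejected list that was closed but never purged is flagged, which is exactly the case the post warns about.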
