Skip to Content.
Sympa Menu

en - [sympa-users] Strategies for public listening servers

Subject: The mailing list for listmasters using Sympa

List archive

Chronological Thread  
  • From: Matt Taggart <address@concealed>
  • To: "address@concealed" <address@concealed>
  • Subject: [sympa-users] Strategies for public listening servers
  • Date: Tue, 28 Apr 2020 15:49:43 -0700

Hi sympa-users!

We run a large sympa server that can receive email from the internet. Lately we have seen an interesting problem:

* have a list that's configured with "send" to only allow member
posting, and other messages are rejected (or similar send scenari)
* spammer uses a 3rd party SMTP server to send mail to the list address
with a forged From address, which is not subscribed to the list
* sympa rejects the message and sends a bounce to the forged address
* the forged address is a spam trap and then our mailserver gets listed
on an RBL and we get listed and have to argue with the RBL about why
we sent mail to a spam trap

I don't think the spammer in this case was doing this deliberately, but it shows just how easy it would be to cause any mailing list server to be listed by forging a few mails.

Do people have strategies for preventing this problem? Here's what we're doing already:

* doing various high-level blocking in postfix of RBLs/bad clients/etc
to weed out the worst junk
* running spamassassin via a postfix milter to block spam/viruses
/phishes. This has to be fairly conservative because false positives
are discarded (as opposed to just going to a Spam folder or
something)
* spamassassin also has rules for SPF/DKIM/DMARC failures. Note in the
case mentioned above, the From address domain did NOT have
SPF/DKIM/DMARC records so this didn't help. (I would argue RBLs
employing spam traps should be using SPF/DKIM/DMARC to avoid this
sort of legitimate auto-response situation...)

Those are all aimed at blocking junk before it gets to sympa, which would help with spam/viruses/phishing, but wouldn't help with things that could get past that (like a deliberate attack to get a server listed).

The only other things I've thought about are stopping reject mails from going out:

* stop using scenari that send rejects, instead silently fail. This
seems bad from a human usability standpoint, but maybe that's what
things have come to in 2020
* restrict rejects to only domains that have particular SPF/DKIM/DMARC
policies so we know that the mail we received is legit before we
reject. Similar to how DMARC munging had to be implemented
* if there was any way we could reject at SMTP time then the server
sending the forgery would be getting the reject rather than the
server of the forged domain getting it after queuing and sympa
processing. I think this require some sort of sympa milter?

Any other ideas?
Have others with sites that can receive public mail seen this (yet)?

Thanks,

--
Matt Taggart
address@concealed



Archive powered by MHonArc 2.6.19+.

Top of Page