The mailing list for listmasters using Sympa

[Matt Taggart <address@concealed>]

Hi sympa-users!

We run a large sympa server that can receive email from the internet. 
Lately we have seen an interesting problem:

* have a list that's configured with "send" to only allow member
    posting, and other messages are rejected (or similar send scenari)
* spammer uses a 3rd party SMTP server to send mail to the list address
    with a forged From address, which is not subscribed to the list
* sympa rejects the message and sends a bounce to the forged address
* the forged address is a spam trap and then our mailserver gets listed
    on an RBL and we get listed and have to argue with the RBL about why
    we sent mail to a spam trap

I don't think the spammer in this case was doing this deliberately, but 
it shows just how easy it would be to cause any mailing list server to 
be listed by forging a few mails.

Do people have strategies for preventing this problem? Here's what we're 
doing already:

* doing various high-level blocking in postfix of RBLs/bad clients/etc
   to weed out the worst junk
* running spamassassin via a postfix milter to block spam/viruses
   /phishes. This has to be fairly conservative because false positives
   are discarded (as opposed to just going to a Spam folder or
   something)
* spamassassin also has rules for SPF/DKIM/DMARC failures. Note in the
   case mentioned above, the From address domain did NOT have
   SPF/DKIM/DMARC records so this didn't help. (I would argue RBLs
   employing spam traps should be using SPF/DKIM/DMARC to avoid this
   sort of legitimate auto-response situation...)

Those are all aimed at blocking junk before it gets to sympa, which 
would help with spam/viruses/phishing, but wouldn't help with things 
that could get past that (like a deliberate attack to get a server listed).

The only other things I've thought about are stopping reject mails from 
going out:

* stop using scenari that send rejects, instead silently fail. This
  seems bad from a human usability standpoint, but maybe that's what
  things have come to in 2020
* restrict rejects to only domains that have particular SPF/DKIM/DMARC
  policies so we know that the mail we received is legit before we
  reject. Similar to how DMARC munging had to be implemented
* if there was any way we could reject at SMTP time then the server
  sending the forgery would be getting the reject rather than the
  server of the forged domain getting it after queuing and sympa
  processing. I think this require some sort of sympa milter?

Any other ideas?
Have others with sites that can receive public mail seen this (yet)?

Thanks,

--
Matt Taggart
address@concealed