
Re: Buckets of spam coming through IETF lists

2011-04-01 23:36:39
> Some clever spambot seems to have scraped a bunch of addresses out of the
> archives and is sending spam with multiple addresses on the From: line through
> IETF and IRTF mailing lists.  Surely I'm not the only one who's seeing it.

> DKIM is directly designed to address this... What do we need to do to put it in
> play?

Probably more than you want to try to do in a hurry.

It seems to me there are two separate problems. One is that a bad guy is sending spam with fake IETF and IRTF return addresses, something that DKIM can mitigate. The other is that the mailing list software is getting confused by multiple From line addresses, which is probably buggy code that wasn't written to handle them.

For the former, first you adjust the IETF's mail servers to put DKIM signatures on all the outgoing mail. Once that works, you adjust the incoming spam filters so that mail that purports to be from the IETF or IRTF and doesn't have a signature is treated as spam. (SpamAssassin can easily be tuned to do that.) You don't want to do that in a hurry, because there always turn out to be considerably more outgoing mail paths than you thought, and finding and securing them all is tedious.

It's not immediately apparent to me why Mailman is letting that mail through, since the addresses on the From: line aren't all subscribed to the various lists. As a band-aid, it's straightforward to add a Mailman spam filter like

  from: .*<.*>.*,

which will catch any multiple from lines and either hold or discard them.

Regards,
John Levine, johnl(_at_)iecc(_dot_)com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. http://jl.ly
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf
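
The band-aid header rule from the message above, run against a few constructed From: lines and compared with a mailbox count from Python's standard address parser. This is an added example, not code from the original message or from Mailman; the case-insensitive per-line matching and the function names are assumptions.

```python
import re
from email.utils import getaddresses

# The rule quoted in the message, applied here as a case-insensitive search
# on a single header line (an assumption about how the filter is run).
RULE = re.compile(r"from: .*<.*>.*,", re.IGNORECASE)


def rule_hits(header_line):
    """True if the regex rule would flag this header line."""
    return RULE.search(header_line) is not None


def from_address_count(header_line):
    """Number of mailboxes an address parser finds in a From: header line."""
    name, _, value = header_line.partition(":")
    if name.strip().lower() != "from":
        return 0
    return sum(1 for _display, addr in getaddresses([value]) if addr)


# Constructed sample headers (not taken from the spam run discussed above).
SAMPLES = [
    "From: Alice <alice@example.org>, Bob <bob@example.net>",  # two mailboxes
    'From: "Levine, John" <johnl@example.com>',   # comma inside a display name
    "From: alice@example.org, bob@example.net",   # two mailboxes, no brackets
    "From: Carol <carol@example.org>",            # ordinary single author
]


def compare(lines=SAMPLES):
    """Return (line, regex verdict, parsed mailbox count) for each line."""
    return [(line, rule_hits(line), from_address_count(line)) for line in lines]


if __name__ == "__main__":
    for line, hit, count in compare():
        verdict = "hold" if hit else "pass"
        print(f"{verdict:4}  mailboxes={count}  {line}")
```

The regex only fires when a comma follows a closing angle bracket, so a list of bare addresses passes it; holding any message where the parsed count exceeds one covers both forms.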