[sf-lug] The problem I experienced recently XFwd: Fwd: Your confirmation is required to leave the test mailing list

Rick Moen rick at linuxmafia.com
Tue Jun 6 17:38:29 PDT 2023


Quoting Todd Hawley (celticdm at gmail.com):

> And at this point, SMTP headers are all likely forged (at least most of
> them), so it would seem to me anyway trying to analyse them is a waste
> of time (although reading them can be hilarious in terms of the silly
> names in the forged headers :p).

No, _not_ true.  A spammer can programmatically insert fake headers
(such as the critical Received headers), but the last-hop Received
header will necessarily be there as an artefact of distribution.  A
person experienced in SMTP header analysis, such as is yr. humble
servant, who was for a very long time one of the regulars on
net.admin.net-abuse.email, can thus efficiently determine where the mail
was (what IP) by finding the last-hop information prior to the
recipient's MTA.

This is all cut and dried, Todd.  It's just not possible to hide where
the mail got its last-hop delivery from.  That is actually the
fundamental basis of almost all the anti-spamhaus measures the good guys
have added to mail-handling over the last quarter-century.

> Hmm I could be mistaken but I thought most CGI forms were "spam magnets" and
> if you had any on your web site you should get rid of them.

So, you would like me to eliminate Mailman's ability to sign up to (and
unsubscribe from) mailing lists from the Web site?  Gee, I could.  And
then I can eliminate the ability to do so from the e-mail command
interface, too, since it's equally easy to generate this sort of
specialised backscatter from that command interface, too.

Which would of course neatly eliminate the ability to be on the mailing
lists at all.

That is your suggestion, right?

No, Todd, Mailman is not a spam reflector, not here, and not anywhere
else.  It just has a means to ask the mailing list manager software to
carry out actions with your subscriptions, e.g., unsubscribe, change your
subscription password, toggle between plaintext and digest mode, toggle
"vacation" mode, etc.  Every request allegedly submitted by a subscriber
gets verified by e-mailing a confirmation request to the affected
subscriber.  The confirmation requests are real, not spam, but can be
generated by malicious automated processes.

> Anyway, thanks for the explanations.

You're welcome, I _think_?  Except your phrase "spam magnets", and the
weird suggestion that I shoot Mailman's Web command interface in the
head, suggest to me that you didn't quite follow either of the two
antecedent explanations.

This is now the third explanation.

If you or any other subscriber doesn't like the way mailing lists work,
you're welcome to just not be here, if you prefer.  Do you need help
with leaving?
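
[Added example, not part of the original post or of Mailman: a sketch of the last-hop Received analysis described above. It walks the Received headers from the top and reports the peer IP recorded by the recipient's own MTA, ignoring everything the sender could have inserted below it. The hostnames, addresses and sample message are constructed assumptions.]

```python
import email
import re

# Constructed sample. The two lower Received headers are sender-supplied and
# may be forged; the top one was stamped by the recipient's MTA, assumed here
# to be mx.example.org.
RAW = """\
Received: from mail.bulk-sender.example (unknown [203.0.113.45])
\tby mx.example.org (Postfix) with ESMTP id 4QbX1k2Zz1
\tfor <user@example.org>; Tue, 6 Jun 2023 17:30:02 -0700 (PDT)
Received: from silly-name.invalid (silly-name.invalid [192.0.2.10])
\tby relay.bank.example with ESMTP; Tue, 6 Jun 2023 17:29:00 -0700
Received: from localhost (localhost [127.0.0.1])
\tby silly-name.invalid with SMTP; Tue, 6 Jun 2023 17:28:00 -0700
From: "Someone" <someone@silly-name.invalid>
To: user@example.org
Subject: constructed sample

body
"""

BY_RE = re.compile(r"\bby\s+([^\s;()]+)", re.I)
IP_RE = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")

def last_hop(raw, trusted_mtas, internal_ips=()):
    """Return (peer_ip, helo_name) from the first trusted header, counting
    from the top, whose peer is outside our own infrastructure."""
    msg = email.message_from_string(raw)
    for value in msg.get_all("Received", []):   # topmost header is newest
        flat = " ".join(value.split())          # undo header folding
        by = BY_RE.search(flat)
        if not by or by.group(1).lower() not in trusted_mtas:
            return None     # not stamped by our MTA: nothing below is reliable
        from_part = flat[:by.start()]
        ip = IP_RE.search(from_part)            # address our MTA saw on the wire
        helo = re.match(r"from\s+(\S+)", from_part, re.I)
        peer = ip.group(1) if ip else None
        if peer in internal_ips:
            continue        # hop between our own hosts, keep walking down
        return peer, (helo.group(1) if helo else None)
    return None

if __name__ == "__main__":
    print(last_hop(RAW, {"mx.example.org"}))
```
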



