[SGVLUG] Mailman, SPAM Traps, and UCEProtect

Mike Rubel mrubel at galcit.caltech.edu
Thu Apr 16 10:21:30 PDT 2009


This is a fundamental flaw in SMTP: anyone can claim to be anyone.

> I can't do an SPF record check or reverse DNS verification on them.

What about only sending automated error replies when the incoming message
passes SPF?  This might inconvenience a few users--specifically, those who
are not subscribed and whose SMTP providers aren't using SPF--since their
messages will simply be ignored rather than courtesy-bounced.  But it will
not inconvenience subscribed members (since their messages would not have
generated an automated reply anyway), and it would seem to prevent this
particular kind of abuse.

Another potential problem is spammers simply subscribing the spam trap
address to your lists.  I can't think of a workaround there, as there's no
way to differentiate legitimate sign-up attempts from illegitimate ones,
short of only allowing SPF-protected addresses to subscribe to your list.

-Mike
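
The SPF-gated auto-reply suggested in this message, sketched as an added example (not part of the original post and not Mailman's own code). The hostname `mx.lists.example`, the subscriber set, the function names and the sample messages are constructed assumptions; the list's own MTA is assumed to record its SPF verdict in an `Authentication-Results` header.

```python
import email
from email import policy

# Assumption: the authserv-id our own MTA stamps on messages it has checked.
TRUSTED_AUTHSERV = "mx.lists.example"
# Constructed subscriber list for the example.
SUBSCRIBERS = {"alice@example.org"}

def spf_result(msg):
    """Return the SPF verdict recorded by our own MTA, or 'none'."""
    for value in msg.get_all("Authentication-Results", []):
        authserv, _, rest = str(value).partition(";")
        # Ignore headers not stamped by our MTA: the sender can forge them.
        if authserv.lower().split()[:1] != [TRUSTED_AUTHSERV]:
            continue
        for clause in rest.split(";"):
            clause = clause.strip()
            if clause.lower().startswith("spf="):
                return clause[4:].split()[0].lower()
    return "none"

def disposition(raw_message, envelope_from):
    """Decide what the list does with an incoming message.

    'post'    -> sender is subscribed, no automated reply is generated
    'bounce'  -> non-subscriber whose envelope sender passed SPF
    'discard' -> non-subscriber without an SPF pass: stay silent, so a
                 forged sender (e.g. a spam trap) never receives backscatter
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    if envelope_from.lower() in SUBSCRIBERS:
        return "post"
    if spf_result(msg) == "pass":
        return "bounce"
    return "discard"

def sample(auth_results):
    """Build a constructed test message with the given header values."""
    headers = "".join(f"Authentication-Results: {a}\n" for a in auth_results)
    return headers + "From: someone@example.net\nSubject: hi\n\nbody\n"

if __name__ == "__main__":
    ok = sample(["mx.lists.example; spf=pass smtp.mailfrom=bob@example.net"])
    forged = sample(["elsewhere.invalid; spf=pass smtp.mailfrom=trap@example.com",
                     "mx.lists.example; spf=fail smtp.mailfrom=trap@example.com"])
    print(disposition(ok, "bob@example.net"))       # bounce
    print(disposition(forged, "trap@example.com"))  # discard
    print(disposition(sample([]), "alice@example.org"))  # post
```
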


