3.34. How do I spoof-proof my one-way (announcements or newsletter) list?
If you've had problems with virus-generated messages with spoofed senders getting through to a one-way list (we have), you can completely spoof-proof your list by requiring Web-based approval of every message, even if it is sent by the list's moderator (the author, in the case of a one-way newsletter).
Under Privacy Options, Recipient Filters, set max_num_recipients to 1. This will cause every message posted by the moderator to require approval via the Web (Reason: too many recipients).
You must also set require_explicit_destination to "yes" to preclude allowing a post with zero recipients (i.e. list in Bcc:).
Q: One? Don't you mean zero?
No. Its definition is "If a posting has this number, or more, of recipients, it is held for admin approval. Use 0 for no ceiling."
As noted in article 3.11 (see How do I create a newsletter, announcement, or one-way list?), the secure way to do this is to set everyone's moderation bit on, set the default for new subscribers to moderated, and post using an Approved: header. This way, no one can post directly to the list without a header of the form
Approved: <password>
in either the headers or the first body line of the message. The header is of course removed before the post is delivered to the list.
In the above, <password> is the list's admin, moderator, or (in 2.1.15 and up) poster password.
The Approved: header would also work to pre-approve posts if all messages are held via set max_num_recipients = 1, but moderation of members offers more options than just holding posts.
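The following is an added example, not Mailman's own code: a simplified Python model of the hold decisions described above. It shows why the ceiling must be 1 rather than 0, why a Bcc-only post slips through unless require_explicit_destination is on, and how an Approved: line in the headers or first body line pre-approves a post. The function name decide, the list address, the password and the sample messages are all constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses

LIST_ADDR = "announce@example.org"  # constructed list address
PASSWORD = "example-password"       # constructed placeholder, not a real secret

def decide(raw, max_num_recipients=1, require_explicit_destination=True):
    """Simplified model of the checks described above; not Mailman's own code."""
    msg = message_from_string(raw)
    # Approved: may be a real header or the first line of the body.
    approved = msg.get("Approved")
    if approved is None and not msg.is_multipart():
        first = msg.get_payload().lstrip().split("\n", 1)[0]
        if first.lower().startswith("approved:"):
            approved = first.split(":", 1)[1]
    if approved is not None and approved.strip() == PASSWORD:
        return "accept: pre-approved"
    # Only visible recipients count; a Bcc'd list address never appears here.
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    addrs = [addr.lower() for _, addr in pairs if addr]
    if require_explicit_destination and LIST_ADDR not in addrs:
        return "hold: implicit destination"
    # 0 means no ceiling; otherwise hold at this number *or more*.
    if max_num_recipients > 0 and len(addrs) >= max_num_recipients:
        return "hold: too many recipients"
    return "accept"

# Constructed sample messages.
SPOOFED = ("From: editor@example.org\nTo: announce@example.org\n"
           "Subject: news\n\nHello\n")
BCC_ONLY = "From: editor@example.org\nSubject: news\n\nHello\n"
HEADER_OK = ("From: editor@example.org\nTo: announce@example.org\n"
             "Approved: example-password\n\nHello\n")
BODY_OK = ("From: editor@example.org\nTo: announce@example.org\n\n"
           "Approved: example-password\nHello\n")

if __name__ == "__main__":
    print("spoofed, ceiling 1:", decide(SPOOFED))
    print("spoofed, ceiling 0:", decide(SPOOFED, max_num_recipients=0))
    print("Bcc only, explicit off:",
          decide(BCC_ONLY, require_explicit_destination=False))
    print("Bcc only, explicit on:", decide(BCC_ONLY))
    print("Approved header:", decide(HEADER_OK))
    print("Approved body line:", decide(BODY_OK))
```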
Converted from the Mailman FAQ Wizard