Tech Tip (LISTSERV) – Issue 3 – 2007
Q: What are some of the list configuration techniques that I can use to protect my lists from spam?
Answer by Ben Parker
Chief Corporate Consultant, L-Soft
List owners of all mailing lists have run into the problem of spam at one time or another. This tech tip will discuss different issues related to spam and mailing lists from the perspective of the list owner, including some list configuration techniques that can be used to prevent spam from being distributed to your mailing list.
How Does Spam Get to You, the List Owner, or to Your List?
The first and most obvious answer is that the email address of your list (the List-Address) is generally public knowledge and cannot be concealed. Your list may be listed in CataList. Your list message archives may be open to the public. And your List-Address may have been harvested directly from the email messages or address books on virus-infected computers of your subscribers.
Secondly, you, as list owner, may see in your own mailbox much more list-related spam than actually goes to your list. Remember that every LISTSERV list has a generic address that routes to the non-quiet list owners: email@example.com. This address pattern is well known to spammers, so it is an easy additional spam target since they may already know your List-Address as noted above.
A third popular and easily predictable address is firstname.lastname@example.org. Normally, in LISTSERV operations, this address is used only for non-delivery error processing or bounces. But recently we at L-Soft have noticed an increase of spam being sent to this address. Since the message format of the spam is nothing like a standard non-delivery report, LISTSERV typically forwards the non-conforming message to you for human intervention.
Keeping Spam Messages Off Your Mailing List
LISTSERV has built-in spam detectors that are generally fairly effective at identifying actual spam and discarding it or routing it to the list owner. Unfortunately, as spammers get more intelligent they may sometimes evade these detectors, or they may simply get lucky. As a result, it may be desirable to take additional steps to keep the spammers out.
Unfortunately, many of these steps have a side-effect of causing more work for you or of making things less convenient for your subscribers. Greater security, unfortunately, usually means some reduction in convenience. It is up to you to determine whether the trade-off in each case makes it worthwhile to take the indicated action. We will attempt to summarize the advantages and disadvantages of each option in what follows.
All of the options that are discussed below would be modifications or additions to your list configuration (aka list header) settings. For additional information on any of these configuration options, see Appendix B of the List Owner's Manual or the online help wizards in the LISTSERV Web interface.
This setting prevents your mailing list from appearing in CataList. Also, your list will no longer appear in the output of the "LISTS" command (unless that command is issued by a list owner of the list or by the site administrator).
This option makes it more difficult for spammers to find the List-Address. Of course it also makes it more difficult for legitimate subscribers to find your list.
With Send= Private, the From: address in the incoming email must be subscribed to the list to be allowed to post messages to the list. If it is not subscribed, the message will be rejected. (Exception: list owners may post messages to their lists even if not subscribed with the From: address used, as long as that address is listed as Owner=.) This setting is recommended for all discussion-style lists.
|3) Subscription= Open, Confirm|
With this setting (combined with Send= Private), spammers would have to send a subscription request and confirm that subscription request before they could attempt to send spam to your mailing list. This is not something that can be automated easily so most spammers will not take the trouble. (However, we have seen some automated scripts that can successfully subscribe to a Subscription= Open,Confirm mailing list.)
The 'Confirm' part has two important advantages. First, it verifies that the subscriber's email address is correct. Second, it prevents people from getting subscribed to your mailing list against their will. There have been cases of individuals who have been maliciously subscribed to a large number of mailing lists without their consent. Requiring confirmation of subscriptions (aka "confirmed opt-in" or "double opt-in") is a strongly recommended practice for all mailing lists.
One disadvantage is that people who may subscribe and receive their mail at one address but prefer to send mail to the list using another address will have trouble posting. (You can add them under the second address and SET them to NOMAIL.)
Another problem is that some people may have difficulty figuring out how to confirm their subscriptions, or may object to the increased complexity of the subscription process.
If you need greater control of subscribers to your list, such as making sure subscribers are dues-paid members of an organization or similar, then use:
|Subscription= By_Owner, Confirm|
This causes all subscription request to be forwarded to the list owner, who can then consult a membership list or otherwise check the subscriber's status before adding them to the list. The 'Confirm' causes the same OK/Confirmation check as above, which validates the subscriber's correct address and desire to join the list.
|4) Default-Options= REVIEW|
With this setting, when someone subscribes to your mailing list they are immediately set to REVIEW, which means that any message they send to the mailing list will first be sent to the list editor/moderator for approval. After you have determined that they are useful contributors to your mailing list, you can SET their subscription to NOREVIEW and allow them to post freely without your interference.
This is a good safeguard against someone subscribing to your mailing list and sending a bunch of inappropriate messages (whether or not they are spam). Obviously it entails some amount of additional work on your part, and some new subscribers may object to their messages being moderated in this fashion. If you use this option, you should change the welcome message that gets sent to new subscribers so that it includes an explanation of this policy and the reasons for it.
|5) Send= Editor, Hold, Confirm|
This setting makes your mailing list fully moderated, meaning all messages go to the list editor/moderator for approval. This gives you total control over what goes out to your subscribers. However, this option also requires a lot of work, particularly if your mailing list is very active. Additionally, some subscribers may again object to their messages being moderated. As with the previous option, you should change your welcome message to explain the policy and the reasons for it.
However, the biggest problem with this setting is that it allows non-subscribers from anywhere in the world (including spammers) to send messages to your List-Address. The result is that a lot of spam messages will go to the list editors/moderators, possibly flooding their mailboxes. If you really want to run a fully moderated discussion list but want to filter out most of the spam and junk messages, use this setting:
|Send= Editor, Hold, Confirm, Non-Member|
With this setting, a subscriber's messages will go to the list editor/moderator for approval as before, but messages from non-subscribers cause LISTSERV to first send back to the sender of the message an OK/Confirmation request asking them to confirm that they did in fact send that message to the list. Only if a confirmation is received will the message then go to the list editor/moderator. Since much spam is sent with fictitious From: addresses, the message will not be confirmed and will not go to the list editor/moderator. Even if the From: address is real (perhaps having been harvested from somewhere) that person will know they did not send the message and will not confirm it.
List owners of one-way, announcement-only lists should use a different setting that explicitly lists only the addresses permitted to send messages to the list. Any mail with other From: addresses will be rejected by LISTSERV.
|Send= email@example.com, firstname.lastname@example.org, confirm|
Keeping Spammers from Mining Your Mailing List for Addresses
Spammers have been known to use various strategies to capture some or all of the addresses of subscribers to a mailing list. For instance, they may subscribe to a mailing list, send a "REVIEW listname" command to get the list of subscribers, then unsubscribe.
Here are a few things that can increase mailing list security. As usual, there is a trade-off involved. Security can only be increased at some cost of convenience. As before, we will attempt to summarize the up and downsides of each option that follows.
This prevents your mailing list from appearing in CataList or in the results of the "LISTS" command. If spammers can't easily find your list name, they can't send to it. Of course, this also makes it harder for potential subscribers to find your list and subscribe to it.
The REVIEW command returns the list of subscriber to a list. The above setting prevents anyone but the list owner from getting a list of the subscribers to your mailing list. We would recommend this setting for most mailing lists. The disadvantage to this setting is that if someone has a legitimate reason to obtain a list of the mailing list's subscribers, they may have difficulty doing so. If so, they would have to write to the list owner for assistance. A less secure alternative, useful for small discussion lists in a business or workgroup context is:
This setting allows a current subscriber to get the list of subscribers.
|3) Notebook= Yes,....,Private|
This allows the list's message archives to be viewed only by subscribers. Remember, the email addresses of people who post to the mailing list are available in the list's archives. This setting also protects the www-accessible messages archives from "web crawlers" since they cannot authenticate themselves to LISTSERV. The disadvantage here is that subscribers will need to register their own personal password with LISTSERV and log in via the Web interface. Some subscribers may find this password process difficult.
|4) Subscription= By_Owner, Confirm|
As noted above, this setting sends all subscription requests to the list owner for verification. Suspicious requests can be investigated by the owner. Remember, anyone subscribed to your list and receiving list messages can obtain the addresses of other subscribers, at least those who post messages regularly. List owners need not be paranoid, but a little caution may be advisable, depending on the nature of what is discussed on your list, who the audience is, and what the list environment is (public vs private.)
Regarding spam sent to the generic list owner address: email@example.com, LISTSERV now automatically sends an OK/Confirmation request back to the sender of the message asking them to confirm that they really did send the message. Only if they confirm will the message then be forwarded to the owner. This greatly reduces spam going to the list owner. However, some people may either be offended by this, or may find the confirmation process difficult, so some messages may not get to the list owner.
Regarding spam sent to the firstname.lastname@example.org address, which is then forwarded to the list owner as an unknown error bounce report message, there is not much that can be done. One of the primary features of LISTSERV is to automatically manage bad addresses. The only suggestion is to set:
|Auto-Delete= Yes, Full-Auto, ...|
Fewer of the unknown messages will now be sent to you. LISTSERV will simply discard most of them, but a few will still get to you.
It may make sense to put some sort of disclaimer in your list's welcome message spelling out what is inappropriate use of your mailing list. (If you wish to include a disclaimer or licensing agreement that you wish to have legal force, it is recommend that you consult a lawyer before doing so.) This information may also be put in a top or bottom banner on all list messages although subscribers may find that repetition annoying.
The LSTOWN-L mailing list is a discussion mailing list for list owners of LISTSERV-based mailing lists. It is a good resource for all kinds of information, including the issues discussed above. If you wish to subscribe to LSTOWN-L, send a message to email@example.com. The list message archives (going back to 1992) are also an excellent resource, since many list owners have asked similar questions before: peach.ease.lsoft.com/scripts/wa.exe?A0=LSTOWN-L.