On 31/08/12 04:15, Daniel Friesen wrote:
This brings up the question.
Why does
wikimedia.org not have a SPF record?
We should be rejecting
wikimedia.org emails that we know do not come
from Wikimedia.
In May, Jeff Green proposed deploying it with "softfail", but it
wasn't ever actually done. Nobody wanted to use a "fail" qualifier,
due to the risk of legitimate mail not being delivered. So even if he
had deployed it, it probably wouldn't have helped in this case.
Mailman's security weaknesses are inherent to the protocol it uses,
there's no way to repair it. The scam email could have been sent with
a "From" header copied from anyone who has posted to the list
recently. In the unlikely event that SPF fail was used for that sender
and the receiver respected it, the scammer could have just picked
again. We should use a web interface for posting to groups, web
interfaces can be password protected without breaking 99% of clients.
I removed board(a)wikimedia.org from the list of email addresses
that are allowed to post to the list without being subscribed.
-- Tim Starling