On 31/08/12 04:15, Daniel Friesen wrote:
This brings up the question. Why does wikimedia.org not have a SPF record?
We should be rejecting wikimedia.org emails that we know do not come from Wikimedia.
In May, Jeff Green proposed deploying it with "softfail", but it wasn't ever actually done. Nobody wanted to use a "fail" qualifier, due to the risk of legitimate mail not being delivered. So even if he had deployed it, it probably wouldn't have helped in this case.
Mailman's security weaknesses are inherent to the protocol it uses, there's no way to repair it. The scam email could have been sent with a "From" header copied from anyone who has posted to the list recently. In the unlikely event that SPF fail was used for that sender and the receiver respected it, the scammer could have just picked again. We should use a web interface for posting to groups, web interfaces can be password protected without breaking 99% of clients.
I removed board@wikimedia.org from the list of email addresses that are allowed to post to the list without being subscribed.
-- Tim Starling