Preventing mailing list spam

Again and again, I am seeing spam show up on mailing lists I am on, even on "technical" ones where I expect better. If you run a mailing list using Mailman, there are some simple steps you can take to limit the spam that all your members receive. (They also apply to non-Mailman lists, of course, but I cannot offer explicit directions for those.)

  1. Member posting only. Simply put, do not allow people who are not subscribed to the list to automatically post to it. This is done in the Mailman web interface under the Privacy Options category by setting the "Restrict posting privilege to list members?" question to "Yes." This makes life harder for the list admin, who must now manually approve or reject each non-member post, but it lightens the burden on the users. This is the single most effective thing you can do to reduce spam on a mailing list. Note: members who still want to post with non-subscribed email addresses can always subscribe and set their subscription to "no mail."
  2. Limit message size. These days, the above is not enough, as worms and viruses are capable of spoofing the "From" email address, and sending copies of the worm to mailing lists. Setting a reasonable upper limit on the size of messages will catch most of the worms and leave most of the messages intact. In the Mailman interface, go to the General Options category, and set the size where it asks "Maximum length in Kb of a message body". Setting this to 15 will exclude every worm I've ever seen. I usually keep this around 20, but it depends on the nature of your list (see number three below). The latest worm as I write this is about 29K in size, so I would not set this any higher than 25. Remember that members can still send files larger than this limit to the list, but they will have to wait for manual approval by a list admin. A small price to pay for not sending worms to everyone on the list. It also encourages people to keep their messages small, which is a good thing.
  3. No HTML email. Probably the hardest pill for some people to swallow. However, it works great in conjunction with the above. Some email clients send messages in two parts: one text only, and one text/html. This is completely unnecessary for email, and is especially bad for mailing lists. Most of the large non-worm messages on the mailing list will be text/html messages. Almost all spam is text/html as well. You can add this restriction in the Mailman interface by going to the Privacy Options category, and adding the string "text/html" to the section entitled "Hold posts with header value matching a specified regexp". I've even configured Mailman to respond to this event by sending back a URL that explains how to configure email clients to send text-only emails. Expect a few complaints if you implement this one, depending on the nature of your list. Most people will be appreciative, however, especially if you explain that it is being done in the name of reducing spam and viruses.
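
The three hold rules above, modelled as an added Python example (not Mailman's own code or part of the original article) so you can see which rule catches which kind of post. The function and sample names are hypothetical, the messages are constructed, and two choices are assumptions: size is counted as the bytes after the header block, and any text/html MIME part triggers the HTML rule, which may be stricter than a regexp on the top-level header.

```python
from email import message_from_bytes
from email.utils import parseaddr

MEMBERS = {"alice@example.org"}  # constructed subscriber list
MAX_BODY_KB = 20                 # the limit the article usually keeps

def hold_reasons(raw, members=MEMBERS, max_kb=MAX_BODY_KB):
    """Return the reasons a post would be held for moderator approval."""
    msg = message_from_bytes(raw)
    reasons = []
    # Step 1: member posting only. The From header is trivially forged,
    # which is why steps 2 and 3 are still needed.
    sender = parseaddr(msg.get("From", ""))[1].lower()
    if sender not in members:
        reasons.append("non-member")
    # Step 2: size limit. Assumption: size is the byte count after the headers.
    body = raw.split(b"\n\n", 1)[1] if b"\n\n" in raw else b""
    if len(body) > max_kb * 1024:
        reasons.append("too-big")
    # Step 3: hold HTML. Assumption: any text/html MIME part counts.
    if any(part.get_content_type() == "text/html" for part in msg.walk()):
        reasons.append("html")
    return reasons

def make_post(sender, body, ctype="text/plain"):
    """Build a constructed single-part message for the samples below."""
    head = f"From: {sender}\nSubject: test\nContent-Type: {ctype}\n\n"
    return head.encode() + body

# Constructed samples.
PLAIN = make_post("Alice <alice@example.org>", b"Short text reply.\n")
OUTSIDER = make_post("stranger@example.net", b"Hello list.\n")
# Forged member address carrying 29K of filler, the size the article cites.
FORGED_LARGE = make_post("alice@example.org", b"A" * (29 * 1024),
                         "application/octet-stream")
HTML_ALT = (b"From: alice@example.org\n"
            b'Content-Type: multipart/alternative; boundary="b"\n\n'
            b"--b\nContent-Type: text/plain\n\nhi\n"
            b"--b\nContent-Type: text/html\n\n<p>hi</p>\n--b--\n")

if __name__ == "__main__":
    for name in ("PLAIN", "OUTSIDER", "FORGED_LARGE", "HTML_ALT"):
        print(name, hold_reasons(globals()[name]) or "accepted")
```

Raising `max_kb` to 30 lets the forged 29K post through untouched, which is the reason for keeping the limit at 25 or below.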

That's all. Those three simple steps will keep almost all spam out of your mailing lists. Feedback welcome: greg at turnstep dot com.