Controlling backscatter spam in Mailman

By default, Mailman, which Virtualmin installs as its mailing list manager, exhibits some nasty behavior: it is open to sending “backscatter” spam. The Bad Guys send fraudulent messages “from” the email address they actually want to spam; Mailman rejects those messages and, in doing so, sends a bounce to the forged sender address, which is the victim's.

The mechanism the spammers use is left over from the days before web interfaces.  Nowadays, your subscribers interact with Mailman almost exclusively via its HTTP interface.  Other than actual postings from subscribed members, and messages to the list owner, there is little or no reason to keep the vestigial email aliases.

To disable the vulnerable aliases:

With Virtualmin, go into the Webmin interface, open Servers, then Postfix Mail Server, and click on the Aliases icon. Among the defined email addresses you should see entries like these:

Address                           Destination
yourlist-example.com              Program /usr/lib/mailman/mail/mailman post yourlist
yourlist-admin-example.com        Program /usr/lib/mailman/mail/mailman admin yourlist
yourlist-bounces-example.com      Program /usr/lib/mailman/mail/mailman bounces yourlist
yourlist-confirm-example.com      Program /usr/lib/mailman/mail/mailman confirm yourlist
yourlist-join-example.com         Program /usr/lib/mailman/mail/mailman join yourlist
yourlist-leave-example.com        Program /usr/lib/mailman/mail/mailman leave yourlist
yourlist-owner-example.com        Program /usr/lib/mailman/mail/mailman owner yourlist
yourlist-request-example.com      Program /usr/lib/mailman/mail/mailman request yourlist
yourlist-subscribe-example.com    Program /usr/lib/mailman/mail/mailman subscribe yourlist
yourlist-unsubscribe-example.com  Program /usr/lib/mailman/mail/mailman unsubscribe yourlist

These are the aliases for “yourlist@example.com”. I recommend disabling the aliases for the following commands, leaving post, bounces and owner in place:

-admin-, -confirm-, -join-, -leave-, -request-, -subscribe-, -unsubscribe-.

You will want to do this for each mailing list on your system.
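As an added example (not part of the original post), the same check from the command line: a small POSIX shell script that lists which of the vestigial aliases are still enabled in an /etc/aliases-style file and writes a copy with them commented out. It assumes the pipe-style alias lines that Mailman's newlist prints and Virtualmin's list-domain alias names as in the listing above; the sample aliases file is constructed.

```shell
# Added example, not from the original post: audit an /etc/aliases-style file
# for the vestigial Mailman command aliases the post recommends disabling, and
# write a copy with those lines commented out. Assumes the pipe form that
# Mailman's newlist prints:  name: "|/usr/lib/mailman/mail/mailman <cmd> <list>"
# with Virtualmin's "<list>-<domain>" alias names, as in the listing above.

# Commands the post says to disable; post, bounces and owner are kept.
VESTIGIAL='admin|confirm|join|leave|request|subscribe|unsubscribe'
MATCH="mailman/mail/mailman[[:space:]]+($VESTIGIAL)[[:space:]]"

# Print "alias command list" for each still-enabled vestigial alias in file $1.
find_vestigial_aliases() {
    grep -v '^[[:space:]]*#' "$1" | grep -E "$MATCH" \
    | sed -E 's/^([^:]+):.*mailman[[:space:]]+([a-z]+)[[:space:]]+([^" ]+).*/\1 \2 \3/'
}

# Number of still-enabled vestigial aliases in file $1.
count_vestigial_aliases() {
    find_vestigial_aliases "$1" | wc -l | tr -d ' '
}

# Copy $1 to $2 with every enabled vestigial alias commented out (lines that
# are already comments are left alone). On a real host, run newaliases afterwards.
comment_out_vestigial_aliases() {
    sed -E '/^[[:space:]]*#/! s,^(.*'"$MATCH"'),# backscatter: \1,' "$1" > "$2"
}

# Constructed sample, not a real host: one list with all ten aliases, the
# -leave- alias already disabled by hand.
SAMPLE=$(mktemp); AUDITED=$(mktemp)
cat > "$SAMPLE" <<'EOF'
yourlist-example.com:             "|/usr/lib/mailman/mail/mailman post yourlist"
yourlist-admin-example.com:       "|/usr/lib/mailman/mail/mailman admin yourlist"
yourlist-bounces-example.com:     "|/usr/lib/mailman/mail/mailman bounces yourlist"
yourlist-confirm-example.com:     "|/usr/lib/mailman/mail/mailman confirm yourlist"
yourlist-join-example.com:        "|/usr/lib/mailman/mail/mailman join yourlist"
# yourlist-leave-example.com:     "|/usr/lib/mailman/mail/mailman leave yourlist"
yourlist-owner-example.com:       "|/usr/lib/mailman/mail/mailman owner yourlist"
yourlist-request-example.com:     "|/usr/lib/mailman/mail/mailman request yourlist"
yourlist-subscribe-example.com:   "|/usr/lib/mailman/mail/mailman subscribe yourlist"
yourlist-unsubscribe-example.com: "|/usr/lib/mailman/mail/mailman unsubscribe yourlist"
EOF
echo "Still-enabled vestigial aliases in $SAMPLE:"
find_vestigial_aliases "$SAMPLE"                 # prints 6 lines
comment_out_vestigial_aliases "$SAMPLE" "$AUDITED"
echo "Left after commenting out: $(count_vestigial_aliases "$AUDITED")"   # 0
```

Run it against a copy of /etc/aliases to see which lists still carry the email-command aliases; the commented-out copy only takes effect once it replaces the real file and newaliases has been run.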