By default, Mailman — which is installed by default in Virtualmin as your mailing list manager, exhibits some nasty behavior, being open to sending “backscatter” spam. This means that the Bad Guys send fraudulent messages “from” the email address they actually want to send spam to; Mailman rejects those messages, basically sending a bounce message to the victim.
The mechanism the spammers use is left over from the days before web interfaces. Nowadays, your subscribers interact with Mailman almost exclusively via its HTTP interface. Other than actual postings from subscribed members, and messages to the list owner, there is little or no reason to keep the vestigial email aliases.
To disable the vulnerable aliases:
With Virtualmin, go into the Webmin interface, under Servers; Postfix Mail Server; and click on the Aliases icon. You should see, for example, defined among the email addresses:
yourlist-example.com Program /usr/lib/mailman/mail/mailman post yourlist yourlist-admin-example.com Program /usr/lib/mailman/mail/mailman admin yourlist yourlist-bounces-example.com Program /usr/lib/mailman/mail/mailman bounces yourlist yourlist-confirm-example.com Program /usr/lib/mailman/mail/mailman confirm yourlist yourlist-join-example.com Program /usr/lib/mailman/mail/mailman join yourlist yourlist-leave-example.com Program /usr/lib/mailman/mail/mailman leave yourlist yourlist-owner-example.com Program /usr/lib/mailman/mail/mailman owner yourlist yourlist-request-example.com Program /usr/lib/mailman/mail/mailman request yourlist yourlist-subscribe-example.com Program /usr/lib/mailman/mail/mailman subscribe yourlist yourlist-unsubscribe-example.com Program /usr/lib/mailman/mail/mailman unsubscribe yourlist
for “yourlist@example.com” … I recommend you disable these aliases shown in bold above:
-admin-, -confirm-, -join-, -leave-, -request-, -subscribe-, -unsubscribe-.
You will want to do this for each mailing list on your system.