Kyriakos Terzopoulos writes:
> Here is what I'm getting from spam evaluation:
> *0.3 FROM_LOCAL_HEX From: localpart has long hexadecimal sequence*
This spam checker is probably misconfigured, unless users are actually being targeted with backscatter from list confirmation notices. It should recognize the last instance of '-' or '+' as dividing the "true" mailbox from a user-specified tag. This is a common method for implementing a secure identification of the source of an address.
In this case, it allows Mailman to identify which subscription request is being confirmed, and proves that the confirmation request was sent by Mailman itself.
> My guess is that the From address is very large, for example:
> mylist-confirm+3eafa5bd24e52738c900e2e3fd05e366b7ea7580@myproject.eu
> Is there any way to mitigate this problem?
Not really. It is not perfect, but this is by far the most effective way to prevent people from maliciously signing others up to mailing lists, unless you have an alternative source of verified email addresses (such as the organization's LDAP member database).
Steve
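
The confirmation scheme described in this reply, as an added example that is not part of the original message and is not Mailman's own code: a random one-time token is placed after the last '+' of the confirm address, and a reply is accepted only if that token matches a pending request. The class name, the in-memory store, the three-day lifetime and the `lists.example.org` domain used in testing are assumptions made for illustration.

```python
import secrets
import time

PENDING_TTL = 3 * 24 * 3600  # assumed lifetime of a pending request, in seconds


class PendingConfirmations:
    """Hypothetical in-memory store of one-time subscription confirmation tokens."""

    def __init__(self):
        self._pending = {}  # token -> (list_name, subscriber, expiry)

    def issue(self, list_name, subscriber, domain, now=None):
        """Record a request and return the address the confirmation is sent from."""
        now = time.time() if now is None else now
        token = secrets.token_hex(20)  # 160 random bits, 40 hex characters
        self._pending[token] = (list_name, subscriber, now + PENDING_TTL)
        return f"{list_name}-confirm+{token}@{domain}"

    def confirm(self, recipient, now=None):
        """Return (list_name, subscriber) for a valid reply address, else None."""
        now = time.time() if now is None else now
        local, _, _domain = recipient.rpartition("@")
        # The last '+' divides the true mailbox from the tag.
        mailbox, sep, tag = local.rpartition("+")
        if not sep:
            return None
        entry = self._pending.get(tag.lower())
        if entry is None:
            return None  # unknown token: the request was not issued by this store
        list_name, subscriber, expiry = entry
        if mailbox != f"{list_name}-confirm":
            return None  # token was issued for a different list
        del self._pending[tag.lower()]  # single use, also drops expired entries
        if now > expiry:
            return None
        return list_name, subscriber
```

Only someone who received the message at the subscriber's mailbox knows the token, which is what ties the confirmation to both the request and the list server that sent it.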