On Wed, Feb 20, 2002 at 10:15:33AM -0800, Chuq Von Rospach wrote:
On 2/20/02 9:31 AM, "Jay R. Ashworth" email@example.com wrote:
But I still think it's important to keep firmly uppermost in our minds here that the spam is not *caused* by the mailing list.
Nor is it caused by Google
It's *caused* by the spammers.
And burglary is not caused by my owning nice things, either. It's caused by burglars. But that's no excuse to not put locks on the doors.
A mailing list -- a publically accessible mailing list -- isn't your house. It's the city library. Those are typically not locked up as tightly your house, during the day.
I realize that we have practical considerations to deal with which are much closer to our feet, but I think that it's quite important that we don't lose sight of the forest for the trees.
See, here's our disagreement here. You're saying "put the damn burglars in jail already!" and I'm saying "I agree, but until that's done, I still think I'm installing that deadbolt on the front door".
You're right, Jay, but does being right matter? Unless you know how to stop the spammers, it's a pyhrric victory -- because it does nothing to protect yourself from the spammers.
*I* protect *myself* from the spammers, actually, thank you very much.
Perhaps that sounds elitist. So be it.
Even with a good deadbolt, burglaries still happen. Is that an excuse not to put the deadbolt on in the first place? No.
Well, again: would you deadbolt the public library?
I personally can't think of any method of programmatically obscuring email addresses that can't be programmatically reversed.
Have you seen what slashdot is doing? I think it has promise, because while it's still reversible programmatically, it makes it much more difficult to do. Will they still get harvested? Most likely. But not nearly as quickly as most other sites, and it's going to make the spambots crazy trying to eat each page looking to figure out if it knows which obfuscation to de-obfuscate.
Actually, no, I haven't bothered with /. in some time... I'll take a look.
[ looks ]
Hmmm... there are a couple of ways that you *don't* want to despam an adress; hope they didn't hit any of them.
But I've been thinking about this, and I want to throw a couple of ideas out. I'm speaking just of the admin-access issue, not archives.
Admin-access has three components to it, all in conflict.
The list admin needs to be accessible to everyone, not just subscribers.
the list admin shouldn't be an open target to spam.
Someone has to be accessible for problem reports even if the Mailman
system is malfunctioning.
That third point is a bit of a shift. I've come to the thought (and we can argue it) that LIST admins don't need to be accessible if MAILMAN fails. The MAILMAN admin does. And I think the chances are good that the MAILMAN admin is more likely than not also the person who gets abuse@, root@, postmaster@, so the SITE admin mailbox is already wide open to all these idiots. Making it wide open to mailman spam simply isn't significant.
I don't need to argue it; I concur: if the server falls over, the server admin is the target. And yeah, they should be wearing armor already.
That, basically, allows us to stuff mailtos somewhere pointing to an address you can mail to to report site failures. I'll even go farther and say that address can simply be on a web page, not linked to a Mailto, and if you really, reallly want, obscure it further as a JPG or something. But I think that's all overkill, given that spammers now automatically spam root/postmaster/etc on domains anyway.
That takes care of the "access in case of failure" mode, mostly by, frankly, simply annointing ONE person (the site admin) as "it" for open access. Not great, but it's sure better than making all admins deal with it.
No problem there.
That then allows us to deal with (1) and (2). Which means we can now put admin access behind some kind of web interface. And - we already have 80% of that, in the current admin interface.
So I recommend this:
You no longer advertise admin's real addresses. Instead, you advertise a feedback that sends messages to the admin, to discourage mailing directly. A year ago, I probably would have insisted on SOME kind of email contact point, but frankly -- the percentage of users who can't use a web page is pretty much zero now.
This is, alas, a different topic.
When I send a complaint to someone about something, *I want a copy of that message in my outbox*. I *hate* mail forms. With an unbridled, flaming passion. They usually don't spell check; they don't get my sig file, etc, etc, ad nauseum.
I can at least tolerate it, if you'll carbon me a copy, but it's still suboptimal.
And since 2.1 has better filtering capabilities, we get those filtering capabilities for free on incoming admin email. And this stuff isn't thrown in an admin's mailbox -- it's dealt with as part of the normal admin list functions, reducing the interruption/hassle factor. And the admin addresses won't end up in spammer databases, because they no longer exist.
Now *that* part, I like.
Thoughts? It's not perfect, but now only one guy is "it", and the admins are accessible but protected -- and can better separate their list-admin "me" from their real "me" on top of it. And the site admin is more likely IMHO to be capable of managing their mailbox from spam than forcing all list admins to learn how to do that...
Personally, I'm a little tired of "But I'm too lazy" (to learn how to set up spam filters) being an acceptable excuse. If you can't find someone to run your list with a clue, then maybe you shouldn't have a list.
But that's why *I'm* not the Mailman product line manager. :-)
Jay R. Ashworth firstname.lastname@example.org Member of the Technical Staff Baylink RFC 2100 The Suncoast Freenet The Things I Think Tampa Bay, Florida http://baylink.pitas.com +1 727 647 1274
"If you don't have a dream; how're you gonna have a dream come true?" -- Captain Sensible, The Damned (from South Pacific's "Happy Talk")