I'm passing this along mostly as an FYI, but also as a sanity check. I sent this out to list-managers tonight, to bring up an issue that sort of crystallized this afternoon and made me realize that I think we have the beginnings of a problem in mail list land. Your thoughts are welcome.... If I'm right, well, oh, boy. If I'm wrong -- I'd love to find out my idea won't work, but I think it's not only possible, but fairly easy.
Hi Chuq,
Yes, this has definitely been troublesome. I've blocked many commercial sites like findmail.com (egroups) and remarq.com from my lists because of their secret archiving that displays email addresses to the public, but at least they don't spam the lists back. But of course anyone can browse these sites and get addresses to their heart's content, then forge MAIL FROM: to sneak mail into the lists.
I'm not sure what the right thing is to do. MLMs like sympa (http://listes.cru.fr/sympa/) are definitely moving in the right direction with S/MIME signatures/encryption and X.509 user certs, but that still doesn't stop someone from using throwaway certs to spam several lists or from harvesting addresses. The problem is that when these methods are used for authentication they just prove that the email address sending the stuff is who we think he or she is. But at least you can't forge the source email address to look like it's coming from a list member who is allowed to post (well, it's harder :)
I think that there's an implicit level of trust that has to be honored in mailing list management. Even SASL-based SMTP authentication from ISPs isn't going to prevent throw-away accounts from being used. Until we can get a fingerprint or cornea scan (or even a driver's license) with each mailing list subscription and compare it against a master database (which I'm not advocating), you can't be 100% sure of the users.
For now I'd say that the best method is a social one; require references when people want to subscribe to your list. Ask them which lists they participate on, an example post from another list, etc. But ultimately it becomes a judgement call by the listowner either way.
Just my humble opinion on the matter...
Chris
Christopher Lindsey, Senior System Engineer
National Center for Supercomputing Applications (NCSA)
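As an added illustration of the point made in the reply above (not code from the thread, from sympa, or from either author), the following constructed Python script contrasts a subscriber-only posting filter keyed on the From header, which a harvested address and a forged From defeat, with a check that binds the post to a key enrolled at subscription time. It assumes a made-up subscriber table and made-up messages, and it substitutes an HMAC over the body with a per-subscriber secret for the S/MIME signature that sympa verifies against an X.509 cert, so that it runs with the standard library alone. The last case shows the residual problem the reply describes: a spammer who subscribes a throwaway address with a valid key passes the stronger check too, because signatures prove the address, not the sender's intent.

```python
"""Constructed demo: From-header membership check (forgeable) versus a
signature check bound to a subscriber's enrolled key.

Assumptions (not from the thread): subscriber table and messages are made
up; an HMAC with a per-subscriber secret stands in for S/MIME signature
verification against an X.509 cert.
"""
import hashlib
import hmac
from email import message_from_string
from email.utils import parseaddr

# Constructed subscriber table: address -> posting key (stand-in for the
# subscriber's certificate enrolled at subscription time).
SUBSCRIBERS = {
    "alice@example.org": b"alice-secret-key",
    "throwaway123@example.net": b"throwaway-key",  # a spammer who subscribed
}


def sender_of(msg):
    """Bare address from the From header, lowercased."""
    return parseaddr(msg.get("From", ""))[1].lower()


def header_check(raw):
    """Naive policy: accept if the From header names a subscriber.
    Anyone who harvested the address from a public archive can pass this."""
    msg = message_from_string(raw)
    return sender_of(msg) in SUBSCRIBERS


def sign(body, key):
    """Stand-in for an S/MIME signature: HMAC-SHA256 over the body."""
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()


def signature_check(raw):
    """Stronger policy: accept only if the message carries a signature made
    with the key enrolled for the From address."""
    msg = message_from_string(raw)
    key = SUBSCRIBERS.get(sender_of(msg))
    if key is None:
        return False
    sig = msg.get("X-List-Signature", "")
    return hmac.compare_digest(sig, sign(msg.get_payload(), key))


def build(from_addr, body, key=None):
    """Construct a minimal message; sign it if a key is given."""
    headers = [f"From: {from_addr}", "To: list@example.org", "Subject: test"]
    if key is not None:
        headers.append("X-List-Signature: " + sign(body, key))
    return "\n".join(headers) + "\n\n" + body


# Legitimate post from an enrolled subscriber.
LEGIT = build("alice@example.org", "hi all", SUBSCRIBERS["alice@example.org"])
# Spammer harvested alice's address from an archive and forged From:.
FORGED = build("alice@example.org", "buy now")
# Same forgery, but signed with the spammer's own (unenrolled) key.
FORGED_SIGNED = build("alice@example.org", "buy now", b"attacker-key")
# Spammer subscribed a throwaway address with their own key: the signature
# proves the address, not that the poster is welcome.
THROWAWAY = build("throwaway123@example.net", "buy now",
                  SUBSCRIBERS["throwaway123@example.net"])


def run():
    """Return (header_check, signature_check) results for each case."""
    return {name: (header_check(m), signature_check(m)) for name, m in
            [("legit", LEGIT), ("forged", FORGED),
             ("forged_signed", FORGED_SIGNED), ("throwaway", THROWAWAY)]}


if __name__ == "__main__":
    for name, (hdr, sig) in run().items():
        print(f"{name:14s} header_check={hdr!s:5s} signature_check={sig}")
```

Running it shows the forged post accepted by the header check and rejected by the signature check, while the subscribed throwaway address is accepted by both, which is exactly the gap the reply says no authentication scheme closes on its own.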