On Mon, May 14, 2001 at 08:32:17PM -0700, Chuq Von Rospach wrote:
Looking at it now, it's surprising that this hasn't happened sooner: SF's mailman was abused with someone creating a bogus project with a mailing list which was then used to subscribe about 10,000 people and then spam them into oblivion.
It was going to happen sooner or later if you have people allowed to create stuff without adult supervision.
Turns out that it actually was a misguided user with a real project who apparently thought a lot of people should know about it. The problem remains though.
BTW, there is adult supervision, SF does check and approve projects one by one, but there isn't much you can do about people who lie and set up a phony project that looks real.
- Have a config.db entry: allow web subscribes, that can only be changed by the mailman owner (i.e. master password, not list password)
This is one of the basic realities -- either disabling or limiting the size of web imports until someone has been 'cleared' as a trusted admin. That would mean some form of vetting procedure, which means a human body in place to make sure things are legit. Until that happens, web-loads are limited to small values (because, honestly, you don't want to bother with small groups -- at worst, the damage is minimal, and most likely, someone loading in 100 addresses isn't spamming, the larger the number, the less likely it's legit).
Agreed.
Note that it introduces the concept of an uber user who gets those admin check Emails and other things to confirm instead of the list admin.
My idea is that permission is done on a per-admin basis. Once you've vetted a guy on one list, you don't want to have to manually re-vet them on their next list, and the next, and...
That could work for some, but doesn't help that much with a determined spammer who lies to get this access and then does the bad deed. That said, it'd still be a lot better than what we have now.
I guess the best would be to have a config option that says what the max number of people who can be added through the web is (0 being a possibility)
Having oversized adds go to a site admin for confirmation instead of just failing would be an added bonus.
Marc
Microsoft is to operating systems & security .... .... what McDonalds is to gourmet cooking
Home page: http://marc.merlins.org/ | Finger marc_f@merlins.org for PGP key
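The policy sketched in this exchange (a site-wide cap on web mass-subscribes, 0 disabling them outright, oversized imports held for the site admin rather than silently failing, and per-admin vetting that exempts trusted admins) fits in a small decision function. The block below is an added illustration written for this thread, not Mailman's code; `SitePolicy`, `evaluate_mass_subscribe` and `confirm_held` are hypothetical names, and the addresses and admin names are constructed sample data. It counts unique, normalized addresses so that duplicates and case variations neither inflate nor hide the real size of an import.

```python
"""Gate for web-based mass subscription requests (illustration, not Mailman code)."""
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"                     # import proceeds
    HOLD_FOR_SITE_ADMIN = "hold"        # oversized: queued for the site admin
    REJECT = "reject"                   # web subscribes disabled site-wide


@dataclass
class SitePolicy:
    # Hypothetical site-wide setting, changeable only with the site password.
    # 0 disables web subscribes entirely, as proposed in the thread.
    max_web_subscribes: int = 100
    # Admins the site owner has already vetted; they are exempt from the cap
    # on every list they run, so they are not re-vetted per list.
    vetted_admins: set = field(default_factory=set)
    # Oversized requests waiting for the site admin's confirmation.
    held: list = field(default_factory=list)


def normalize_addresses(addresses):
    """Return the distinct, lower-cased, whitespace-stripped addresses."""
    return {a.strip().lower() for a in addresses if a.strip()}


def evaluate_mass_subscribe(policy, admin, addresses):
    """Decide what happens to a web mass-subscribe of `addresses` by `admin`."""
    unique = normalize_addresses(addresses)
    if policy.max_web_subscribes == 0:
        # Site owner has switched web imports off for everyone.
        return Decision.REJECT
    if admin in policy.vetted_admins:
        return Decision.ALLOW
    if len(unique) <= policy.max_web_subscribes:
        # Small imports are low-damage and almost always legitimate.
        return Decision.ALLOW
    # Large import from an unvetted admin: hold it instead of just failing,
    # so a human can look at it and either confirm or discard.
    policy.held.append((admin, sorted(unique)))
    return Decision.HOLD_FOR_SITE_ADMIN


def confirm_held(policy, admin, vet_admin=False):
    """Site admin releases the held imports of `admin`; optionally vets them."""
    released = [addrs for who, addrs in policy.held if who == admin]
    policy.held = [(who, addrs) for who, addrs in policy.held if who != admin]
    if vet_admin:
        policy.vetted_admins.add(admin)
    return released


if __name__ == "__main__":
    # Constructed sample data.
    policy = SitePolicy(max_web_subscribes=3)
    small = ["a@example.org", "b@example.org", "A@example.org "]  # 2 unique
    large = [f"user{i}@example.org" for i in range(10)]
    print(evaluate_mass_subscribe(policy, "listadmin", small))   # ALLOW
    print(evaluate_mass_subscribe(policy, "listadmin", large))   # HOLD_FOR_SITE_ADMIN
    print(len(confirm_held(policy, "listadmin", vet_admin=True)[0]))  # 10
    print(evaluate_mass_subscribe(policy, "listadmin", large))   # ALLOW (now vetted)
```

Holding rather than failing gives the site admin the signal the thread asks for (who tried to load how many addresses), and vetting on confirmation means the second list the same admin runs does not need the manual step again.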