On 2/18/02 12:59 PM, "Daniel J. Cody" djc@members.evolt.org wrote:
Speaking of tradeoffs, it's my opinion that hiding archives behind a password protection scheme for fear that the administrator, who probably deals with oodles of email anyways and is probably the *most* experienced person in regards to email filtering etc, is a poor one.
whew.
The archives for a list I run happen to get around 100K referers from google a month, and again IMO, blocking those people out just because I'm getting 5 spams a month doesn't seem like the best idea.
You misread the intent here, probably because I was unclear.
You protect the archives because otherwise, your subscribers will be harvested. If your archives are in google, you're handing all of your subscribers to the spammers. You might as well burn them a CD.
To me, that's not remotely an option. If your archives are google-searchable, you're being harvested, and your users, if they ever figure it out, will thank you. Probably with a pitchfork.
Users of a mail list have a right to be protected from spam caused by your mail list. If you don't protect the archives from harvesting, frankly, you might as well stop rejecting spam sent directly to the list as well. And you know how well your users would take THAT decision.
We can argue the philosophy of archives in search engines -- but I consider stuffing email addresses in search engines to be a fatal error. You'll never convince me that's okay. And I've never convinced myself that castrating email out of an archive and then publishing the archive is worth the work and hassle. Your mileage on that latter probably varies.
Protecting admin addresses from spam is a second, separate issue. An admin has a responsibility to be accessible to the outside public to answer questions and deal with problems. And because, if the pages DO break, one would hope the admin would like to know that so it can be fixed.
So you can't hide an admin -- but I think you also have a responsibility to protect that admin as much as you can, because it's already enough fun for the admin to run a list that adding "oh, yeah. Eat all this spam" on top doesn't seem to add many gold stars to the job description. So you have to look for ways to not make it easy for spammers, while not making it hard for real users.
Thanks. I'll go take a look. I'm always looking for better mousetraps.
But I'm curious whether your setup would catch and protect users from this: Last Friday, I got an emergency call from my assistant (I was at home, watching curling on CBC. Um, well, I was working from home). Our Mailman box at work was thrashed and shutting down.
I logged in and looked, and found that the web site was being whacked -- a robot of some sort was pulling down 40 pages in parallel, all at once. Definitely not a well-behaved beast.
When I went looking in the logs to see whether it was a system problem, an attack, or merely some clueless idiot interrupting my day, I found that while it was clearly an automated spider of some sort doing the page grabs, its user-agent promoted itself as a nice, generic IE on Microsoft Windows user. In other words, if you are assuming the harvesters aren't obfuscating the user-agent, I found out the hard way last week that's not true.
I'm still waiting to see if that guy comes back. I'm curious. And, now, watching...
I haven't seen a bot-catcher that I think reliably stops a bot that is actively trying to hide from me. Which means the GOOD spammers are going to fall under the radar, and you get this false sense of security, because of all of the stuff you Are stopping... Until I do find one, I'll use a password and some kind of authentication, and work my butt off to not let the data get out of my hands if there are email addresses in it (I just modified my T&C to explicitly deny people setting up public, third party archives without our approval of the archive, specifically so we have teeth to force them to protect their archives at least as much as we protect ours.) It makes no sense putting a second deadbolt on the front door if you never lock the back. Letting your archives into google, IMHO, is putting the silver on the front porch so they can take it easier...
As an aside, how many that run 'larger' lists get a lot of spam? Using the same email address for list-admin going on 3 years now, I can probably count on my fingers and toes how many spams I've gotten to that address.
Oh, gee. You can have some of mine. You don't want to know. On my home/small server, a couple of the mail lists average 10-15 pieces a day, to it and to the admin. Right now, it's gone from making it bigger and increasing the volume to making it taste sweet.. Sigh.
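The incident described in the message above (a spider pulling many archive pages at once while presenting a generic IE user-agent) shows up in request rate per client, not in the user-agent string. The following is an added example, not part of the original message or of Mailman: it scans Apache combined-format log lines and flags clients by burst rate. The log lines, addresses, `/pipermail/demo/` paths, window and threshold are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache combined log format: host, ident, user, [time], "request", status, size, "referer", "agent"
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
IE_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"  # constructed sample value

def sample_log():
    """Constructed sample: one client bursts 40 archive fetches in a second, one browses."""
    fmt = ('{ip} - - [15/Feb/2002:14:{m:02d}:{s:02d} -0800] '
           '"GET /pipermail/demo/{n}.html HTTP/1.0" 200 5120 "-" "{ua}"')
    burst = [fmt.format(ip="192.0.2.10", m=3, s=7, n=i, ua=IE_UA) for i in range(40)]
    human = [fmt.format(ip="198.51.100.7", m=3 + i, s=10, n=i, ua=IE_UA) for i in range(3)]
    return burst + human

def peak_rates(lines, window=timedelta(seconds=1)):
    """Return {ip: (peak request count inside any sliding window, user-agents seen)}."""
    recent = defaultdict(deque)   # per-client timestamps still inside the window
    peak = defaultdict(int)
    agents = defaultdict(set)
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue              # skip lines that are not in combined format
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] >= window:
            q.popleft()           # drop requests older than the window
        peak[m["ip"]] = max(peak[m["ip"]], len(q))
        agents[m["ip"]].add(m["ua"])
    return {ip: (peak[ip], agents[ip]) for ip in peak}

def flag_spiders(lines, threshold=20, window=timedelta(seconds=1)):
    """Clients whose burst rate reaches the threshold, whatever user-agent they claim."""
    rates = peak_rates(lines, window)
    return sorted(ip for ip, (n, _) in rates.items() if n >= threshold)

if __name__ == "__main__":
    print(flag_spiders(sample_log()))
```

Both sample clients send the same user-agent, so only the burst count separates them; a harvester that paces its requests would not be flagged by this check.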