I think that there's an implicit level of trust that has to be honored in mailing list management. Even SASL-based SMTP authentication from ISPs isn't going to prevent throw-away accounts from being used. Until we can get a fingerprint or cornea scan (or even a driver's license) with each mailing list subscription and compare it against a master database (which I'm not advocating), you can't be 100% sure of the users.
For now I'd say that the best method is a social one; require references when people want to subscribe to your list. Ask them which lists they participate on, an example post from another list, etc. But ultimately it becomes a judgement call by the listowner either way.
I think Chris is right on target here. Judgement and non-automated checks are one good way of reducing the number of spammers.
For one list, I depend on the person telling me something or asking me something about topic. It all I get in a join request, I write back asking them if they really wanted to join the list and "BTW: which version of XXX are you using?" or "What would you like to see improved in XXX?" or "In what ways are you using XXX?" or something like that. Yea, I suppose a spammer could go through the effort to learn about XXX to get on the list ... that would be a lot of special work just to target a small list.
by hand'' is important in order to use Judgement and non-automated checks''. Clearly this does not work
for huge lists or where the list owner is too busy to process each
and every request. An alternative to perform a ``credit check'' first:
*) Is the request from a recently created domain?
*) Did the DNS lookup of the IP address of the sender match the envelope?
*) Did the request come from an area flagged by the RBL, DUL, RSS or
*) Did the request come from a known spam haven or place from which
you had problem before?
None of these checks are perfect, but that is OK. The false negatives
of things like the RSS are not a problem either. Anything that can pass
all of the credit checks gets processed automatically. Anything else you
by hand'' using Judgement and non-automated checks''.
Prevention helps. Avoid placing your list or list-request address on the web (or on Usenet) in text form. Put your instructions / list information as text in the form of a jpg. So far spammers are not scanning jpg images for text and groking them ... I hope!
Do not use a single EMail address for the list. Make use of sub-domains. For example instead of:
Jrandom-text' is different for each and every list member. Here Jrandom-text' is could be random collection of chars
produced by your friendly neighborhood Lavarand server. :-)
Perform automated in-bound checks on EMail going into 'Jrandom-text.XXX.m.foo.org'. Use the 'credit checks' listed above. Look for the EMail being relayed thru the subscription address. Look for procmail-like spam triggers.
If the message passes the sanity check, allow it to go thru the system in an automated fashion. If a flag is raised, process it by hand.
When EMail it sent out to the list, send it out with each message being from XXX-list@Jrandom-text.XXX.m.foo.org style addresses.
All list users know (or care) is that they have / use / receive EMail from a single address. They need not know / or care that the single address is different from person to person.
Another advantage to the ``non-single EMail address for the list'' is that if an address becomes a problem, you can turn it off without impacting the entire list.
Say the user who is assigned 'XXX-list@table.XXX.m.foo.org' gets hit by a virus that spams their address book. Say this virus is able to duck under the ``credit checks''. Say despite all of your efforts the spam goes onto the list. Well you:
*) disable 'XXX-list@atlbe.XXX.m.foo.org'
*) apologize to the XXX-list
Later on if the member cleans up their mess, allow them to re-join by assigning them a new address: 'XXX-list@lztyg.XXX.m.foo.org'.
If people object to Jrandom-text, one can always use a randomly selected word-number combination.
chongo <> /\oo/\
[lotso spam avoidance discussion]
Folks, I am not a Mailman developer, I use it to host the mailing lists for musictogether.com and like it a lot. But I have an idea/question.
Is it possible to put a list into a mode where it is partially moderated and partially unmoderated? Where moderated applies not only to posting but to all other operations as well, such as querying the list members.
If you could, I think this would fix the spammer problem somewhat. Here's how.
Suppose you set up a new list, when people subscribe, they are automatically in the moderated category. They do their first post, the moderater looks at it, it's either obviously OK or not. If it is OK, the moderater OK's it and switches the user from moderated to unmoderated status.
This puts some amount of work onto the list owner, but the amount of work quickly dies down, and in fact, I think it is probably less work than other approaches.
Can mailman do this? If not, could it? Would it be a good idea?
Larry McVoy lm at bitmover.com http://www.bitmover.com/lm