Non-member post confirmation

Hi!
Lately I've been getting a lot of spam to many of the lists that I administer.
While reading an article about spam-prevention it hit me that one way to easily cut down on spam on an open list, would be to have mailman send out a confirmation message for non-member posts. If the sender confirms then, address gets added to the accept_these_nonmembers, if not the message gets dropped after some time and the address perhaps added to discard_these_nonmembers.
I think there should perhaps be a way to tell mailman that the From: address was forged, so forget the whole deal...
cheers, madsen

On Thu, Aug 21, 2003 at 05:39:19PM +0300, Madsen Wikholm wrote:
> While reading an article about spam-prevention it hit me that one way to easily cut down on spam on an open list, would be to have mailman send out a confirmation message for non-member posts. If the sender confirms then, address gets added to the accept_these_nonmembers, if not the message gets dropped after some time and the address perhaps added to discard_these_nonmembers.
That'd be handy. I wouldn't mind seeing a patch for that, or helping if necessary (though I should be careful about volunteering time since I'm starting a new job in September and haven't a clue how much time I'll have... there's still documentation I want to write.)
On a related note -- have other people been having trouble with challenge-response using subscribers on their lists? Linuxchix has had some "Dear grrltalk-bounces" messages which are kinda annoying. We can't really take the time to jump through those hoops and read every uncaught bounce, so we've just asked people to whitelist us themselves.
Terri

Sounds a lot like ASK (Active Spam Killer)
On Thu, Aug 21, 2003 at 05:39:19PM +0300, Madsen Wikholm wrote:
> Hi!
> Lately I've been getting a lot of spam to many of the lists that I administer.
> While reading an article about spam-prevention it hit me that one way to easily cut down on spam on an open list, would be to have mailman send out a confirmation message for non-member posts. If the sender confirms then, address gets added to the accept_these_nonmembers, if not the message gets dropped after some time and the address perhaps added to discard_these_nonmembers.
> I think there should perhaps be a way to tell mailman that the From: address was forged, so forget the whole deal...
> cheers, madsen
> Mailman-Developers mailing list Mailman-Developers@python.org http://mail.python.org/mailman/listinfo/mailman-developers
-- Robert Millan
"[..] but the delight and pride of Aule is in the deed of making, and in the thing made, and neither in possession nor in his own mastery; wherefore he gives and hoards not, and is free from care, passing ever on to some new work."
-- J.R.R.T, Ainulindale (Silmarillion)

On Thu, 2003-08-21 at 10:39, Madsen Wikholm wrote:
> While reading an article about spam-prevention it hit me that one way to easily cut down on spam on an open list, would be to have mailman send out a confirmation message for non-member posts. If the sender confirms then, address gets added to the accept_these_nonmembers, if not the message gets dropped after some time and the address perhaps added to discard_these_nonmembers.
Robert Millan mentioned ASK, which I hadn't heard about before, but it also makes me think of TMDA.
I'd really like to add something like this, perhaps including a subscription option (likely via a web confirmation). We'd put a governor on the confirmation offerings so forged virus bombs wouldn't inundate the innocent.
I'm beginning to think that I may have to put out a Mailman 2.2 and if so, this feature would be a good candidate.
-Barry

- Barry Warsaw (barry@python.org) wrote:
> Robert Millan mentioned ASK, which I hadn't heard about before, but it also makes me think of TMDA.
Yupp, challenge/response was exactly what I was thinking of. One could of course use the TMDA or ASK for this but being included in mailman directly would simplify the process very much.
I'm not really for using the challenge/response system for personal mail since I get much mail from unknown senders. But for a list that would normally be open it would cut down on the spam. I used to have my lists open but due to spam I've closed them which generates a lot of approval messages :-(
One could argue that you could as well subscribe to the list if you want to send a mail to it but then you get all the rest of the mail that you might not be interested in.
> I'd really like to add something like this, perhaps including a subscription option (likely via a web confirmation).
In addition to the full subscription option there could perhaps be a thread subscription which would subscribe the sender to only receive mails from the thread started by him/her. This might become somewhat heavy though.
> We'd put a governor on the confirmation offerings so forged virus bombs wouldn't inundate the innocent.
Not that I need to know but what do you mean with governor?
just my 2 cents madsen

On Thu, 2003-08-28 at 03:00, Madsen Wikholm wrote:
> I'm not really for using the challenge/response system for personal mail since I get much mail from unknown senders. But for a list that would normally be open it would cut down on the spam. I used to have my lists open but due to spam I've closed them which generates a lot of approval messages :-(
You and me both. Since I feel your pain, I'll probably end up doing something about this in 2.1.3 (e.g. limit the number of approvals sent to the admins per day).
> One could argue that you could as well subscribe to the list if you want to send a mail to it but then you get all the rest of the mail that you might not be interested in.
Another thing I'd like to do is to make it an option to free all the held messages of someone who posted before they were a member, and then became a member, without explicit admin approval.
> In addition to the full subscription option there could perhaps be a thread subscription which would subscribe the sender to only receive mails from the thread started by him/her. This might become somewhat heavy though.
It's a great idea that's been bandied about for years (e.g. Roundup's nosy lists). But that would have to be a feature for a 2.2 release.
>> We'd put a governor on the confirmation offerings so forged virus bombs wouldn't inundate the innocent.
> Not that I need to know but what do you mean with governor?
Ah, a regulator. I.e. something that stops Mailman from sending too many confirmation messages during a certain period of time. There are actually already such things in the autoresponder, but more of the system needs to be put on it.
-Barry
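
The non-member confirmation flow proposed in this thread, with the governor Barry describes above applied to outgoing confirmations, as an added Python example. It is not Mailman code and not from any poster; the class name, the limits and the choice to keep throttled posts held are assumptions, and only `accept_these_nonmembers` is a name from the thread.

```python
import secrets

MAX_CHALLENGES = 2        # assumed governor limit per address per window
WINDOW = 3600             # assumed governor window, in seconds
EXPIRY = 3 * 86400        # assumed lifetime of an unconfirmed post, in seconds

class NonMemberGate:
    """Challenge non-member posters, with a governor on outgoing challenges."""

    def __init__(self):
        self.accept_these_nonmembers = set()
        self.tokens = {}   # token -> (sender, time issued)
        self.held = {}     # sender -> [(message, time held)]
        self.sent = {}     # sender -> times a challenge was mailed

    def post(self, sender, message, now):
        """Return (action, token); token is set only when a challenge is mailed."""
        sender = sender.lower()
        if sender in self.accept_these_nonmembers:
            return "accept", None
        self.held.setdefault(sender, []).append((message, now))
        recent = [t for t in self.sent.get(sender, []) if now - t < WINDOW]
        self.sent[sender] = recent
        if len(recent) >= MAX_CHALLENGES:
            # Governor tripped: a flood carrying a forged From: address earns
            # the forged party no further mail. The post simply stays held.
            return "held", None
        token = secrets.token_hex(16)   # unguessable: only the real mailbox sees it
        self.tokens[token] = (sender, now)
        recent.append(now)
        return "challenge", token

    def confirm(self, token, now):
        """Whitelist the sender and return their held posts, or [] if invalid."""
        sender, issued = self.tokens.pop(token, (None, 0))
        if sender is None or now - issued > EXPIRY:
            return []
        self.accept_these_nonmembers.add(sender)
        return [m for m, t in self.held.pop(sender, []) if now - t <= EXPIRY]

    def expire(self, now):
        """Drop posts and tokens older than EXPIRY; return the posts dropped."""
        dropped = 0
        for sender, posts in list(self.held.items()):
            keep = [(m, t) for m, t in posts if now - t <= EXPIRY]
            dropped += len(posts) - len(keep)
            self.held[sender] = keep
        self.tokens = {k: v for k, v in self.tokens.items() if now - v[1] <= EXPIRY}
        return dropped
```

The governor counts challenges per claimed sender address, so the cap bounds what a forged address can receive regardless of how many posts arrive in its name.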

At 10:21 AM -0400 2003/08/28, Barry Warsaw wrote:
> Another thing I'd like to do is to make it an option to free all the held messages of someone who posted before they were a member, and then became a member, without explicit admin approval.
I'd also like to see an update to the spam checking.
For example, for closed lists, I'd like to have a default action of holding the message if it comes from a subscriber and matches the spam regex. But I'd like to have a default action of discarding the message if it comes from a non-subscriber and matches the spam regex.
>> Not that I need to know but what do you mean with governor?
> Ah, a regulator. I.e. something that stops Mailman from sending too many confirmation messages during a certain period of time. There are actually already such things in the autoresponder, but more of the system needs to be put on it.
There is already the option "Should the list moderators get immediate notice of new requests, as well as daily notices about collected ones?", which I was very grateful to be able to turn off.
I also made the source-code modification so that the default action for held messages is "discard" as opposed to "defer". This way, I can get rid of hundreds of held messages in a single button click. Yes, more dangerous, but a lifesaver during the recent SoBig.F mess.
But I'd prefer not to get most of those held messages in the first place, since they were from non-subscribers and definitely matched the spam regex (after a bit of tweaking the SpamAssassin configuration).
-- Brad Knowles, <brad.knowles@skynet.be>
"They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." -Benjamin Franklin, Historical Review of Pennsylvania.
GCS/IT d+(-) s:+(++)>: a C++(+++)$ UMBSHI++++$ P+>++ L+ !E-(---) W+++(--) N+ !w--- O- M++ V PS++(+++) PE- Y+(++) PGP>+++ t+(+++) 5++(+++) X++(+++) R+(+++) tv+(+++) b+(++++) DI+(++++) D+(++) G+(++++) e++>++++ h--- r---(+++)* z(+++)

At 22:42 +0200 8/28/2003, Brad Knowles wrote:
> There is already the option "Should the list moderators get immediate notice of new requests, as well as daily notices about collected ones?", which I was very grateful to be able to turn off.
Perhaps more useful the list admin could set periods other than "daily" (millenniumly is tempting but too long ;-)), and the timing (eg, tell me at 6AM, Noon, and 4PM). Or "per admin or moderator": tell Barry at 6AM; tell John at Noon; etc.
A lot of code...would it be used?
--John
-- John Baxter jwblist@olympus.net Port Ludlow, WA, USA

On Thu, Aug 28, 2003 at 10:42:40PM +0200, Brad Knowles wrote:
> I also made the source-code modification so that the default action for held messages is "discard" as opposed to "defer". This way, I can get rid of hundreds of held messages in a single button click. Yes, more dangerous, but a lifesaver during the recent SoBig.F mess.
A friend sent me a wonderful little bookmarklet for this, for those of you who don't want to change the source but do get pages of discardables on occasion. It works well in Mozilla, although I haven't tried it in anything else.
javascript:(function(){var elements=document.forms[0].elements;for(var i=0;i<elements.length;i++){var el=elements[i];if(el.type=='radio'&&el.value=='3'){el.checked=true;}}})()
Terri

At 10:21 -0400 8/28/2003, Barry Warsaw wrote:
>> In addition to the full subscription option there could perhaps be a thread subscription which would subscribe the sender to only receive mails from the thread started by him/her. This might become somewhat heavy though.
> It's a great idea that's been bandied about for years (e.g. Roundup's nosy lists). But that would have to be a feature for a 2.2 release.
And would have problems with uncooperative MUAs and uncooperative MUA users, either of which could take an "interesting" (to the restricted subscriber) message outside the thread.
Good luck.
Are Topics working well enough to be useful (I haven't tried any)?
--John
John Baxter jwblist@olympus.net Port Ludlow, WA, USA

Participants (7): A.M. Kuchling, Barry Warsaw, Brad Knowles, John W Baxter, Madsen Wikholm, Robert Millan, Terri Oda