[Mailman-Developers] FYI -- mailback validations nolonger safe?

Mark Fletcher markf@wingedpig.com
Sat, 09 Dec 2000 15:17:15 -0800 

Apologies if some of this is repeated in other posts, I haven't had a
chance to read through everything yet...

Chuq Von Rospach wrote:
> 
> At 3:09 AM -0600 12/9/00, Christopher Lindsey wrote:
> 
> >    Yes, this has definitely been troublesome.   I've blocked many
> >    commercial sites like findmail.com (egroups) and remarq.com from my
> >    lists because of their secret archiving that displays email addresses
> >    to the public, but at least they don't spam the lists back.  But
> >    of course anyone can browse these sites and get addresses to their
> >    heart's content, then forge MAIL FROM: to sneak mail into the lists.
> 
> Ya know, I hadn't thought of that -- I've wokred at closing off my
> list archives from the spam harvesters, but I'd never thought of the
> list archives as a source of addresses to use to spam ONTO the lists.
> (shudder). That's a real, legitimate issue, because you're basically
> handing them access.
> 

A couple of quick corrections. eGroups no longer archives lists hosted
elsewhere, although there are still a few legacy lists. We stopped that
about a year ago. I also think that remarq.com has stopped that as well.
As for archives, eGroups obscures email addresses to prevent spam
harvesting. We never saw an instance of successful spam harvesting of
email addresses from the archives because of this.

... snip ...


> But Murr Rhame on list-managers said something that made me think of
> a possible answer -- new subscribers automatically go into "hold for
> approval" mode. it'd be another flag in the user record (like digest
> or nomail), and when you subscribe, it's turned on. All messages are
> held for the admin to approve. Once an admin can trust a new account,
> he turns off the flag and they post without restriction.
> 
eGroups has had this for quite some time, and many listowners have had
success using it.

There are two types of spam problems with lists. One is harvesting of
email addresses, the other is sending spam directly to groups. Given the
current state of Internet email, neither can be fully addressed. But the
good news is that spammers generally are impatient, and are looking for
the biggest bang for the buck (most email addresses for least effort).
So, subscribing to a group and harvesting email addresses by looking at
the messages you receive is not popular with spammers (in our
experience). It takes too long and yields too few addresses. The biggest
source of spam complaints on eGroups is the case of a spammer
subscribing to a bunch of groups and then sending their spam to the
groups, which if I understand correctly is what happened to your friend,
Chuq. But besides the 'moderate new users' function, and the anti-cross
posting features of eGroups, I'm not sure what else you can do to
eliminate that problem.

As an aside, I have actually seen software designed to send spam to
mailing lists. It comes with a database of hundreds of lists (lots of
ONElist/eGroups lists included). It assumes you have subscribed to the
lists already. You compose your spam template, and it sends out
individual messages to each of the groups. By doing so, it defeats the
anti-cross posting feature of eGroups. It was targeted to people who
subscribed to the numerous (at the time) 'make money fast' groups on
eGroups and elsewhere (basically groups where subscribers spam each
other). So it wasn't really a problem for our normal users.


Mark