[Mailman-Developers] Feature request
Chuq Von Rospach
Mon, 14 May 2001 20:59:21 -0700
On 5/14/01 8:48 PM, "Marc MERLIN" <firstname.lastname@example.org> wrote:
> Turns out that it actually was a misguided user with a real project who
> apparently thought a lot of people should know about it.
> The problem remains though.
Zealots are zealots, whether it's their business, product, god or
> BTW, there is adult supervision, SF does check and approve projects one per
> one, but there isn't much you can do about people who lie and set up a phony
> project that looks real.
True -- which puts you a step ahead of yahoogroups, but as you note, it's
not all that difficult to fake it enough to look legit. It's really a
difficult thing to solve -- especially if you can't "track back" a user past
a disposable email address at hotmail or any of the other freebies. If you
have a trackable address, you have a chance of having THEIR ISP break a
kneecap for you, and at the least, you can ban the user (and if necessary)
the ISP to limit future damages....
> Note that it introduces the concept of an uber user who gets those admin
> check Emails and other things to confirm instead of the list admin.
Well, I use the following concepts in my sites:
O site mom: basically, god.
O list mom: god for a list.
O assistant list mom: does the stuff the list mom can pawn off on them.
O content mom: handles mail that hits the admin page for some kind of hold,
and monitors/administers the content of the list.
You need a site mom to oversee everything and set policy (and
vet/train/monitor/break kneecaps on list moms). List moms handle
administrative stuff and have access to the subscribe pages; content moms
don't -- each list tends to organize as it sees fit around those
Seems to work okay. It allows the list owner to hand off part or all of the
list responsbility (at Apple, no list exists without an internal sponsor;
that sponsor may or may not manage the list -- it might be someone in that
group, or they may bonk an outside person to handle day to day operations).
And responsibility flows upstairs, and memos flow back down.. (snicker)
> That could work for some, but doesn't help that much with a determined
> spammer who lies to get this access and then does the bad deed.
But that's why you have to require a 'verifiable' address -- so if they do
it, you have a chance of having an ISP be responsible for it, and if not, at
least you can nuke that account and ISP from the 'verifiable' list so they
can't pull it twice.
> I guess the best would be to have a config option that says what the max
> number of people who can be added through the web is (0 being a possibility)
> Having oversized adds go to a site admin for confirmation instead of just
> failing would be an added bonus.
Agreed and agreed -- it'd give the admin a chance to, say, pull a random
subset to verify they'd agreed to this. If the list comes up clean, good. If
not, you know you have a problem.