[Mailman-Developers] Feature request

Chuq Von Rospach chuqui@plaidworks.com
Mon, 14 May 2001 20:59:21 -0700 

On 5/14/01 8:48 PM, "Marc MERLIN" <marc_news@valinux.com> wrote:

> Turns out  that it  actually was a  misguided user with  a real  project who
> apparently thought a lot of people should know about it.
> The problem remains though.

Zealots are zealots, whether it's their business, product, god or
politics... (grin)

> BTW, there is adult supervision, SF  does check and approve projects one per
> one, but there isn't much you can do about people who lie and set up a phony
> project that looks real.

True -- which puts you a step ahead of yahoogroups, but as you note, it's
not all that difficult to fake it enough to look legit. It's really a
difficult thing to solve -- especially if you can't "track back" a user past
a disposable email address at hotmail or any of the other freebies. If you
have a trackable address, you have a chance of having THEIR ISP break a
kneecap for you, and at the least, you can ban the user (and if necessary)
the ISP to limit future damages....

> Note that  it introduces the  concept of an uber  user who gets  those admin
> check Emails and other things to confirm instead of the list admin.

Well, I use the following concepts in my sites:

O site mom: basically, god.

O list mom: god for a list.

O assistant list mom: does the stuff the list mom can pawn off on them.

O content mom: handles mail that hits the admin page for some kind of hold,
and monitors/administers the content of the list.

You need a site mom to oversee everything and set policy (and
vet/train/monitor/break kneecaps on list moms). List moms handle
administrative stuff and have access to the subscribe pages; content moms
don't -- each list tends to organize as it sees fit around those
restrictions. 

Seems to work okay. It allows the list owner to hand off part or all of the
list responsbility (at Apple, no list exists without an internal sponsor;
that sponsor may or may not manage the list -- it might be someone in that
group, or they may bonk an outside person to handle day to day operations).
And responsibility flows upstairs, and memos flow back down.. (snicker)

> That  could work  for some,  but doesn't  help that  much with  a determined
> spammer who lies to get this access and then does the bad deed.

But that's why you have to require a 'verifiable' address -- so if they do
it, you have a chance of having an ISP be responsible for it, and if not, at
least you can nuke that account and ISP from the 'verifiable' list so they
can't pull it twice.

> I guess  the best would be  to have a config  option that says what  the max
> number of people who can be added through the web is (0 being a possibility)
> 
> Having oversized adds go to a site admin for confirmation instead of just
> failing would be an added bonus.

Agreed and agreed -- it'd give the admin a chance to, say, pull a random
subset to verify they'd agreed to this. If the list comes up clean, good. If
not, you know you have a problem.