[Mailman-Developers] Interesting study -- spam on postedaddresses...

Chuq Von Rospach chuqui@plaidworks.com
Mon, 18 Feb 2002 13:57:50 -0800

On 2/18/02 12:59 PM, "Daniel J. Cody" <djc@members.evolt.org> wrote:

> Speaking of tradeoffs, it's my opinion that hiding archives behind a
> password protection scheme for fear that the administrator, who probably
> deals with oodles of email anyways and is probably the *most* experienced
> person in regards to email filtering etc, is a poor one.
> whew.
> The archives for a list I run happen to get around 100K referers from
> google a month, and again IMO, blocking those people out just because I'm
> getting 5 spams a month doesn't seem like the best idea.

You misread the intent here, probably because I was unclear.

You protect the archives because otherwise, your subscribers will be
harvested. If your archives are in google, you're handing all of your
subscribers to the spammers. You might as well burn them a CD.

To me, that's not remotely an option. If your archives are
google-searchable, you're being harvested, and your users, if they ever
figure it out, will thank you. Probably with a pitchfork.

Users of a mail list have a right to be protected from spam caused by your
mail list. If you don't protect the archives from harvesting, frankly, you
might as well stop rejecting spam sent directly to the list as well. And you
know how well your users would take THAT decision.

We can argue the philosophy of archives in search engines -- but I consider
stuffing email addresses in search engines to be a fatal error. You'll never
convince me that's okay. And I've never convinced myself that castrating
email out of an archive and then publishing the archive is worth the work
and hassle. Your mileage on that latter probably varies.

Protecting admin addresses from spam is a second, separate issue. An admin
has a responsibilty to be accessible to the outside public to answer
questions and deal with problems. And because, if the pages DO break, one
would hope the admin would like to know that so it can be fixed.

So you can't hide an admin -- but I think you also have a responsibility to
protect that admin as much as you can, because it's already enough fun for
the admin to run a list that adding "oh, yeah. Eat all this spam" on top
doesn't seem to add many gold stars to the job description. So you have to
look for ways to not make it easy for spammers, while not making it hard for
real users. 

> http://evolt.org/article/mmdev/18/15126/index.html

Thanks. I'll go take a look. I'm always looking for better mousetraps.

But I'm curious whether your setup would catch and protect users from this:
Last Friday, I got an emergency call from my assistant (I was at home,
watching curling on CBC. Um, well, I was working from home). Our Mailman box
at work was thrashed and shutting down.

I logged in and looked, and found that the web site was being whacked -- a
robot of some sort was pulling down 40 pages in parallel, all at once.
Definitely not a well-behaved beast.

When I went looking in the logs to see whether it was a system problem, an
attack, or merely some clueless idiot interrupting my day, I found that
while it was clearly an automated spider of some sort doing the page grabs,
its user-agent promoted itself as a nice, generic IE on Microsoft Windows
user. In other words, if you are assuming the harvesters aren't obfuscating
the user-agent, I found out the hard way last week that's not true.

I'm still waiting to see if that guy comes back. I'm curious. And, now,

I haven't seen a bot-catcher that I think reliably stops a bot that is
actively trying to hide from me. Which means the GOOD spammers are going to
fall under the radar, and you get this false sense of security, because of
all of the stuff you Are stopping... Until I do find one, I'll use a
password and some kind of authentication, and work my butt off to not let
the data get out of my hands if there are email addresses in it (I just
modified my T&C to explicitly deny people setting up public, third party
archives without our approval of the archive, specifically so we have teeth
to force them to protect their archives at least as much as we protect ours.
It makes no sense putting a second deadbolt on the front door if you never
lock the back. Letting your archives into google, IMHO, is putting the
silver on the front porch so they can take it easier...

> As an aside, how many that run 'larger' lists get a lot of spam? Using the
> same email address for list-admin going on 3 years now, I can probably
> count on my fingers and toes how many spams I've gotten to that address.

Oh, gee. You can have some of mine. You don't want to know. On my home/small
server, a couple of the mail lists average 10-15 pieces a day, to it and to
the admin. Right now, it's gone from making it bigger and increasing the
volume to making it taste sweet.. Sigh.

Chuq Von Rospach (chuqui@plaidworks.com -- http://www.chuqui.com/)
Will Geek for hardware.