[Mailman-Developers] Interesting study -- spam on posted addresses...

Jay R. Ashworth jra@baylink.com
Wed, 20 Feb 2002 16:18:29 -0500


On Wed, Feb 20, 2002 at 10:15:33AM -0800, Chuq Von Rospach wrote:
> On 2/20/02 9:31 AM, "Jay R. Ashworth" <jra@baylink.com> wrote:
> > But I still think it's important to keep firmly uppermost in our minds
> > here that the spam is not *caused* by the mailing list.
> > 
> > Nor is it caused by Google
> > 
> > It's *caused* by the spammers.
> 
> And burglary is not caused by my owning nice things, either. It's caused by
> burglars. But that's no excuse to not put locks on the doors.

A mailing list -- a publicly accessible mailing list -- isn't your
house.  It's the city library.  Those are typically not locked up as
tightly as your house, during the day.

> > I realize that we have practical considerations to deal with which are
> > much closer to our feet, but I think that it's quite important that we
> > don't lose sight of the forest for the trees.
> 
> See, here's our disagreement here. You're saying "put the damn burglars in
> jail already!" and I'm saying "I agree, but until that's done, I still think
> I'm installing that deadbolt on the front door".
> 
> You're right, Jay, but does being right matter? Unless you know how to stop
> the spammers, it's a Pyrrhic victory -- because it does nothing to protect
> yourself from the spammers.

*I* protect *myself* from the spammers, actually, thank you very much.

Perhaps that sounds elitist.  So be it.

> Even with a good deadbolt, burglaries still happen. Is that an excuse not to
> put the deadbolt on in the first place? No.

Well, again: would you deadbolt the public library?

> > I personally can't think of any method of programmatically obscuring
> > email addresses that can't be programmatically reversed.
> 
> Have you seen what slashdot is doing? I think it has promise, because while
> it's still reversible programmatically, it makes it much more difficult to
> do. Will they still get harvested? Most likely. But not nearly as quickly as
> most other sites, and it's going to make the spambots crazy trying to eat
> each page looking to figure out if it knows which obfuscation to
> de-obfuscate. 

Actually, no, I haven't bothered with /. in some time...  I'll take a
look.

[ looks ]

Hmmm... there are a couple of ways that you *don't* want to despam an
address; hope they didn't hit any of them.

> But I've been thinking about this, and I want to throw a couple of ideas
> out. I'm speaking just of the admin-access issue, not archives.
> 
> Admin-access has three components to it, all in conflict.
> 
> 1) The list admin needs to be accessible to everyone, not just subscribers.
> 
> 2) the list admin shouldn't be an open target to spam.
> 
> 3) Someone has to be accessible for problem reports even if the Mailman
> system is malfunctioning.
> 
> That third point is a bit of a shift. I've come to the thought (and we can
> argue it) that LIST admins don't need to be accessible if MAILMAN fails. The
> MAILMAN admin does. And I think the chances are good that the MAILMAN admin
> is more likely than not also the person who gets abuse@, root@, postmaster@,
> so the SITE admin mailbox is already wide open to all these idiots. Making
> it wide open to mailman spam simply isn't significant.

I don't need to argue it; I concur: if the server falls over, the
server admin is the target.  And yeah, they should be wearing armor
already.

> That, basically, allows us to stuff mailtos somewhere pointing to an address
> you can mail to to report site failures. I'll even go farther and say that
> address can simply be on a web page, not linked to a Mailto, and if you
> really, really want, obscure it further as a JPG or something. But I think
> that's all overkill, given that spammers now automatically spam
> root/postmaster/etc on domains anyway.
> 
> That takes care of the "access in case of failure" mode, mostly by, frankly,
> simply anointing ONE person (the site admin) as "it" for open access. Not
> great, but it's sure better than making all admins deal with it.

No problem there.

> That then allows us to deal with (1) and (2). Which means we can now put
> admin access behind some kind of web interface. And - we already have 80% of
> that, in the current admin interface.
> 
> So I recommend this:
> 
> You no longer advertise admin's real addresses. Instead, you advertise a
> feedback that sends messages to the admin, to discourage mailing directly.
> A year ago, I probably would have insisted on SOME kind of email contact
> point, but frankly -- the percentage of users who can't use a web page is
> pretty much zero now.

This is, alas, a different topic.

When I send a complaint to someone about something, *I want a copy of
that message in my outbox*.   I *hate* mail forms.  With an unbridled,
flaming passion.  They usually don't spell check; they don't get my sig
file, etc, etc, ad nauseam.

I can at least tolerate it, if you'll carbon me a copy, but it's still
suboptimal. 

> And since 2.1 has better filtering capabilities, we get those filtering
> capabilities for free on incoming admin email. And this stuff isn't thrown
> in an admin's mailbox -- it's dealt with as part of the normal admin list
> functions, reducing the interruption/hassle factor. And the admin addresses
> won't end up in spammer databases, because they no longer exist.

Now *that* part, I like.

> Thoughts? It's not perfect, but now only one guy is "it", and the admins are
> accessible but protected -- and can better separate their list-admin "me"
> from their real "me" on top of it. And the site admin is more likely IMHO to
> be capable of managing their mailbox from spam than forcing all list admins
> to learn how to do that...

Personally, I'm a little tired of "But I'm too lazy" (to learn how to
set up spam filters) being an acceptable excuse.  If you can't find
someone to run your list with a clue, then maybe you shouldn't have a
list.

But that's why *I'm* not the Mailman product line manager.  :-)

Cheers,
-- jra
-- 
Jay R. Ashworth                                                jra@baylink.com
Member of the Technical Staff     Baylink                             RFC 2100
The Suncoast Freenet         The Things I Think
Tampa Bay, Florida        http://baylink.pitas.com             +1 727 647 1274

   "If you don't have a dream; how're you gonna have a dream come true?"
     -- Captain Sensible, The Damned (from South Pacific's "Happy Talk")