[Mailman-Developers] Interesting study -- spam on posted addresses...

John Morton jwm@plain.co.nz
Thu, 21 Feb 2002 19:10:29 +1300

On Thursday 21 February 2002 18:41, Chuq Von Rospach wrote:

> There is some validity to the "the club" mentality, of "we don't have to
> fix it, we only have to make it difficult enough to convince them to annoy
> someone else". But if we assume we're building the New De Facto Standard
> Listserver for the Internet here with mailman, that strategy fails, because
> if we succeed, then it becomes worth their time to find the anti-Club.
> Security by obscurity only works if you're really obscure, which implies
> failure of the software to thrive. I'm not interested in that (and even
> then, you aren't guaranteed success by being obscure).
> Another way of looking at it is "I don't have to outrun the lion. I only
> have to outrun you" -- but that doesn't work if the lion is infinitely
> hungry and doesn't get tired. Which defines a spambot.

Indeed. Email addresses aren't secrets - even more so than credit card 
numbers and biometric data - and the attackers have more than enough 
resources to seek them out.

> I'm more and more convinced the answer is simply putting admins behind a
> web form, and telling site admins to publicize an emergency address (like
> postmaster), and putting up a watcher on the system to set off alarms when
> it breaks.

For the admin addresses, I'd agree with you. Building up a document of 
pointers to good spam filtering tools couldn't hurt either. 

For archives that aren't behind a login, I think slashdot style obfuscation 
is the best we can do. The list admin can pick the default obfuscation scheme
or none at all. Users who want their email address out there for whatever 
reason can do so, and rely on their 'War and Peace' spam filters to keep the 
noise down, while other folks can opt in even further and replace the 
obfuscated email address with some useless string.
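
The policy proposed in this message (a list-wide default scheme, with each poster able to keep their address in the clear or to have it replaced outright), sketched as an added example that is not part of the original post or of Mailman's code. The scheme names, the "at/dot" rewriting, the placeholder string and the sample message are assumptions made for illustration.

```python
import re

# Simple matcher for addresses in archive text (assumption: not a full RFC 5322 parser).
ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")

HIDDEN = "[address hidden]"  # the "useless string"; hypothetical wording


def spell_out(addr):
    """Hypothetical obfuscation scheme: user at example dot com."""
    local, domain = addr.rsplit("@", 1)
    return f"{local} at {domain.replace('.', ' dot ')}"


# Scheme names are assumptions, not Mailman settings.
SCHEMES = {
    "none": lambda addr: addr,         # poster wants the address public
    "spell_out": spell_out,            # obfuscated but human-readable
    "hidden": lambda addr: HIDDEN,     # address removed from the archive
}


def scrub_archive(text, list_default="spell_out", user_prefs=None):
    """Rewrite every address in an archived message.

    A per-user preference wins; otherwise the list admin's default applies.
    """
    if list_default not in SCHEMES:
        raise ValueError(f"unknown list default: {list_default!r}")
    # Address lookups are case-insensitive.
    prefs = {addr.lower(): scheme for addr, scheme in (user_prefs or {}).items()}

    def rewrite(match):
        addr = match.group(0)
        scheme = prefs.get(addr.lower(), list_default)
        if scheme not in SCHEMES:
            raise ValueError(f"unknown scheme for {addr}: {scheme!r}")
        return SCHEMES[scheme](addr)

    return ADDR_RE.sub(rewrite, text)


# Constructed sample message; all addresses use reserved example domains.
SAMPLE = (
    "From: Alice <Alice@Example.org>\n"
    "Cc: bob@example.net, carol@example.com\n"
    "Reply to dave@lists.example.org.\n"
)
```

Anything shaped like an address is rewritten, so identifiers such as Message-ID values in archived headers would be affected too unless they are excluded before scrubbing.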