[Mailman-Developers] Interesting study -- spam on posted addresses...

Chuq Von Rospach chuqui@plaidworks.com
Thu, 21 Feb 2002 09:23:51 -0800

On 2/21/02 8:28 AM, "Dale Newfield" <dale@newfield.org> wrote:

> On Thu, 21 Feb 2002, Damien Morton wrote:
>> Making a private archive available to those who are list members
> I haven't commented on this before, but the reason I find this solution
> lacking is that most mailman lists (in my experience) don't require list
> admin permission to join.  If this is the hurdle, as a spammer I'd just
> create a hotmail account that I can automatically subscribe to any mailman
> mailing list, and then gain access to the honeypot.

This hits another aspect of my design philosophy. Don't sweat making one
part of the system more secure than the other parts.

In this case, you hit a nail on the head. If a spammer really, really wants
your subscribers, we can't stop him. They can simply subscribe to a list and
harvest it as it comes across. Unless you choose to anonymize every bloody
message -- a spammer will win if they're motivated enough, and a smart
spammer will do so in a way you'll never find. Like setting up a hotmail
address for each list, so you can't see that all 30 lists have the same
address in common, and simply reading messages as they come by.

And since, inherently, you can't stop THAT, it makes no sense to make
archives more secure than that. Any spammer smart enough to be willing to
subscribe to a list to do their harvesting, you're going to have a very
tough time stopping. Basically, you have to get lucky or hope they make a
mistake of some sort.

So since you can't make the subscription process more secure than that --
why try to make the archives more secure than the subscription process? It's
extra work for no real gain, because any spammer with a clue will go through
the patio door in the backyard instead of the front door with the three
deadlocks and the security gate...

