[Mailman-Developers] Interesting study -- spam on posted addresses...

John Morton jwm@plain.co.nz
Fri, 22 Feb 2002 11:00:23 +1300


On Friday 22 February 2002 05:28, Dale Newfield wrote:
> On Thu, 21 Feb 2002, Damien Morton wrote:
> > Making a private archive available to those who are list members
>
> I haven't commented on this before, but the reason I find this solution
> lacking is that most mailman lists (in my experience) don't require list
> admin permission to join.  If this is the hurdle, as a spammer I'd just
> create a hotmail account that I can automatically subscribe to any mailman
> mailing list, and then gain access to the honeypot.

I think we're really getting into wild speculation territory here. No one 
will bother hacking the code to automatically get new free mail accounts 
(this requires staying up to date with some range of mail services' cgi 
interface for their join function), automatically join any mailing list they 
find (same problem as before, coupled with having an automated way of finding 
lists to plunder), then going through the usual email confirmation step (ok, 
not hard if your mail service lets you pop mail from them). 

No one is going to bother implementing and maintaining this attack while they 
can grep addresses straight out of Usenet, off the web and out of DNS. If at 
some point in the future, those sources dry up, then it might be time to 
rearm. If there's compelling evidence that private archives and voluntary 
address obfuscation methods are failing, then it's time to rearm. But let's 
just keep in mind that this will always be an arms race, and that at the end 
of the day, it's only junk mail.

John