[Mailman-Developers] Interesting study -- spam on
Chuq Von Rospach
Thu, 21 Feb 2002 14:20:47 -0800
On 2/21/02 2:00 PM, "John Morton" <email@example.com> wrote:
> I think we're really getting into wild speculation territory here. No one
> will bother hacking the code to automatically get new free mail accounts [...]
Nobody has bothered to do this YET. That we know of. But the spamhacks are
evolving rapidly. More rapidly than the anti-spam hacks in many ways. I sure
wouldn't depend on them never doing this. I'm not sure what we'd do if they
did, either, but some aspects of it have happened to me in small ways, just
not from the major spamhacks.
Fact is, if they want your subscribers, they can get them. Or more
correctly, your subcribers that post -- but if everyone lurks in fear, why
hav a mail list? The question is, what can we do to make it as tough as we
can for the spammers, without screwing it up for us (as admins) or our list
users. If only because the harder we make it for them to hack us, they more
likely they'll go somewhere else that's easier to crack...
On the other hand, if Mailman does become the de-factor mail list standard,
or one of a couple of key list servers, you can bet the spam ahcks will
focus on it, because if they can crack the code, they can crack a LOT of
lists really fast. So we have the potential to become a target of our
success, and we should be aware of that.
> No one is going to bother implementing and maintaining this attack while they
> can grep addresses straight out of Usenet, off the web and out of DNS.
The "low hanging fruit" theory, or as I used yesterday, it's "the club"
mentality. The Club (which, for those who don't catch my reference) is a big
hunk o' steel you lock to your steering wheel. It's ability to slow down a
car thief boils down to two things: how badly the thief wants YOUR car (vs.
Any car), and how many other cars they can steal more easily.
But what happens when other groups get smart too, and clean up the low
hanging fruit? Depending on that to protect us is a false security,
basically no better than the old security-by-obscurity issue. Given port
scanners and the like, there IS no obscurity from the crackers any more.
Chuq Von Rospach, Architech
firstname.lastname@example.org -- http://www.chuqui.com/
Stress is when you wake up screaming and you realize you haven't fallen