[Mailman-Developers] Save the world from spam

John Morton jwm@plain.co.nz
Fri, 22 Feb 2002 18:18:27 +1300


On Friday 22 February 2002 16:36, Chuq Von Rospach wrote:

> > Excellent. Would you mind publishing an analysis so we can start making
> > some informed decisions as to what methods are effective?
>
> Oh, that's easy. I haven't found evidence of any harvesting. I've also been
> able to find evidence of harvesting from OTHER sites' lists on at least
> three occasions where people complained to me my lists were being
> harvested.

And those lists had publicly accessible archives with no address mangling?

> Understood. But -- there are going to have to be some compromises and
> tradeoffs made. The whole discussion was intended to look for them, because
> I don't believe you can have all of that successfully. Something will have
> to give.

Yep. Almost time to go back through the thread so far and summarize the 
options that have been discussed, I think.

> > That's because email addresses aren't secrets. If you can think of a
> > better method than address mangling or hiding behind web forms, do tell.
> > Personally, I'm willing to consider those good enough for the time being.
>
> You know, now that I think of it, there's another approach: you don't get
> the admin's email address until you authenticate. Then you get it. If
> you're a list subscriber, you authenticate to the same level as the list is
> authenticated. If you're not, Mailman sends you an e-mail with the address
> in it (or FROM the address, so you can merely reply to it). No valid email
> address, no access to the admin. And if you do that, you can also set up a
> blackhole for known abusive addresses, shutting out the trolls.
>
> Thoughts?

I think the list admin address is exposed to subscribers in the welcome 
message and monthly reminders already; I presume you mean that to see a web 
page with it, you'd have to log in first. 

I think the problem with this is the most likely reason that someone would 
email the admin if they're subscribed is because they can't log into the site
to change their settings, see the archive and so on, or they're trying to 
subscribe to the list but the email confirmation process is failing for some 
reason (this has happened to me on a couple of occasions due to MTA weirdness
at the list end). Naturally, failures anywhere before the email confirmation 
process couldn't be reported, either. 

This one doesn't look to be any better than the web form, except that it 
might work in an email-only environment. Perhaps both?

John