[Mailman-Developers] Foiling automated subscriptions by spammers

George F. Nemeyer tigerwolf@tigerden.com
Sat, 5 Jan 2002 11:25:21 -0500 (EST)

Discussions on another list bring up something to consider: 

---------- Forwarded message ----------
Date: Sat, 5 Jan 2002 11:19:24 -0500 (EST)
From: "George F. Nemeyer" <tigerwolf@tigerden.com>
To: spam@zorch.sf-bay.org
Subject: Re: bulk email explosion this spring?

On Sat, 5 Jan 2002, Tim Pierce wrote:

> Has anyone heard rumors that big spamhauses are planning to deploy new
> technology to attack mailing lists, or for that matter are planning
> anything specific for this spring? 

I've not heard rumors, but the way I read the ominous forecast was that
spammers plan to automate the subscription/confirmation process to get
into lists initially with the hope of getting at least one spam flood

If that's true, it seems the next logical step is to create lists that are

That is, for any new subscriber, a human reviews and manually approves the
first N postings, until the user can be tagged as 'trusted' and their
subsequent posts are then allowed onto the list automatically.  If any
early posts are spam, the user is summarily booted.  N can even be zero if
the list owner knows and trusts the user when they approve the
subscription to the list initially. 

I can't see large volume spam houses bothering to actually create on-topic
posts long enough to become tagged trusted since doing so by automated
means would be nearly impossible for large numbers of lists with widely
varying subjects. 

This scheme should work at least for lists where the rate of new
subscriptions is manageable.

Other schemes might involve requiring posting domain to be the same as
subscription domain, or other 'source' comparisons which would flag
suspicious posts for approval before letting them onto the list.

It will take some list server software changes, so I'm going to copy this
to the Mailman developer's list for consideration.

George Nemeyer
Tigerden Internet Services
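
The hold-first-N scheme described in the message above, written out as a moderation policy in Python (Mailman's language). This is an added example, not part of the original post and not Mailman's code. The class and method names are hypothetical, and 'posting domain' is assumed to mean the domain of the envelope sender.

```python
# Added illustration; every name here is hypothetical, not a Mailman API.
from dataclasses import dataclass, field
from enum import Enum

class Decision(Enum):
    ACCEPT = "accept"   # deliver to the list automatically
    HOLD = "hold"       # queue for a human moderator
    REJECT = "reject"   # sender is not (or no longer) subscribed

@dataclass
class Member:
    domain: str         # domain of the subscribed address
    remaining: int      # approvals still needed before 'trusted'

@dataclass
class ProbationPolicy:
    first_n: int = 3    # the post's N; chosen by the list owner
    members: dict = field(default_factory=dict)

    def subscribe(self, address, n=None):
        # n=0 models an owner who already trusts the subscriber.
        addr = address.lower()
        left = self.first_n if n is None else n
        self.members[addr] = Member(addr.rpartition("@")[2], left)

    def classify(self, from_addr, envelope_domain):
        # Assumption: 'posting domain' = domain of the envelope sender.
        member = self.members.get(from_addr.lower())
        if member is None:
            return Decision.REJECT
        if envelope_domain.lower() != member.domain:
            return Decision.HOLD    # source mismatch, even if trusted
        if member.remaining > 0:
            return Decision.HOLD    # still on probation
        return Decision.ACCEPT

    def approve(self, from_addr):   # moderator: held post was on-topic
        member = self.members[from_addr.lower()]
        member.remaining = max(0, member.remaining - 1)

    def boot(self, from_addr):      # moderator: held post was spam
        self.members.pop(from_addr.lower(), None)

def demo():  # constructed addresses, for illustration only
    p = ProbationPolicy(first_n=2)
    p.subscribe("new@example.org")
    first = p.classify("new@example.org", "example.org")
    p.approve("new@example.org"); p.approve("new@example.org")
    return first, p.classify("new@example.org", "example.org")
```

A domain mismatch holds the post even for a trusted member, so a forged From line using a trusted subscriber's address still reaches a moderator.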