[Mailman-Developers] Possible spam attack against MM lists

Nigel Metheringham Nigel.Metheringham at dev.intechnology.co.uk
Thu Sep 2 10:08:52 CEST 2004


On Thu, 2004-09-02 at 14:30 +0900, Stephen J. Turnbull wrote:
> >>>>> "Nigel" == Nigel Metheringham <Nigel.Metheringham at dev.intechnology.co.uk> writes:
>     Nigel> What might add something would be an option where posters
>     Nigel> get a response back on postings similar to the current
>     Nigel> message held for moderation where they have a choice of
>     Nigel> actions - post or cancel at a minimum.
> 
> It would for a while, but the spammer has a big advantage here once he
> figures it out.  He just bounces back a response to _all_ such
> challenges, whereas a conscientious member will have to check (at
> least his memory) whether he posted or not.  OTOH, if it goes to the
> forged address of a legit member, that would be an annoyance to
> someone whose only sin is to have thrown snake eyes in the "spammer
> alias" lottery.

That only applies where the spammer has actually signed up using an
address that gets back to them.  If the spammer is doing forged sender
addresses they won't get the C/R (Mailman confirm/reject) message and if
this is being implemented it should certainly be using cryptographically
secured cookies so sending a response to a C/R without seeing the C/R
would not be possible.  It would be a bitch for all the posting list
members, but gives them protection against having their names taken in
vain (and also gives people a cooling off period to retract that flame
they sent in the heat of the moment).

	Nigel.
-- 
[ Nigel Metheringham           Nigel.Metheringham at InTechnology.co.uk ]
[ - Comments in this message are my own and not ITO opinion/policy - ]
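
The "cryptographically secured cookies" idea from the message above, as an added example; it is not Mailman's code or the poster's. The function names, the per-list secret, the three-day expiry and the sample values are all assumptions. The cookie is an HMAC over the list, the claimed sender, the held message's ID and an expiry, so a reply is only accepted from someone who actually received the challenge for that specific post.

```python
import base64
import hashlib
import hmac
import time

# Assumption: a per-list secret known only to the list server (constructed value).
LIST_SECRET = b"constructed-demo-secret-not-for-production"
TOKEN_TTL = 3 * 24 * 3600  # assumption: a challenge expires after three days


def _mac(list_name, sender, msg_id, expires):
    # Length-prefix every field so different inputs cannot collide by concatenation.
    parts = [list_name, sender.lower(), msg_id, str(expires)]
    data = b"".join(len(p.encode()).to_bytes(4, "big") + p.encode() for p in parts)
    return hmac.new(LIST_SECRET, data, hashlib.sha256).digest()


def issue_cookie(list_name, sender, msg_id, now=None):
    """Build the cookie embedded in the challenge mailed to the claimed sender."""
    expires = int(now if now is not None else time.time()) + TOKEN_TTL
    tag = base64.urlsafe_b64encode(_mac(list_name, sender, msg_id, expires))
    return f"{expires}.{tag.decode().rstrip('=')}"


def verify_cookie(cookie, list_name, sender, msg_id, now=None):
    """Return True only for an unexpired cookie issued for this exact held post."""
    now = int(now if now is not None else time.time())
    try:
        expires_text, tag_text = cookie.split(".", 1)
        expires = int(expires_text)
        tag = base64.urlsafe_b64decode(tag_text + "=" * (-len(tag_text) % 4))
    except ValueError:  # malformed cookie: no separator, bad integer, bad base64
        return False
    expected = _mac(list_name, sender, msg_id, expires)
    # Constant-time comparison; the expiry is covered by the MAC, so it cannot be edited.
    return hmac.compare_digest(tag, expected) and now <= expires


if __name__ == "__main__":
    # Constructed sample: one held post and the reply to its challenge.
    held = ("mailman-developers", "member@example.org", "<constructed-1@example.org>")
    cookie = issue_cookie(*held)
    print("genuine reply accepted:", verify_cookie(cookie, *held))
    print("blind reply accepted:  ", verify_cookie("0.AAAA", *held))
```

A cookie issued for one held message does not confirm another, which covers the quoted concern about a sender replying to every challenge without checking: each reply releases only the post it was issued for.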



