[Mailman-Developers] FYI -- mailback validations no longer safe?

Christopher Lindsey lindsey@ncsa.uiuc.edu
Sat, 9 Dec 2000 17:35:34 -0600


> A couple of quick corrections. eGroups no longer archives lists hosted
> elsewhere, although there are still a few legacy lists. We stopped that
> about a year ago. I also think that remarq.com has stopped that as well.

Yes, remarq appears to have stopped now.  We still have some NCSA lists
(well, at least one) archived at eGroups, but I suspect it's one of
those legacy archives since it still has the old subscription information
from almost three years ago on it.  :)  

> As for archives, eGroups obscures email addresses to prevent spam
> harvesting. We never saw an instance of successful spam harvesting of
> email addresses from the archives because of this.

The addresses are now obscured, but when it was done through findmail
the addresses were there for the world to see.

I'm not targeting eGroups or Remarq, but just listing them as examples
of what can happen.  In these cases, the two companies started archiving
and then addressed the problems that they had created later.  And
that's the whole point -- you can make your server as secure as possible,
hide email addresses in your archives and do anything else imaginable,
but one irresponsible subscriber makes the whole setup worthless.  
They just need to set up an archive that doesn't hide email addresses,
and voila...

S/MIME or PGP signatures would of course prevent the addresses being
used for spamming, but would still allow direct spam.  That's why
I use unique email addresses for most lists that I subscribe to; at
least then I can track the origins of a spam.  Coupled with an MLM
that signs outbound messages, I'd be pretty spam-free since I could
disregard anything that wasn't signed.

[apologies for double quoting -- I don't remember the original poster]
> > But Murr Rhame on list-managers said something that made me think of
> > a possible answer -- new subscribers automatically go into "hold for
> > approval" mode. it'd be another flag in the user record (like digest
> > or nomail), and when you subscribe, it's turned on. All messages are
> > held for the admin to approve. Once an admin can trust a new account,
> > he turns off the flag and they post without restriction.

It's a pretty standard feature in MLMs...  Even old and crusty majordomo
1.94.x can require subscriber approval.  

Chris (who's thinking that maybe we should remove Spaf et al from the
      Cc: list?)

----------------------------------------------------------------------
Christopher Lindsey, Senior System Engineer
National Center for Supercomputing Applications (NCSA)
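The setup Chris describes above (one unique address per list, plus an MLM that signs outbound mail so the subscriber can disregard anything unsigned), as an added example in Go that is not from this thread, Mailman or majordomo; an ed25519 keypair stands in for the PGP/S/MIME key, and the addresses, list names, Message type and its Rcpt field are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
)

// Message is a minimal stand-in for a list post (constructed fields, not Mailman's).
type Message struct {
	List, Subject, Body string
	Rcpt                string // per-subscriber delivery address (hypothetical field)
	Signature           []byte // ed25519 signature added by the list server
}

// NewListKey generates the list server's signing keypair (fresh each run).
func NewListKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// canonical is what the list server signs; Rcpt is excluded because one
// signed post is delivered to many different subscriber addresses.
func canonical(m Message) []byte {
	return []byte(m.List + "\n" + m.Subject + "\n" + m.Body)
}

// SignOutbound is the list server's step before distribution.
func SignOutbound(priv ed25519.PrivateKey, m Message) Message {
	m.Signature = ed25519.Sign(priv, canonical(m))
	return m
}

// Classify is the subscriber's filter. addrs maps each unique per-list address
// to its list name; listKey is the list server's public key. It returns "accept"
// for a validly signed post to a known address, "leak:<list>" for anything else
// sent to that address (it has been harvested, and the list name says where),
// and "discard" for addresses the subscriber never handed out.
func Classify(addrs map[string]string, listKey ed25519.PublicKey, m Message) string {
	list, known := addrs[m.Rcpt]
	if !known {
		return "discard"
	}
	if !ed25519.Verify(listKey, canonical(m), m.Signature) {
		return "leak:" + list
	}
	return "accept"
}
```

A spammer who posts through the list itself still receives a valid signature, which is the direct-spam case the message says signing does not stop; the "leak:" result only tells you which list's address was harvested.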