[Mailman-Developers] Preventing spam to list admins.

Chuq Von Rospach chuqui@plaidworks.com
Mon, 27 Aug 2001 22:56:32 -0700


On 8/27/01 10:14 PM, "J C Lawrence" <claw@kanga.nu> wrote:

>> I don't disagree -- but that's not the address on the listinfo
>> pages, either. And that's ANOTHER problem to deal with, now that
>> you mention it.
> 
> Aye, that's a long term niggle for me: The admins on the listinfo
> pages et al should be reported as listname-admin@domain, not the
> actual addresses.

One thing I've been mulling over today is whether we're being too paranoid
here.

We DO know that spambots will harvest addresses they find on web pages. So
those web pages need to be protected, obscured, or the addresses kept off of
them.

We DO know standard addresses (postmaster, webmaster, etc et al) and mailing
list posting addresses get harvested by spambots and added to their lists.

But do we know of spambots that say "because list@foo.com exists, we should
also spam list-owner@foo.com"?

I don't think that happens, and so I'm wondering if we try to protect this
"standard" address we may be solving a problem that doesn't (and isn't
likely to) exist. 

I like the idea of having mail funnel through listname-owner@domain, and
have that point to the list of all admins (or with 2.1, where we have list
admins, content admins and site admins, how will this breakout change?
Hmm). Seems to me the answer is to bridge access to that address through
some kind of interface that spambots can't traverse, but humans can. That
would mean not putting mailtos on the page, but doing something that would
let the user mail the admin. I'm not necessarily a fan of the "send email"
form thing, either, since if mailman breaks, that form also probably breaks
(and how will they email us to tell us it's broken?), but I'm not sure
there are many alternatives that solve all of these problems...

I do believe that shifting the listinfo page to be a mailto to the -owner
address will only get that address on the spam lists and solve nothing....

I'm still thinking my way through this. There are going to be tradeoffs
here...

> There are two conflicting requirements here:
> 
> 1) The list admin address needs to be canonical, well known, and
> always supported.
> 
> 2) We can't tell anybody about it.

Does it have to be well-known? Canonical? Or is it something that simply has
to be available on request?

There ARE addresses that have to be canonical and well-known, but are
list-admin addresses one of those? Or can we, say, generate them dynamically
or simply hide them through some accessible interface?

I'm not promoting these as solutions. I'm wondering if they might be
solutions.

> What we can do is try and institute methods for sites to help them
> control the damage wreaked by #1.  Sadly, I don't have a lot of
> suggestions there, other than the fact that doing away with #1 is
> not an acceptable answer.

The first answer is to run it all through whatever mailman uses for
anti-spam for the posting addresses. Which would at least allow us to define
auto-bounce rules for the "easy" stuff, like pr0n, judicial judgements and
the like. We could filter out the "low hanging fruit" with a decent tool, if
it filters admin mail through it.

But that's only low hanging fruit. And a partial solution. But it's a start.

>> armor we can give them in other ways. I don't think we can do
>> nothing, and I don't think the answer is "have them filter with
>> procmail"...
> 
> Well, of course we can.  Many do precisely this (little).  It's just
> that we'd do better and be better if we didn't.  It's more admirable
> to step up to the plate, even if you do miss the ball.

Or foul it off. Tell your admins running lists from AOL that all they need
to do is install procmail...

No, I think if we create a problem (and we are) we have some responsibility
to minimize it and do what we can about it. It might not be easy for Mailman
developers, but then, by the same rationale, we could do away with
subscription validation, no?



-- 
Chuq Von Rospach, Internet Gnome <http://www.chuqui.com>
[<chuqui@plaidworks.com> = <me@chuqui.com> = <chuq@apple.com>]
Yes, yes, I've finally finished my home page. Lucky you.

95% of being a net.god is sounding persuasive
and convincing people you know what you're talking about, even when you're
making it up as you go along. (chuq von rospach, 1992)