[Mailman-Developers] Preventing spam to list admins.

Barry A. Warsaw barry@zope.com
Tue, 28 Aug 2001 16:35:46 -0400 

>>>>> "JCL" == J C Lawrence <claw@kanga.nu> writes:

    >> 1. "Contact the Mylist administrators", where contact is
    >> hyperlinked to the mailto: url of the -owner address.

    >> 2. Like now with a slight variation: "Mylist list run by barry
    >> at zope.com", where Mylist is hyperlinked to the listinfo page
    >> and "barry at zope.com" is mailto: linked to the -owner
    >> address.

    >> I think I prefer #2.

    JCL> I very slightly prefer #1.  I don't consider this a
    JCL> significant item however, #2 is just fine.

Okay.

    >> Chuq brings up the issue of whether the moderators are included
    >> in email to -admin or -owner, and the current answer is no.  I
    >> can see either adding a standard -moderators address, or always
    >> including the moderators in the -owner address.

    JCL> I consider "moderator" largely synonymous with "owner".
    JCL> Loosely the breakdown I use is:

    |   SiteOwner
    |   ListAdmin
    |   ListOwner == ListModerator
    |   ListMember

Okay, I think I can live with that, even though strictly speaking
"moderators" won't have all the privileges of "owners" (owners can hit
the admin pages, while both groups can hit the admindb pages).

    >> Then what about -admin?  Currently the only distinction between
    >> -admin and -owner is that the former runs the bounce detector
    >> first.  Should -admin go to the moderators too?

    JCL> Admin is useful for bounce processing (tho I'd prefer seeing
    JCL> that using a -bounce address rather than conflating it onto
    JCL> -admin as it makes filtering easier), and for those who
    JCL> actually have write privilege to the list configs (not just
    JCL> post approval).

    JCL> Actually, I'd *really* like to see bounce processing split
    JCL> out to its own address.

Me too.  I remember we had a thread about this a while back.  Doing so
would require regeneration of your alias database, which I seem to
recall was considered to disruptive to backwards compatibility to
adopt for MM2.1.  Maybe we should reconsider (or perhaps I remember
the decision incorrectly).

    >> To complete the circle, we can pass -owner messages through the
    >> SpamDetect.py filter, but not the Hold.py filter.  This isn't
    >> ideal, because I don't think there will be time to make
    >> SpamDetect configurable thru-the-web for 2.1, but it does give
    >> a site admin /some/ ability to filter out the most egregious
    >> spammers.  And I'll posit that spam detection/prevention
    >> filters really ought to be applied site-wide instead of
    >> per-list.

    JCL> Grrrr.  No.  There's to much variation in what particular
    JCL> lists might want, especially in vhosting situations.

I'm not saying that vhosts and/or lists shouldn't be able to augment
site-specific spam controls, but I also don't want to burden every
list admin with having to install their own spam controls to block
/anything/.  It's analogous to MTA spam blocks, which by their nature
are site-wide.

Remember that in post-2.1 I plan on implementing delegation of
configuration: site->vhost->list(->user).

-Barry