[Mailman-Developers] Interesting study -- spam on posted addresses...
Damien Morton
dm-temp-310102@nyc.rr.com
Thu, 21 Feb 2002 13:32:44 -0500
Interestingly enough, the first place I ever saw the reverse Turing test
in use was in the signup for a Yahoo account.
"This step helps Yahoo! prevent automated registrations."
http://edit.my.yahoo.com/config/eval_register?.partner=&.intl=us&.src=my&.last=
The objective should be to raise the cost of harvesting. As you say, it
can't be prevented, but forcing a human into the loop can raise the cost
substantially.
> -----Original Message-----
> From: mailman-developers-admin@python.org
> [mailto:mailman-developers-admin@python.org] On Behalf Of
> Chuq Von Rospach
> Sent: Thursday, 21 February 2002 12:24
> To: Dale Newfield; mailman-developers@python.org
> Subject: Re: [Mailman-Developers] Interesting study -- spam
> onpostedaddresses...
>
>
> On 2/21/02 8:28 AM, "Dale Newfield" <dale@newfield.org> wrote:
>
> > On Thu, 21 Feb 2002, Damien Morton wrote:
> >> Making a private archive available to those who are list members
> >
> > I haven't commented on this before, but the reason I find this
> > solution lacking is that most mailman lists (in my experience) don't
> > require list admin permission to join. If this is the hurdle, as a
> > spammer I'd just create a hotmail account that I can automatically
> > subscribe to any mailman mailing list, and then gain access to the
> > honeypot.
>
> This hits another aspect of my design philosophy. Don't sweat
> making one part of the system more secure than the other parts.
>
> In this case, you hit a nail on the head. If a spammer
> really, really wants your subscribers, we can't stop him.
> They can simply subscribe to a list and harvest it as it
> comes across. Unless you choose to anonymize every bloody
> message -- a spammer will win if they're motivated enough,
> and a smart spammer will do so in a way you'll never find.
> Like setting up a hotmail address for each list, so you can't
> see that all 30 lists have the same address in common, and
> simply reading messages as they come by.
>
> And since, inherently, you can't stop THAT, it makes no sense
> to make archives more secure than that. Any spammer smart
> enough to be willing to subscribe to a list to do their
> harvesting, you're going to have a very tough time stopping.
> Basically, you have to get lucky or hope they make a mistake
> of some sort.
>
> So since you can't make the subscription process more secure
> than that -- why try to make the archives more secure than
> the subscription process? It's extra work for no real gain,
> because any spammer with a clue will go through the patio
> door in the backyard instead of the front door with the three
> deadlocks and the security gate...
>
>
> --
> Chuq Von Rospach, Architech
> chuqui@plaidworks.com -- http://www.chuqui.com/
>
> Yes, I am an agent of Satan, but my duties
> are largely ceremonial.
>
>
> _______________________________________________
> Mailman-Developers mailing list
> Mailman-Developers@python.org
> http://mail.python.org/mailman/listinfo/mailman-developers
>