[Mailman-Developers] Interesting study -- spam on posted addresses...

Damien Morton dm-temp-310102@nyc.rr.com
Thu, 21 Feb 2002 13:32:44 -0500


Interestingly enough, the first place I ever saw the reverse Turing test
in use was in the signup for a Yahoo account.

"This step helps Yahoo! prevent automated registrations."
http://edit.my.yahoo.com/config/eval_register?.partner=&.intl=us&.src=my&.last=

The objective should be to raise the cost of harvesting. As you say, it
can't be prevented, but forcing a human into the loop can raise the cost
substantially.


> -----Original Message-----
> From: mailman-developers-admin@python.org 
> [mailto:mailman-developers-admin@python.org] On Behalf Of 
> Chuq Von Rospach
> Sent: Thursday, 21 February 2002 12:24
> To: Dale Newfield; mailman-developers@python.org
> Subject: Re: [Mailman-Developers] Interesting study -- spam 
> onpostedaddresses...
> 
> 
> On 2/21/02 8:28 AM, "Dale Newfield" <dale@newfield.org> wrote:
> 
> > On Thu, 21 Feb 2002, Damien Morton wrote:
> >> Making a private archive available to those who are list members
> > 
> > I haven't commented on this before, but the reason I find this
> > solution lacking is that most mailman lists (in my experience) don't
> > require list admin permission to join.  If this is the hurdle, as a
> > spammer I'd just create a hotmail account that I can automatically
> > subscribe to any mailman mailing list, and then gain access to the
> > honeypot.
> 
> This hits another aspect of my design philosophy. Don't sweat 
> making one part of the system more secure than the other parts.
> 
> In this case, you hit a nail on the head. If a spammer 
> really, really wants your subscribers, we can't stop him. 
> They can simply subscribe to a list and harvest it as it 
> comes across. Unless you choose to anonymize every bloody 
> message -- a spammer will win if they're motivated enough, 
> and a smart spammer will do so in a way you'll never find. 
> Like setting up a hotmail address for each list, so you can't 
> see that all 30 lists have the same address in common, and 
> simply reading messages as they come by.
> 
> And since, inherently, you can't stop THAT, it makes no sense 
> to make archives more secure than that. Any spammer smart 
> enough to be willing to subscribe to a list to do their 
> harvesting, you're going to have a very tough time stopping. 
> Basically, you have to get lucky or hope they make a mistake 
> of some sort.
> 
> So since you can't make the subscription process more secure 
> than that -- why try to make the archives more secure than 
> the subscription process? It's extra work for no real gain, 
> because any spammer with a clue will go through the patio 
> door in the backyard instead of the front door with the three 
> deadlocks and the security gate...
> 
> 
> -- 
> Chuq Von Rospach, Architech
> chuqui@plaidworks.com -- http://www.chuqui.com/
> 
> Yes, I am an agent of Satan, but my duties
> are largely ceremonial.
> 
> 
> _______________________________________________
> Mailman-Developers mailing list
> Mailman-Developers@python.org 
> http://mail.python.org/mailman/listinfo/mailman-developers
>