[Mailman-Developers] Interesting study -- spam on posted addresses...

Chuq Von Rospach chuqui@plaidworks.com
Thu, 21 Feb 2002 17:36:34 -0800


On 2/21/02 5:25 PM, "John Morton" <jwm@plain.co.nz> wrote:

>> Nobody has bothered to do this YET. That we know of. But the spamhacks are
>> evolving rapidly.
> 
> Well, let's find out shall we? Set up a honeypot private list containing a
> collection of free mail accounts, then cycle through the account every week
> checking for spam and making some postings to keep the traffic up. Enough
> with the armchair anthropology, already!

Um, John? I've been doing that for months. It's a standard tactic I use to
test for archive harvests. No offense, but given I'd already thought of the
"subscribe and harvest" attack, wouldn't you think I also would have looked
for ways to detect it?

I just don't like to talk about it. One has to think the harvesters are
listening. I don't like giving away too many secrets -- but at the same
time, it's something we have to share ideas and concepts over...

> So basically you need to deploy a countermeasure, monitor its effectiveness,
> and deploy another when it fails. Repeat for as long as you consider it
> important, or can tolerate not resorting to private archives, and
> establishing better trust relationships with the subscribers.

Yup. Sounds familiar.

>> Fact is, if they want your subscribers, they can get them. Or more
>> correctly, your subscribers that post -- but if everyone lurks in fear, why
>> have a mail list?
> 
> I think we all need to take a deep breath and say 'It's only junkmail'.
> They're not spending up large on your credit card or pouring sugar into your
> gas tank. 

I won't argue. I expect Jay will pop up shortly and do it for me. Which is,
I think, the point. Just because you aren't too sensitive to the mail
doesn't mean others aren't -- so we have to keep all of the views in mind.
And this is a case where I actually side more on your view, but still
understand the need to manage this for those that don't have my tolerance
level.

> It's probably one of the top three or four already. Do listserv and majordomo
> admins have a major spam problem?

Majordomo I did. Majordomo II? I dunno. Ditto listserv. I simply haven't
looked.

> (of course you have to publish the mailing list address, so you can deduce
> the admin address from that...:-)

Only if you don't change them. Making them standard might not be a good
idea, once they're hidden behind contact forms.

> The problem with obscurity as a security tool is that it's not reliable.

It only works until it fails, and then you can't fix it. And I've found it
invariably fails at 10PM on a Friday night, when you're about to leave for
the weekend -- unless it's 2PM on a Thursday with a Friday deadline.

> Obscurity is useful. In our case, it's the only prevention tool we have.

I'm not sure obscurity is the right word. Most of what we're talking about
is more of a cloaking effort.


-- 
Chuq Von Rospach, Architech
chuqui@plaidworks.com -- http://www.chuqui.com/

The first rule of holes: If you are in one, stop digging.
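
Added example, not part of the original message and not Mailman code: one way to automate the weekly honeypot check discussed in this thread, by flagging any mail in a canary mailbox that did not arrive through the private list. It assumes the list software stamps a List-Id header (RFC 2919); the list id, the addresses and the sample messages are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed value: the List-Id the honeypot list puts on its own traffic.
HONEYPOT_LIST_ID = "canary-list.lists.example.org"

def list_id(msg):
    """Return the bare identifier from a List-Id header, or '' if absent."""
    raw = msg.get("List-Id", "")
    start, end = raw.rfind("<"), raw.rfind(">")
    inner = raw[start + 1:end] if 0 <= start < end else raw
    return inner.strip().lower()

def harvested_canaries(mailboxes):
    """Map each canary address to the senders of mail that bypassed the list.

    mailboxes: {canary_address: [raw message text, ...]}
    The canary addresses exist only as subscribers of the private list, so
    any message without the list's List-Id means the address has leaked.
    """
    hits = {}
    for canary, raw_messages in mailboxes.items():
        for raw in raw_messages:
            msg = message_from_string(raw)
            if list_id(msg) == HONEYPOT_LIST_ID:
                continue  # expected: the weekly keep-alive postings
            sender = parseaddr(msg.get("From", ""))[1].lower()
            hits.setdefault(canary, []).append(sender)
    return hits

# Constructed sample mailboxes: one canary got direct bulk mail, one did not.
SAMPLE = {
    "canary1@freemail.example": [
        "From: tester@lists.example.org\nTo: canary-list@lists.example.org\n"
        "List-Id: Canary list <canary-list.lists.example.org>\n"
        "Subject: weekly ping\n\nkeep-alive\n",
        "From: Deals <promo@bulk.example>\nTo: canary1@freemail.example\n"
        "Subject: Buy now\n\nunsolicited\n",
    ],
    "canary2@freemail.example": [
        "From: tester@lists.example.org\nTo: canary-list@lists.example.org\n"
        "List-Id: <canary-list.lists.example.org>\n"
        "Subject: weekly ping\n\nkeep-alive\n",
    ],
}

if __name__ == "__main__":
    for canary, senders in harvested_canaries(SAMPLE).items():
        print(f"{canary} leaked; direct mail from: {', '.join(senders)}")
```

A header check like this only separates list traffic from direct mail; a sender who copies the List-Id value would need a stricter test, such as matching the Received chain against the list host.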