[Mailman-Users] confimation system for outside postings

[Brad Knowles]

At 1:08 PM +0200 2005-05-17, Andreas Jellinghaus wrote:

>  is there any mailman extension that implements a challange / confirm based
>  system for outside postings? I guess that would stop spam very well, and
>  neither cause much work for the listadmin, and would be very comfortable
>  for the occasional poster (that might read the mailing list via 
>gmane and thus
>  is not subscribed).

	TMDA is a challenge-response system, and is one of the most 
loathed attempts to "solve" the anti-spam problem.  Among other 
things, it turns you into a spam amplifier -- someone sends you 
millions of spam messages in the name of some other poor sap, and 
your system sends back millions of challenges which bury his mail 
server.

	Even if you solve the "Joe Job"/spam amplification problem, 
someone can joe-job you and send out millions of spams in your name, 
and when people complain to you or the spam bounces (because the 
recipient address was invalid), your mail machine gets buried trying 
to send out all those challenges.

	Bad idea.  Really bad idea.  Really heinously bad idea.  In fact, 
I can't think of any worse ideas I've heard of in this field.


	However, if you just have to get an idea of how bad it is, take a 
look at one example of how to get Mailman working with TMDA at 
<http://www.python.org/cgi-bin/faqw-mm.py?req=show&file=faq06.007.htp>.

	Keep in mind that I help run the mailman-users and 
mailman-developers mailing lists, as well as the mail services for 
python.org and a number of other sites, and this set of instructions 
scares the willies out of me.

-- 
Brad Knowles, <brad at stop.mail-abuse.org>

"Those who would give up essential Liberty, to purchase a little
temporary Safety, deserve neither Liberty nor Safety."

     -- Benjamin Franklin (1706-1790), reply of the Pennsylvania
     Assembly to the Governor, November 11, 1755

   SAGE member since 1995.  See <http://www.sage.org/> for more info.