
--- begin forwarded text

Date: Fri, 27 Dec 1996 00:01:40 -0800
From: Chuq Von Rospach <chuqui@plaidworks.com>
Subject: Re: Forged addresses
To: listmom-talk@skyweyr.com
Mime-Version: 1.0
Precedence: Bulk
Reply-To: listmom-talk@skyweyr.com

At 8:55 PM -0800 12/25/96, Joshua D. Baer wrote:
> Do you mean that new subscribers will not be allowed to post until they
> get personal "approval" from the listmaster? What lists would you
> implement this on? I'd be worried about scaring new people off... it
> might make people afraid to post.

Actually, a two-level beast. *All* lists become moderated. Every posting that's not from a validated moderator therefore goes to the moderator for approval. If someone on the list wants to post without delays, they can become moderated, thereby becoming a "moderator". Users don't have to -- but put up with posting delays until the moderator comes into the loop.

It's somewhat more work for me as moderator. It's a significantly reduced noise level for the list. It forces a positive acceptance of the list rules before someone can post to the list, so this "stupidity by ignorance" goes away -- it also stops the subscribe-and-spam hit and runs, of which I've been nailed by two this month (those are new. Spammers traditionally haven't been smart enough to subscribe, so the non-subscriber limitation has nuked them. These two subscribed, then one set up an auto-bot on his address to respond to every bloody message on the lists with his ad -- to the list. 90 messages later... The other guy just subscribed and started blatting. Both, once I had chats with their postmasters and webmasters, found themselves no longer with email or web addresses, but...)

It has, literally, gotten to the point where I can no longer assume that someone can:

a) type in their email address correctly.
b) read instructions.
c) follow instructions.
d) behave.

so I'm having to revamp my systems to protect them from this new class(es) of internet user. The days of laissez-faire administration are dead. The braindead, the novice blunderer and the spammer have killed them. Sad but true.

So to cut out the Spammers and the folks who have no clue what their email is, my systems will be going to the confirmation-reply-before-subscribe setup. The bogus addresses will bounce before subscription, and the spammers will only be able to send them single pieces of e-mail, not sign them up.

It's *more* hassle for end-users and reduces ease of use, but sometimes, you have to make things a little tougher for the good of everyone. You can make things too easy, and unfortunately, things are too easy for the spammers, so everyone has to suffer a little bit to put THOSE idiots back in the sewer (while I was gone, there was a major spam attack using plaidworks, to the tune of about 25 addresses. Fairly sophisticated in some ways, but mostly, they knew when I wasn't looking and got around my traps. We're backtracking them as we speak, but in one case, they seem to have broken into a machine to send the spam attack, so it'll be tough...)

And to cut out the babblers and other idiots who don't believe they need to behave, be polite, follow rules or whatever, I'm going to make all lists moderated, and then extend moderation privileges to the "trusted" set of users. That's one way of pulling this off without having to rewrite the list servers, as long as they support multiple moderators.

Oh, and on the topic of spammers, here's a warning: some of the spammers seem to have a new, amusing hack: they're forging email aimed at MAILBOTS (like info@plaidworks.com -- and doesn't just about *every* site have at least one mailbot these days?) such that the bot responds to the person being spammed. This one's fairly noxious, because there's no subscription or anything, and generally no address validation (how can you validate addresses coming to a mailbot? Um, you can't, basically), and I don't know about you, but I don't log mailbot requests. Well, I will starting tomorrow...

Anyway -- if you have mailbots, be aware that people might be starting to use them as attacks, also. It requires more work from them, given that mailbots only send one message per incoming, but if you can build a script that sends mail to 1,000 sites and their info@ address, I'm not sure the person being spammed will realize that it could have been *worse*.

And suggestions on how to continue to make mailbots available AND make them reasonably safe encouraged. Logging incoming so you can backtrack headers and try to nail the spammer is at least one way to keep it relatively honest, but I'd rather stop it than patch it together again. That gets tired...

--
Chuq Von Rospach (chuq@solutions.apple.com) Software Gnome
Apple Server Marketing Webmaster <http://www.solutions.apple.com/>

Plaidworks Consulting (chuqui@plaidworks.com) <http://www.plaidworks.com/>
(<http://www.plaidworks.com/hockey/> +-+ The home for Hockey on the net)

I got no name or number/ I just hand out the lumber.
But if I get a chance to play/ I'm going to show 'em.
-- Stick Boy (The Hanson Brothers, SUDDEN DEATH)

--- end forwarded text

-----------------
Robert Hettinga (rah@shipwright.com), Philodox,
e$, 44 Farquhar Street, Boston, MA 02131 USA
"The cost of anything is the foregone alternative" -- Walter Johnson
The e$ Home Page: http://www.vmeng.com/rah/
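
The confirmation-reply-before-subscribe setup described in the forwarded message, as an added sketch that is not part of the original post or of any real list server: a subscribe request with an unverified From: address yields one confirmation mail and no list membership until the token mailed to that address comes back. `SECRET`, `TOKEN_TTL`, `ListServer` and the `expiry.mac` token format are assumptions made for this illustration.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key"   # assumption: per-list secret held by the server
TOKEN_TTL = 3 * 24 * 3600          # assumption: confirmations expire after three days


def _norm(address):
    return address.strip().lower()


def make_token(address, now=None):
    """Return 'expiry.mac', binding the token to one address and a deadline."""
    expiry = int(now if now is not None else time.time()) + TOKEN_TTL
    msg = f"{_norm(address)}|{expiry}".encode()
    mac = hmac.new(SECRET, msg, hashlib.sha256).hexdigest()
    return f"{expiry}.{mac}"


def check_token(address, token, now=None):
    """True only if the token was issued for this address and has not expired."""
    try:
        expiry_s, mac = token.split(".", 1)
        expiry = int(expiry_s)
    except ValueError:
        return False
    msg = f"{_norm(address)}|{expiry}".encode()
    expected = hmac.new(SECRET, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return False
    return (now if now is not None else time.time()) <= expiry


class ListServer:
    def __init__(self):
        self.subscribers = set()
        self.outbox = []   # (recipient, body) pairs the server would mail out

    def request_subscribe(self, claimed_from, now=None):
        # The From: header is unverified, so nothing is added to the list yet.
        token = make_token(claimed_from, now)
        self.outbox.append((_norm(claimed_from), f"Reply with: confirm {token}"))

    def confirm(self, address, token, now=None):
        if check_token(address, token, now):
            self.subscribers.add(_norm(address))
            return True
        return False
```

Because the token is a MAC over the address and expiry, the server keeps no pending-request table, and a token mailed to one address cannot confirm a different one.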