At 9:06 PM +0000 3/27/97, D. J. Bernstein wrote:
>Destroying the reliability of Internet mail won't stop spammers.
>
>Need a particular spelling in the From line? No problem; they'll copy
>the spelling. Need a complete header? No problem; they'll copy someone's
>complete header. Doing some Received tests? No problem; they'll send
>mail through one of the >100000 SMTP servers that don't record sources.
>Doing ``administrativia'' tests? No problem; they'll filter the same
>words that you do.
>
>A year later you find yourself surrounded by half-assed ``security''
>mechanisms that make life difficult for normal users (``sorry, folks,
>can't send mail to the list unless you want anyone to be able to destroy
>your subscription'') while the unsolicited commercial e-mail continues
>to pour in.
>
>I've set up a mailing list to discuss attacks against mailing lists and
>mailing list subscribers, and to discuss methods of protecting against
>attacks. To join, send a message to
>
> djb-list-protection-subscribe@koobera.math.uic.edu
>
>Unlike the list-abuse mailing list, list-protection is open, with
>archives available to anyone who wants to see them. We need security
>mechanisms that _don't_ rely on Chapman-style obscurity.

The administrivia filters that you tripped over have been in Majordomo
since well before spam started to become a problem on the net; they are
intended primarily to deal with naive users sending requests to the list
posting address. You'd be amazed at how much of that our administrivia
filters catch. Sure, they could be better. It would be nice if they
caught _all_ the administrivia and _only_ the administrivia, but as it
stands they're better than nothing; they catch most of the administrivia,
and don't catch much that's not administrivia.

Accepting posts from subscribers only _has_ been very effective at cutting
down the amount of spam sent to List-Managers. I haven't (yet) had a
problem with spammers forging email from me; I HAVE had a problem with YOU
forging email from me.

When you figure out your perfect solution, let us all know; I'm sure we'll
all want to take a look at it. In the meantime, we'll just keep making do
with what's available today, and we'd appreciate it if you wouldn't go out
of your way to make a nuisance of yourself.

-Brent
--
Brent Chapman Internet/intranet training and consulting,
Brent@GreatCircle.COM specializing in network design and security.
Great Circle Associates,Inc. Visit us at http://www.greatcircle.com/