Re: Regarding all the spam...
Boyle Owen wrote: -Original Message- From: Ben Laurie [mailto:[EMAIL PROTECTED] I disagree. I've lost the thread... You want to limit posting to subscribers only or you don't? I don't. -- http://www.apache-ssl.org/ben.html http://www.thebunker.net/ There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit. - Robert Woodruff __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Regarding all the spam...
On Mar 2, 2004, at 8:37 PM, Joseph Bruni wrote: I don't know about that. During the latest Windows exploit virus blast (when are they going to fix their stuff?) I kept getting bombed by AV bounces aimed at openssl-users-l. Not to mention that the list was DOWN during that time as well. A good number of my posts just got timed out by my legitimate SMTP relay. On Mar 2, 2004, at 2:15 PM, L Nehring wrote: Have we now crossed the threshold where there are more off-topic messages discussing spam than spam messages themselves? There just doesn't seem to be a real need to take any action at all given the small number of UCE or antivirus bounce messages. To put some concrete numbers on this, my mail logs note rejecting 24 messages MAIL FROM: [EMAIL PROTECTED] in the past month, and I have 14 more in my junk folder. So no, we most certainly have not crossed that threshold. Scott __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
RE: Regarding all the spam...
-Original Message- From: Scott Lamb [mailto:[EMAIL PROTECTED] The spammer who zapped the mod_ssl list (see http://marc.theaimsgroup.com/?l=apache-modsslr=1b=200403w=2) has now moved onto this list (see content-free mail apparently from rse...) Can someone with admin powers block these spams? Rgds, Owen Boyle Disclaimer: Any disclaimer attached to this message may be ignored. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] Diese E-mail ist eine private und persönliche Kommunikation. Sie hat keinen Bezug zur Börsen- bzw. Geschäftstätigkeit der SWX Gruppe. This e-mail is of a private and personal nature. It is not related to the exchange or business activities of the SWX Group. Le présent e-mail est un message privé et personnel, sans rapport avec l'activité boursière du Groupe SWX. This message is for the named person's use only. It may contain confidential, proprietary or legally privileged information. No confidentiality or privilege is waived or lost by any mistransmission. If you receive this message in error, please notify the sender urgently and then immediately delete the message and any copies of it from your system. Please also immediately destroy any hardcopies of the message. You must not, directly or indirectly, use, disclose, distribute, print, or copy any part of this message if you are not the intended recipient. The sender's company reserves the right to monitor all e-mail communications through their networks. Any views expressed in this message are those of the individual sender, except where the message states otherwise and the sender is authorised to state them to be the views of the sender's company. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Regarding all the spam...
Boyle Owen wrote: -Original Message- From: Scott Lamb [mailto:[EMAIL PROTECTED] The spammer who zapped the mod_ssl list (see http://marc.theaimsgroup.com/?l=apache-modsslr=1b=200403w=2) has now moved onto this list (see content-free mail apparently from rse...) Can someone with admin powers block these spams? This is no spam, but, according to our mail virus scanner, a worm named WORM_NETSKY.B. Btw, how can a content-free mail be spam? ;-) Ciao, Richard -- Dr. Richard W. Könning Fujitsu Siemens Computers GmbH __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Regarding all the spam...
(openssl-users) This is way off-topic, so let me apologize in advance. Here's some of my own email numbers to give a piece of my perspective of the talk about spam on the openssl list and why I just don't see a real problem. I run a pair of email servers on a very small domain that serves about 10 live users. I received a total of 21204 emails in the past month for the domain. In that time frame, I quarantined 1626 messages containing viruses, 3671 messages were rejected, 1267 messages bounced, and 1431 messages were marked as spam. Maybe my threshold for pain is higher than normal, but if I were to get just 24 or even less than 50 rejected|spam|virus messages per day, I would be checking my email servers for misconfiguration or compromise. Doesn't matter where the bad messages actually come from anymore, since it's becoming a given that the 'mail from:' address is invalid or spoofed. I can't imagine that a change that restricts who might post to the openssl list would have any noticeable effect on email in my little domain or anywhere else. It might be better to petition the antivirus vendors to remove the arcane/useless bounce notification feature (that has become a serious source of spam). If a person didn't know they sent a virus, they probably aren't going to know what to do if they're notified about it. I they did know they sent a virus, then they aren't going to care... More likely however, is that the person didn't send any original virus message at all and was just unlucky enough to have their address spoofed so that they would end up with a mysterious bounce message. .this could be exploited in a similar manner to an ICMP smurf attack - if you want to mail-bomb somebody just mass mail a virus-laden email with the from address of your target. Doesn't matter what the virus is or what it does as long as it's detected and triggers an automatic response. Probably works better if the mass mailing includes mail lists in increase the amount of AV notices sent to the target. Again, I apologize again for being off-topic. I'll copy this post over the the Full-disclosure list to let the thread continue there. Scott Lamb wrote: On Mar 2, 2004, at 8:37 PM, Joseph Bruni wrote: I don't know about that. During the latest Windows exploit virus blast (when are they going to fix their stuff?) I kept getting bombed by AV bounces aimed at openssl-users-l. Not to mention that the list was DOWN during that time as well. A good number of my posts just got timed out by my legitimate SMTP relay. On Mar 2, 2004, at 2:15 PM, L Nehring wrote: Have we now crossed the threshold where there are more off-topic messages discussing spam than spam messages themselves? There just doesn't seem to be a real need to take any action at all given the small number of UCE or antivirus bounce messages. To put some concrete numbers on this, my mail logs note rejecting 24 messages MAIL FROM: [EMAIL PROTECTED] in the past month, and I have 14 more in my junk folder. So no, we most certainly have not crossed that threshold. Scott __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Regarding all the spam...
Rich Salz wrote: I think I misunderstood that question. I honestly don't know what we would lose. Maybe a sense of openness. In the past -- at least, say, 2-3 years ago -- we had a couple of anonymous posters who made very worthwhile contributions. Haven't seen that recently. Also, it used to be in the spirit of crypto open source (cypherpunkcs, etc) to allow anon posting because of the whoele ethos thing. Probably not worth supporting any more. I disagree. -- http://www.apache-ssl.org/ben.html http://www.thebunker.net/ There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit. - Robert Woodruff __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
RE: Regarding all the spam...
-Original Message- From: Ben Laurie [mailto:[EMAIL PROTECTED] I disagree. I've lost the thread... You want to limit posting to subscribers only or you don't? BTW, the mod_ssl list has been swamped by some spammer. Would this list be immune to these posts (the spammer is craftily spoofing the From field..) Rgds, Owen Boyle Disclaimer: Any disclaimer attached to this message may be ignored. -- http://www.apache-ssl.org/ben.html http://www.thebunker.net/ There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit. - Robert Woodruff __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] Diese E-mail ist eine private und persönliche Kommunikation. Sie hat keinen Bezug zur Börsen- bzw. Geschäftstätigkeit der SWX Gruppe. This e-mail is of a private and personal nature. It is not related to the exchange or business activities of the SWX Group. Le présent e-mail est un message privé et personnel, sans rapport avec l'activité boursière du Groupe SWX. This message is for the named person's use only. It may contain confidential, proprietary or legally privileged information. No confidentiality or privilege is waived or lost by any mistransmission. If you receive this message in error, please notify the sender urgently and then immediately delete the message and any copies of it from your system. Please also immediately destroy any hardcopies of the message. You must not, directly or indirectly, use, disclose, distribute, print, or copy any part of this message if you are not the intended recipient. The sender's company reserves the right to monitor all e-mail communications through their networks. Any views expressed in this message are those of the individual sender, except where the message states otherwise and the sender is authorised to state them to be the views of the sender's company. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Regarding all the spam...
Rich Salz wrote: Probably not worth supporting any more. Ben Laurie wrote: I disagree. Ben's voice carries way more weight than mine :) I stand down... /r$ -- Rich Salz, Chief Security Architect DataPower Technology http://www.datapower.com XS40 XML Security Gateway http://www.datapower.com/products/xs40.html XML Security Overview http://www.datapower.com/xmldev/xmlsecurity.html __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Regarding all the spam...
On Feb 24, 2004, at 9:55 AM, Rich Salz wrote: I think I misunderstood that question. I honestly don't know what we would lose. Maybe a sense of openness. In the past -- at least, say, 2-3 years ago -- we had a couple of anonymous posters who made very worthwhile contributions. Haven't seen that recently. Also, it used to be in the spirit of crypto open source (cypherpunkcs, etc) to allow anon posting because of the whoele ethos thing. I think there's a huge distinction to be made between disallowing anonymous posting and disallowing non-moderated posting by non-members. You can easily register a hotmail account or whatever and join the mailing list anonymously. In fact, anonymity has _nothing_ to do with whether you are a member of the mailing list or not. Scott __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Regarding all the spam...
On Tue, Mar 02, 2004 at 11:47:43AM -0600, Scott Lamb wrote: On Feb 24, 2004, at 9:55 AM, Rich Salz wrote: I think I misunderstood that question. I honestly don't know what we would lose. Maybe a sense of openness. In the past -- at least, say, 2-3 years ago -- we had a couple of anonymous posters who made very worthwhile contributions. Haven't seen that recently. Also, it used to be in the spirit of crypto open source (cypherpunkcs, etc) to allow anon posting because of the whoele ethos thing. I think there's a huge distinction to be made between disallowing anonymous posting and disallowing non-moderated posting by non-members. You can easily register a hotmail account or whatever and join the mailing list anonymously. In fact, anonymity has _nothing_ to do with whether you are a member of the mailing list or not. a hotmail account might be considered a handy tool but it hardly could be regarded as anonymous. Please take a look at mixmaster.sf.net (the tool) and network of remailers running around. There was mixmaster protocol ietf draft published recently It is not quite clear whether there's a chance to both accept mail from remailers and kill the junk regards, Vadim __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Regarding all the spam...
Vadim Fedukovich wrote: a hotmail account might be considered a handy tool but it hardly could be regarded as anonymous. Please take a look at mixmaster.sf.net (the tool) and network of remailers running around. There was mixmaster protocol ietf draft published recently That was the or whatever. ;) You can be as thorough as you like, but registering a random hotmail account and perhaps sending mail from a public place is frequently good enough. (I personally don't see the need for perfect anonymity when posting questions about an API, even a security-related one.) I don't see why using an anonymous remailer for greater protection would be any different - IIRC they support creating a consistent pseudonym and sending and receiving many mails to/from it. It is not quite clear whether there's a chance to both accept mail from remailers and kill the junk I think just simply requiring people to be list members before posting would be enough to make a big impact. This would completely stop the you sent us a virus messages that Robin Lynn Frank mentioned. Anti-virus software is not going to subscribe to the mailing list first; if its makers had realized these messages would be sent to mailing lists, they wouldn't be sending them at all. And while spammers _could_ subscribe to mailing lists before sending a bunch of spam, they typically don't, based on my experiences with other lists. regards, Vadim Thanks, Scott __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Regarding all the spam...
Have we now crossed the threshold where there are more off-topic messages discussing spam than spam messages themselves? There just doesn't seem to be a real need to take any action at all given the small number of UCE or antivirus bounce messages. r, Lance __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Regarding all the spam...
I think just simply requiring people to be list members before posting would be enough to make a big impact. You dont necessarily have to force people to become members. Just ensure that all anonymous posts are be moderated, and the problem is solved. The spam, viruses and anonymous posts get redirected to one administrators inbox, who agrees to put up with them, and legit anonymous posts are allowed into the list from there. Everyone is happy. I've set this up for a couple of lists I manage after problems with spam, and it works well. I do agree with Lance, though, about the irony of the fact that we're generating more mail discussing this than the spammers themselves :) -Patrick -- RedHerring: Linux wiki support and tutorials http://covox.sepwich.com/linux CECID: The CEnsorship CIrcumvention Device http://cecid.sf.net __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Regarding all the spam...
I don't know about that. During the latest Windows exploit virus blast (when are they going to fix their stuff?) I kept getting bombed by AV bounces aimed at openssl-users-l. Not to mention that the list was DOWN during that time as well. A good number of my posts just got timed out by my legitimate SMTP relay. On Mar 2, 2004, at 2:15 PM, L Nehring wrote: Have we now crossed the threshold where there are more off-topic messages discussing spam than spam messages themselves? There just doesn't seem to be a real need to take any action at all given the small number of UCE or antivirus bounce messages. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Regarding all the spam...
On Tue, Feb 24, 2004 at 01:27:05PM +0100, Richard Levitte - VMS Whacker wrote: I think I misunderstood that question. I honestly don't know what we would lose. Maybe a sense of openness. get someone to moderate the list - problem solved. vh Mads Toftum -- `Darn it, who spiked my coffee with water?!' - lwall __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Regarding all the spam...
In message [EMAIL PROTECTED] on Tue, 24 Feb 2004 13:32:40 +0100, Mads Toftum [EMAIL PROTECTED] said: mads On Tue, Feb 24, 2004 at 01:27:05PM +0100, Richard Levitte - VMS Whacker wrote: mads mads I think I misunderstood that question. I honestly don't know what we mads would lose. Maybe a sense of openness. mads mads get someone to moderate the list - problem solved. *cough* you do know what you're talking about, right? - Please consider sponsoring my work on free software. See http://www.free.lp.se/sponsoring.html for details. -- Richard Levitte \ Tunnlandsvägen 52 \ [EMAIL PROTECTED] [EMAIL PROTECTED] \ S-168 36 BROMMA \ T: +46-708-26 53 44 \ SWEDEN \ Procurator Odiosus Ex Infernis-- [EMAIL PROTECTED] Member of the OpenSSL development team: http://www.openssl.org/ Unsolicited commercial email is subject to an archival fee of $400. See http://www.stacken.kth.se/~levitte/mail/ for more info. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Regarding all the spam...
In message [EMAIL PROTECTED] on Tue, 24 Feb 2004 12:59:37 +0100, Lyngmo Ted [EMAIL PROTECTED] said: ted.lyngmo Is it possible to post messages to the mailing list ted.lyngmo without being a member? Yes, openssl-users is completely open. ted.lyngmo If so, what would we lose by changing that? Some people will have their responses go to [EMAIL PROTECTED] You will miss those replies. - Please consider sponsoring my work on free software. See http://www.free.lp.se/sponsoring.html for details. -- Richard Levitte \ Tunnlandsvägen 52 \ [EMAIL PROTECTED] [EMAIL PROTECTED] \ S-168 36 BROMMA \ T: +46-708-26 53 44 \ SWEDEN \ Procurator Odiosus Ex Infernis-- [EMAIL PROTECTED] Member of the OpenSSL development team: http://www.openssl.org/ Unsolicited commercial email is subject to an archival fee of $400. See http://www.stacken.kth.se/~levitte/mail/ for more info. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Regarding all the spam...
In message [EMAIL PROTECTED] on Tue, 24 Feb 2004 12:59:37 +0100, Lyngmo Ted [EMAIL PROTECTED] said: ted.lyngmo If so, what would we lose by changing that? I think I misunderstood that question. I honestly don't know what we would lose. Maybe a sense of openness. - Please consider sponsoring my work on free software. See http://www.free.lp.se/sponsoring.html for details. -- Richard Levitte \ Tunnlandsvägen 52 \ [EMAIL PROTECTED] [EMAIL PROTECTED] \ S-168 36 BROMMA \ T: +46-708-26 53 44 \ SWEDEN \ Procurator Odiosus Ex Infernis-- [EMAIL PROTECTED] Member of the OpenSSL development team: http://www.openssl.org/ Unsolicited commercial email is subject to an archival fee of $400. See http://www.stacken.kth.se/~levitte/mail/ for more info. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
RE: Regarding all the spam...
Richard Levitte wrote: Ted Lyngmo wrote: Is it possible to post messages to the mailing list without being a member? If so, what would we lose by changing that? I honestly don't know what we would lose. Maybe a sense of openness. True, but considering how easy it is to become a member, my suggestion is that posting to the list is made available for members only. Kind regards, Ted Lyngmo __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Regarding all the spam...
On Tue, Feb 24, 2004 at 01:40:03PM +0100, Richard Levitte - VMS Whacker wrote: mads get someone to moderate the list - problem solved. *cough* you do know what you're talking about, right? yes. Allow members to post and only non-members if moderated through - I wouldn't suggest it if I didn't do the same for other lists already. vh Mads Toftum -- `Darn it, who spiked my coffee with water?!' - lwall __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Regarding all the spam...
In message [EMAIL PROTECTED] on Tue, 24 Feb 2004 13:54:57 +0100, Mads Toftum [EMAIL PROTECTED] said: mads On Tue, Feb 24, 2004 at 01:40:03PM +0100, Richard Levitte - VMS Whacker wrote: mads mads get someone to moderate the list - problem solved. mads mads *cough* you do know what you're talking about, right? mads mads yes. Allow members to post and only non-members if moderated through - mads I wouldn't suggest it if I didn't do the same for other lists already. Ah, that form. Sorry, got confused... - Please consider sponsoring my work on free software. See http://www.free.lp.se/sponsoring.html for details. -- Richard Levitte \ Tunnlandsvägen 52 \ [EMAIL PROTECTED] [EMAIL PROTECTED] \ S-168 36 BROMMA \ T: +46-708-26 53 44 \ SWEDEN \ Procurator Odiosus Ex Infernis-- [EMAIL PROTECTED] Member of the OpenSSL development team: http://www.openssl.org/ Unsolicited commercial email is subject to an archival fee of $400. See http://www.stacken.kth.se/~levitte/mail/ for more info. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Regarding all the spam...
I think I misunderstood that question. I honestly don't know what we would lose. Maybe a sense of openness. In the past -- at least, say, 2-3 years ago -- we had a couple of anonymous posters who made very worthwhile contributions. Haven't seen that recently. Also, it used to be in the spirit of crypto open source (cypherpunkcs, etc) to allow anon posting because of the whoele ethos thing. Probably not worth supporting any more. /r$ -- Rich Salz Chief Security Architect DataPower Technology http://www.datapower.com XS40 XML Security Gateway http://www.datapower.com/products/xs40.html XML Security Overview http://www.datapower.com/xmldev/xmlsecurity.html __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
RE: Regarding all the spam...
This chain of email regarding SPAM originated with the topic to reduce the SPAM in this group email... The only way to moderate a group email list is to formalize the method of how it is delivered. If interested people are asked to join as a member, they can be turned off if proved to be malicious. Otherwise, anyone can keep sending emails with bad intent in any email name from yahoo, msn, etc. If they are forced to sign-up each time, they will eventually go pick on another email group. In addition, if enough interest is responding, I can post a Bulletin Board for topics, and people can choose to go there instead of through group email listings. I otherwise agree that non-members need to become members to post. Best Regards; Ken Hackenberg [EMAIL PROTECTED] www.xzone9.com AOL IM- khkenberg (480) 726.8579 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lyngmo Ted Sent: Tuesday, February 24, 2004 5:41 AM To: [EMAIL PROTECTED] Subject: RE: Regarding all the spam... Richard Levitte wrote: Ted Lyngmo wrote: Is it possible to post messages to the mailing list without being a member? If so, what would we lose by changing that? I honestly don't know what we would lose. Maybe a sense of openness. True, but considering how easy it is to become a member, my suggestion is that posting to the list is made available for members only. Kind regards, Ted Lyngmo __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]