On Wed, Nov 13, 2002 at 09:38:33AM -0500, Justin S. Peavey <[EMAIL PROTECTED]> is thought to have said:
> Welcome to BBLISA! Your concerns above are noted. Our subscriber
> policies date back from before majordomo (or other popular listserv
> agents) handled 'confirmed' addresses; and we have seen no real need
> to change them to this point. Additionally, we also have
> open-posting policies that do not require you to be a member to post,
> so confirmed-addresses really will not assist in spam reduction. We
> have Majordomo configured in a way that requires matching of your
> subscriber address to your actual sent-address (alleviating the
> "accidentally subscribe from wrong address" problem), with exceptions
> requiring approval from an administrator. We also have some very
> aggressive anti-spam code in place thanks to our sysadmin, Theo Van
> Dinter, that catches well over 95% of attempted spam postings to the
> list.
>
> We have entertained changing list policies at several meetings, but to
> date the general consensus has been "it's working and it's
> convenient"; especially the ability to post to the list from a variety
> of email addresses.

Justin,

While the issue of open list posting is one that can be debated, I cannot think of even a single reason why running a mailing list manager that is not configured to confirm subscriptions is considered acceptable. The point is not to protect the legitimate subscribers of bblisa's mailing lists from spam, the point is to protect everyone else on the net from being maliciously subscribed to a list without their permission.

Consider what would happen if someone forged subscription requests for even as few as 20-30 random victims' email addresses (particularly those of technically unsophisticated internet users). On the first post sent to the list, spam or no, the list would quickly fill up with requests from these people to be removed, or would end up being reported to their own ISPs as spam (and really it is, because they certainly didn't sign up for it).

Seem unlikely? It isn't. I've seen exactly this happen with lists hosted at what used to be Shore.Net in 1996 when people exploited our open list server to abuse others. 1996! Frankly I'm surprised that in 2002, amongst a group of technically clued folks, a version of Majordomo which is configured *by default* to require confirmations has been set up to allow anyone to forge a subscription to anyone else.

I would encourage everyone on this list to take a few minutes and read over MAPS' BCP document for list management at http://www.mail-abuse.org/manage.html and take the appropriate actions to secure *any* mailing list they have control over.

We of all people should be setting the standard for best practices where list management is concerned. And we should strive to help other list managers secure their lists where we find them as well.

So, uh, that would be a vote to change all of the bblisa lists to require confirmations. :)

Tabor

--
--------------------------------------------------------------------
Tabor J. Wells [EMAIL PROTECTED]
Fsck It! Just another victim of the ambient morality

---
Send mail for the `bblisa' mailing list to `[EMAIL PROTECTED]'.
Mail administrative requests to `[EMAIL PROTECTED]'.
