Hi Sasha,

On Fri, Sep 05, 2014 at 10:15:34AM -0600, Sasha Pachev wrote:
> Back in the old days we did this with the MySQL list - if the message
> does not contain a set of "magic" keywords that would frequently
> appear in a legitimate message, we reply to the poster telling him to
> include those. He could just reply and the message would go through. I
> do not recall that we checked first to see if the poster was
> subscribed, but we should have.

While that could have worked in the old days where users only used to
send messages by hand, now people also use git send-email to send a
series. For example, Simon uses that to propose his work to be integrated
and that's the proper way to work. So this method risks blocking one or
two messages in a series, and that's really problematic because it requires
manual handling of something usually totally automated (i.e. the mail subject is
taken directly from the Git commit).

> So in that spirit but with some improvements one solution could be:
> 
> - if the poster is subscribed or is on the white list of posters (we
> can generate this by examining if he had posted before, received a
> reply, and then replied to the thread again - to exclude
> auto-responders to spam) let the message through
> - if not send him back some kind of a challenge
> 
> Maybe to avoid auto-reply bots, the challenge could be intelligent,
> e.g. randomly generate a short Perl script or a C program and ask the
> user to respond with the output.

That's already too much for a user wanting to report a bug. We don't want
to discourage users from posting. When I discuss with end users, many, I
really mean *many*, tell me "I faced an issue with X or Y, I'm not sure, etc".
I say "please post your bug to the ML so that we can work on it". They almost
never do it. This is not specific to this list, people do exactly the same
with the kernel mailing list. Most people are shy with mailing lists, and
many newcomers have to be almost raped to accept to post a message. The
smallest stopper you put in front of them and they'll give up. I already
checked in the past, and more than half of the 800+ permanent subscribers
have never posted.

> Of course, a spam bot author could
> rather easily create special logic to figure out that output, but
> chances are he is not going to bother. But if he does, we can punish
> him by adding the logic to detect his address and in that special case
> send the code that takes control of his system, gathers info on all of
> his spam systems, and shuts down all of them if he forgets that he
> needs to execute the code we send him in a chrooted jail or some other
> safe environment.

I'd see it differently: if he wants to automate that, let's have him
post his crap to feed gmail spam boxes once in a while, and not bother
legitimate users with unneeded controls.

Willy

