On Wed, Feb 20, 2002 at 10:15:33AM -0800, Chuq Von Rospach wrote: > On 2/20/02 9:31 AM, "Jay R. Ashworth" <[EMAIL PROTECTED]> wrote: > > But I still think it's important to keep firmly uppermost in our minds > > here that the spam is not *caused* by the mailing list. > > > > Nor is it caused by Google > > > > It's *caused* by the spammers. > > And burglary is not caused by my owning nice things, either. It's caused by > burglars. But that's no excuse to not put locks on the doors.
A mailing list -- a publically accessible mailing list -- isn't your house. It's the city library. Those are typically not locked up as tightly your house, during the day. > > I realize that we have practical considerations to deal with which are > > much closer to our feet, but I think that it's quite important that we > > don't lose sight of the forest for the trees. > > See, here's our disagreement here. You're saying "put the damn burglars in > jail already!" and I'm saying "I agree, but until that's done, I still think > I'm installing that deadbolt on the front door". > > You're right, Jay, but does being right matter? Unless you know how to stop > the spammers, it's a pyhrric victory -- because it does nothing to protect > yourself from the spammers. *I* protect *myself* from the spammers, actually, thank you very much. Perhaps that sounds elitist. So be it. > Even with a good deadbolt, burglaries still happen. Is that an excuse not to > put the deadbolt on in the first place? No. Well, again: would you deadbolt the public library? > > I personally can't think of any method of programmatically obscuring > > email addresses that can't be programmatically reversed. > > Have you seen what slashdot is doing? I think it has promise, because while > it's still reversible programmatically, it makes it much more difficult to > do. Will they still get harvested? Most likely. But not nearly as quickly as > most other sites, and it's going to make the spambots crazy trying to eat > each page looking to figure out if it knows which obfuscation to > de-obfuscate. Actually, no, I haven't bothered with /. in some time... I'll take a look. [ looks ] Hmmm... there are a couple of ways that you *don't* want to despam an adress; hope they didn't hit any of them. > But I've been thinking about this, and I want to throw a couple of ideas > out. I'm speaking just of the admin-access issue, not archives. > > Admin-access has three components to it, all in conflict. > > 1) The list admin needs to be accessible to everyone, not just subscribers. > > 2) the list admin shouldn't be an open target to spam. > > 3) Someone has to be accessible for problem reports even if the Mailman > system is malfunctioning. > > That third point is a bit of a shift. I've come to the thought (and we can > argue it) that LIST admins don't need to be accessible if MAILMAN fails. The > MAILMAN admin does. And I think the chances are good that the MAILMAN admin > is more likely than not also the person who gets abuse@, root@, postmaster@, > so the SITE admin mailbox is already wide open to all these idiots. Making > it wide open to mailman spam simply isn't significant. I don't need to argue it; I concur: if the server falls over, the server admin is the target. And yeah, they should be wearing armor already. > That, basically, allows us to stuff mailtos somewhere pointing to an address > you can mail to to report site failures. I'll even go farther and say that > address can simply be on a web page, not linked to a Mailto, and if you > really, reallly want, obscure it further as a JPG or something. But I think > that's all overkill, given that spammers now automatically spam > root/postmaster/etc on domains anyway. > > That takes care of the "access in case of failure" mode, mostly by, frankly, > simply annointing ONE person (the site admin) as "it" for open access. Not > great, but it's sure better than making all admins deal with it. No problem there. > That then allows us to deal with (1) and (2). Which means we can now put > admin access behind some kind of web interface. And - we already have 80% of > that, in the current admin interface. > > So I recommend this: > > You no longer advertise admin's real addresses. Instead, you advertise a > feedback that sends messages to the admin, to discourage mailing directly. > A year ago, I probably would have insisted on SOME kind of email contact > point, but frankly -- the percentage of users who can't use a web page is > pretty much zero now. This is, alas, a different topic. When I send a complaint to someone about something, *I want a copy of that message in my outbox*. I *hate* mail forms. With an unbridled, flaming passion. They usually don't spell check; they don't get my sig file, etc, etc, ad nauseum. I can at least tolerate it, if you'll carbon me a copy, but it's still suboptimal. > And since 2.1 has better filtering capabilities, we get those filtering > capabilities for free on incoming admin email. And this stuff isn't thrown > in an admin's mailbox -- it's dealt with as part of the normal admin list > functions, reducing the interruption/hassle factor. And the admin addresses > won't end up in spammer databases, because they no longer exist. Now *that* part, I like. > Thoughts? It's not perfect, but now only one guy is "it", and the admins are > accessible but protected -- and can better separate their list-admin "me" > from their real "me" on top of it. And the site admin is more likely IMHO to > be capable of managing their mailbox from spam than forcing all list admins > to learn how to do that... Personally, I'm a little tired of "But I'm too lazy" (to learn how to set up spam filters) being an acceptable excuse. If you can't find someone to run your list with a clue, then maybe you shouldn't have a list. But that's why *I'm* not the Mailman product line manager. :-) Cheers, -- jra -- Jay R. Ashworth [EMAIL PROTECTED] Member of the Technical Staff Baylink RFC 2100 The Suncoast Freenet The Things I Think Tampa Bay, Florida http://baylink.pitas.com +1 727 647 1274 "If you don't have a dream; how're you gonna have a dream come true?" -- Captain Sensible, The Damned (from South Pacific's "Happy Talk") _______________________________________________ Mailman-Developers mailing list [EMAIL PROTECTED] http://mail.python.org/mailman/listinfo/mailman-developers
