Re: Fwd: Please confirm your message
On 2002-12-03, Adam McKenna [EMAIL PROTECTED] wrote: Please enlighten me, anyway: Why is bouncing the full body of the mail you received from a person who claims to be Adam back to Adam a good idea? This is an implementation issue, not a philosophical issue. This is correct. The system still needs to have the sender acknowledge that the message she sent is the one she is replying to, which requires at sending at least a little of the message back; pieces of which can be spam sent from a malicious user. TMDA source says so, too, in the comment to AUTORESPONSE_INCLUDE_SENDER_COPY. Since I only use TMDA I can't speak for others but TMDA has a CONFIRM_MAX_MESSAGE_SIZE configuration variable, which will exclude the body of the message from the confirmation request if its size exceeds the defined value. The default is 50k. Right, and in TMDA there is also MAX_AUTORESPONSES_PER_DAY, which only seems to consider messages per sender. I'm not quite convinced that such a setup can not be abused as a spam reflector, useless as it may be (it bounces the full headers), other than annoying a lot of people. (-: -- Andreas Fuchs, [EMAIL PROTECTED], [EMAIL PROTECTED], antifuchs Hail RMS! Hail Cthulhu! Hail Eris! All hail Discordia!
Re: Fwd: Please confirm your message
On Wed, Dec 04, 2002 at 09:22:35AM +0100, Andreas Fuchs wrote: On 2002-12-03, Adam McKenna [EMAIL PROTECTED] wrote: Please enlighten me, anyway: Why is bouncing the full body of the mail you received from a person who claims to be Adam back to Adam a good idea? This is an implementation issue, not a philosophical issue. This is correct. The system still needs to have the sender acknowledge that the message she sent is the one she is replying to, which requires at sending at least a little of the message back; pieces of which can be spam sent from a malicious user. TMDA source says so, too, in the comment to AUTORESPONSE_INCLUDE_SENDER_COPY. Yes, but this can be set to include only the headers, or none of the sender's message, if the user desires. It still, at most, includes all of the information that would be contained in a normal bounce message. Have you read DJB's modest proposal regarding SMTP traffic? Since I only use TMDA I can't speak for others but TMDA has a CONFIRM_MAX_MESSAGE_SIZE configuration variable, which will exclude the body of the message from the confirmation request if its size exceeds the defined value. The default is 50k. Right, and in TMDA there is also MAX_AUTORESPONSES_PER_DAY, which only seems to consider messages per sender. I'm not quite convinced that such a setup can not be abused as a spam reflector, useless as it may be (it bounces the full headers), other than annoying a lot of people. (-: Any autoresponder can be used as a spam reflector, so that still doesn't condemn this particular class of software. There is no amplification effect. --Adam -- Adam McKenna [EMAIL PROTECTED] [EMAIL PROTECTED]
Re: Fwd: Please confirm your message
On Wed, Dec 04, 2002 at 12:48:14AM +, Darren Salt wrote: see if you still don't have a problem. Or try giving the server a local (to it) address after MAIL FROM: the server should complain unless you're on a network which it considers to be local. Tried that with both qmail and postfix, and it still accepts it. (ie. telnet to remote server, entered MAIL FROM: $remoteaddress, and the server still accepts it even though it considers it a local address). -- Brian May [EMAIL PROTECTED]
Re: Fwd: Please confirm your message
On Tue, Dec 03, 2002 at 03:12:37PM -0800, Adam McKenna wrote: But to be sure you're not getting any false positives, you cruise through your spam mailbox every now and then, right? I generally try to (although I know one site that receives so much SPAM that this is simply not feasible). However, it is unlikely I would notice if there are any problems. (my family members seem to subscribe to mailing lists that all look very much like SPAM (eg. Dilbert); not to mention HTML only bills that look like SPAM, etc). -- Brian May [EMAIL PROTECTED]
Re: Fwd: Please confirm your message
On Thu, Dec 05, 2002 at 09:20:47AM +1100, Brian May wrote:
On Wed, Dec 04, 2002 at 12:48:14AM +, Darren Salt wrote:
see if you still don't have a problem. Or try giving the server a local (to
it) address after MAIL FROM: the server should complain unless you're on a
network which it considers to be local.
Tried that with both qmail and postfix, and it still accepts it.
(ie. telnet to remote server, entered MAIL FROM: $remoteaddress,
and the server still accepts it even though it considers it a
local address).
Did you also give RCPT TO: after that?
$ mx gmx.net
gmx.net MX 10 mx0.gmx.de
gmx.net MX 10 mx0.gmx.net
$ telnet mx0.gmx.net 25
Trying 213.165.64.100...
Connected to mx0.gmx.net.
Escape character is '^]'.
220 {mx018-rz3} GMX Mailservices ESMTP
EHLO test
250-{mx018-rz3} GMX Mailservices
250-AUTH=LOGIN CRAM-MD5 PLAIN
250-AUTH LOGIN CRAM-MD5 PLAIN
250-PIPELINING
250 8BITMIME
MAIL FROM: [EMAIL PROTECTED]
250 {mx018-rz3} ok
RCPT TO: [EMAIL PROTECTED]
550 {mx018-rz3} We do not relay - access denied
Connection closed by foreign host.
$
This is from a dial up line. Both addresses exist. The reply is completely
okay, if I wanted to send a mail as [EMAIL PROTECTED] I would have to
authorize myself via the AUTH mechanism or do pop-before-smtp, which I did
not.
The same would have happened if I set MAIL FROM: to another address.
The other way round would have worked, ie. MAIL FROM: [EMAIL PROTECTED]
and RCPT TO: [EMAIL PROTECTED]. That's how you would send a mail to me.
Greetings,
Oliver
--
Oh my, the stars!
me, first time I stared at the night sky with my new contact lenses
pgpD9lUxEqTuw.pgp
Description: PGP signature
Re: Fwd: Please confirm your message
On Thu, Dec 05, 2002 at 09:20:47AM +1100, Brian May wrote: On Wed, Dec 04, 2002 at 12:48:14AM +, Darren Salt wrote: see if you still don't have a problem. Or try giving the server a local (to it) address after MAIL FROM: the server should complain unless you're on a network which it considers to be local. Tried that with both qmail and postfix, and it still accepts it. (ie. telnet to remote server, entered MAIL FROM: $remoteaddress, and the server still accepts it even though it considers it a local address). This is the correct behavior. I don't know what Darren is talking about but I've never seen a mail server that refused to accept e-mails with a local envelope sender from remote hosts. It should be obvious why this wouldn't be a good idea. --Adam -- Adam McKenna [EMAIL PROTECTED] [EMAIL PROTECTED]
Re: Fwd: Please confirm your message
On Wed, Dec 04, 2002 at 11:57:05PM +0100, Oliver Kurth wrote: MAIL FROM: [EMAIL PROTECTED] RCPT TO: [EMAIL PROTECTED] Would this work? Or would you need to be authenticated first? (ie. I thought we were discussing checking purely based on the MAIL FROM address, not checking for relaying). -- Brian May [EMAIL PROTECTED]
Re: Fwd: Please confirm your message
On Thu, Dec 05, 2002 at 10:09:31AM +1100, Brian May wrote:
On Wed, Dec 04, 2002 at 11:57:05PM +0100, Oliver Kurth wrote:
MAIL FROM: [EMAIL PROTECTED]
RCPT TO: [EMAIL PROTECTED]
Would this work? Or would you need to be authenticated first?
$ telnet mx0.gmx.net 25
Trying 213.165.64.100...
Connected to mx0.gmx.net.
Escape character is '^]'.
220 {mx015-rz3} GMX Mailservices ESMTP
MAIL FROM: [EMAIL PROTECTED]
250 {mx015-rz3} ok
RCPT TO: [EMAIL PROTECTED]
250 {mx015-rz3} ok
quit
221 {mx015-rz3} GMX Mailservices
Connection closed by foreign host.
It does. For gmx at least.
(ie. I thought we were discussing checking purely based on
the MAIL FROM address, not checking for relaying).
This is handled differently. Some servers check if the domain part
has a valid mx pointer, some do not. But I am not sure, if the
example above works for any server, I am sure you can set it up
so that it does not accept local addresses from other networks
than its own to a local address. It would make sense though, because
many spammers try to set a local MAIL FROM: address. If someone wants
to send a mail with a local MAIL FROM: from a foreign network, he
should be authenticated.
Greetings,
Oliver
--
Oh my, the stars!
me, first time I stared at the night sky with my new contact lenses
pgpdbvufsTkDT.pgp
Description: PGP signature
Re: Fwd: Please confirm your message
Brian May [EMAIL PROTECTED] wrote: On Tue, Dec 03, 2002 at 10:22:32AM +1300, Corrin Lakeland wrote: Personally I think bayesian based spam filters are a godsend. They're a bit naive in places such as being unigram or bigram based, but that'll probably get fixed in version two. And already they are still amazingly good. Are these packaged for Debian? [...] Yes, at least bogofilter is available and I've read an ITP for bmf here, too. cu andreas
Re: Fwd: Please confirm your message
On Mon, Dec 02, 2002 at 04:58:48PM +0100, Russell Coker wrote: Also there's the issue of two people having such filters trying to communicate with each other. This, of course, is taken care of, see the documentation if you are interested. NB You can't just white-list an address when you send mail to it as often people don't use the same From: address to reply as they advertise when soliciting email (think about [EMAIL PROTECTED] addresses and vanity domains). Yes. But one can add a Reply-To header with a private mail address that doesn't require confirmation. On public discussions, one can add a Mail-Followup-To header to keep answers in the public where they belong imho. If there is open source, there should be open development, no need keep such things private. There are public discussion resources available for all of my open software. Gerrit.
Re: Fwd: Please confirm your message
On Mon, Dec 02, 2002 at 05:31:11PM +0100, Russell Coker wrote: On Mon, 2 Dec 2002 17:18, Stephen Zander wrote: The above is based on the false premise that those who send spam are incapable of sending it with (forged) real email addresses. They already have lots of them to choose from. This is an existing and well known problem of the current internet mail infrastructure. Yes, envelope senders and headers can be forged. Of course such a spam filter will stop such spam at the cost of doubly spamming innocent people who have their addresses forged. Doubly? I cannot follow. It's very anti-social, zero sum game stuff. Come on, no need to especially blame my mail handling program. In another mail you wrote, you don't deliver spam to /dev/null but bounce it. Where do you think the bounce will end up? Nothing else is doing my software, sending a bounce to the envelope sender; there is no difference. Gerrit.
Re: Fwd: Please confirm your message
On Mon, Dec 02, 2002 at 06:50:14PM +, Matthew Garrett wrote: In order to avoid this, spammers merely have to use a forged from address that will generate an automatic response. There's no shortage of those. [EMAIL PROTECTED] springs to mind, and I have no doubt that there are many others. The spammers can therefore trivially circumvent Autoresponders, bouncers, and other mail handling programs use the envelope sender address, not an address found in any header of the mail. I doubt that any abuse@ address replies to a bounce message. This is no problem. Gerrit.
Re: Fwd: Please confirm your message
On Mon, Dec 02, 2002 at 11:01:15AM -0500, H. S. Teoh wrote: On Mon, Dec 02, 2002 at 04:39:30PM +0100, Jan Niehusmann wrote: Time will tell. I fear that some day, the only way to use email productively is to block all email with invalid sender adresses. And I don't know a way do valdiate a (not yet known) address but to try it and send a reply. If you combine that with some autoresponders on both ends, no human interaction would be needed, so annoyance should go down. But what if spammers set up autoresponders as well? Just a thought. They don't. Spammers don't have (or want to provide) the resources for mass bounce handling on there mass mailing. Also, they are not anonymous anymore when doing this, you then know who is responsible for the spam or who does provide the resources for spamming. It is _very_ unlikely that such will happen. Gerrit.
Re: Fwd: Please confirm your message
In chiark.mail.debian.devel, you wrote: Autoresponders, bouncers, and other mail handling programs use the envelope sender address, not an address found in any header of the mail. I doubt that any abuse@ address replies to a bounce message. This is no problem. I find your faith in mail admins... touching. -- Matthew Garrett | [EMAIL PROTECTED]
Re: Fwd: Please confirm your message
on Sun, Dec 01, 2002 at 07:19:47PM +0100, Gerrit Pape ([EMAIL PROTECTED]) wrote: On Sun, Dec 01, 2002 at 02:35:28PM +0100, Russell Coker wrote: The people who run such stupid filters misunderstand the way the Internet works. Maybe you should do a short research on the user of this mail handling program before saying such. If you have to send an extra confirmation message every time you send an email to someone you haven't communicated with before then it will increase the number of messages required by at least 50%. That is an unreasonable burden to place on other people. I wrote the software primarily for ezmlm mailing lists, please rethink your statement with this precondition. Here's my problem with such tricks: They take the personal (and best addressed as a personally-managed) problem of whitelist generation and offload it to a class of people who neither particularly care, nor are skilled at, executing it. As is clear here, the tactic is spectacularly ill-suited to mass communications, mailing lists in particular. If I'm posting mail to a list, WTF should I care what Joe Bumpkiss, or Gerrit Pape, wants to do with my email? If s/he signed up for the list, the presumption is that s/he wants to receive the mail. Ordinarially[1] I use a set of procmail recipies which filter mail on a number of criteria. These include heursitics to detect list mail, spamassassin, and a set of white and black lists. With my mailer, it's trivial to select a message, or a list of messages, and add the sender to either my white or black list. Takes a fraction of a second. Only happens once (and generally only for mail directed to me -- list mail doesn't need this hoop).[2] Best of all, my system never reveals itself to the sender at all. Which is as it should be. I roundfile any prove yourself requests I receive, and blacklist the sender. Peace. Notes: 1. System failures mean I'm on a fallback mail system w/o my procmail support. Two days of filtering by hand... I'm going to dig through backups to get 'em back in place RSN. 2. The system is based on the Debian spamfilter package, Lars Wizenius's procmal recipies. Spamassassin support is simply added as another rule. I've added a small script to add an address to a b/w list. -- Karsten M. Self kmself@ix.netcom.comhttp://kmself.home.netcom.com/ What Part of Gestalt don't you understand? Geek for hire: http://kmself.home.netcom.com/resume.html
Re: Fwd: Please confirm your message
Today, Stephen Zander [EMAIL PROTECTED] wrote: Jan == Jan Niehusmann [EMAIL PROTECTED] writes: Jan Time will tell. I fear that some day, the only way to use Jan email productively is to block all email with invalid sender Jan adresses. And I don't know a way do valdiate a (not yet Jan known) address but to try it and send a reply. If you Jan combine that with some autoresponders on both ends, no human Jan interaction would be needed, so annoyance should go down. The above is based on the false premise that those who send spam are incapable of sending it with (forged) real email addresses. They already have lots of them to choose from. Right. I just thought up a scheme to exploit this, based on the fake source-IP address approach you find in descriptions of ping-floods. a) Spammer finds an autoresponder b) Spammer sends many mails with Reply-To: header chosen from a know-to-work address list c) Reply-To:ed people receive the bounced mail and are annoyed. So, ones selfishness (by using such spam filtering approaches) can be used against the person running the filter. If the filter is configured so that it doesn't send the Received: lines, it actually acts as a pseudo-anonymysing relay. Thus, my conclusion: These things are evil. Don't use them or somebody might use them against you, eventually. -- Andreas Fuchs, [EMAIL PROTECTED], [EMAIL PROTECTED], antifuchs Hail RMS! Hail Cthulhu! Hail Eris! All hail Discordia! pgpnf2SZgjxqT.pgp Description: PGP signature
Re: Fwd: Please confirm your message
On Mon, Dec 02, 2002 at 11:49:09PM +0100, Andreas Fuchs wrote: Right. I just thought up a scheme to exploit this, based on the fake source-IP address approach you find in descriptions of ping-floods. Wow, you're pretty smart. Nobody has thought of this before, especially not the authors of said programs. a) Spammer finds an autoresponder b) Spammer sends many mails with Reply-To: header chosen from a know-to-work address list c) Reply-To:ed people receive the bounced mail and are annoyed. d) Andreas Fuchs figures out how the programs he is bashing actually work. Thus, my conclusion: These things are evil. Don't use them or somebody might use them against you, eventually. This sounds vaguely like religion -- you haven't even taken the time to see how these filters work yet you are decrying them as evil. They happen to be the most effective filtering solution at present, and they definitely beat the everyone registers their SMTP server solution that's currently being pushed in certain technical forums. Someday this type of software may be rendered ineffective by some new spammer invention, and at that time it will be easy enough to just turn it off and use something else. --Adam -- Adam McKenna [EMAIL PROTECTED] [EMAIL PROTECTED]
Re: Fwd: Please confirm your message
On Tue, Dec 03, 2002 at 08:56:10AM -0800, Adam McKenna wrote: On Mon, Dec 02, 2002 at 11:49:09PM +0100, Andreas Fuchs wrote: Thus, my conclusion: These things are evil. Don't use them or somebody might use them against you, eventually. This sounds vaguely like religion -- you haven't even taken the time to see how these filters work yet you are decrying them as evil. They happen to be the most effective filtering solution at present, /dev/null is the most effective filtering solution at present, and these days happens to be equivalent to these filters when applied to mail from me. It's easy to be effective if you don't care about false positives. -- Colin Watson [EMAIL PROTECTED]
Re: Fwd: Please confirm your message
On Tue, Dec 03, 2002 at 05:13:42PM +, Colin Watson wrote: On Tue, Dec 03, 2002 at 08:56:10AM -0800, Adam McKenna wrote: On Mon, Dec 02, 2002 at 11:49:09PM +0100, Andreas Fuchs wrote: Thus, my conclusion: These things are evil. Don't use them or somebody might use them against you, eventually. This sounds vaguely like religion -- you haven't even taken the time to see how these filters work yet you are decrying them as evil. They happen to be the most effective filtering solution at present, /dev/null is the most effective filtering solution at present, and these days happens to be equivalent to these filters when applied to mail from me. It's easy to be effective if you don't care about false positives. Yes, and unless you consider people who either: 1) are too lazy to confirm 2) have a philosophical objection to confirming false positives, then there are no false positives with confirmation systems. You're also assuming that the users of such systems don't periodically check out their pending queue to make sure there isn't any legitimate mail in there before purging it. --Adam -- Adam McKenna [EMAIL PROTECTED] [EMAIL PROTECTED]
Re: Fwd: Please confirm your message
On Tue, Dec 03, 2002 at 09:26:34AM -0800, Adam McKenna wrote: It's easy to be effective if you don't care about false positives. Yes, and unless you consider people who either: 1) are too lazy to confirm 2) have a philosophical objection to confirming false positives, then there are no false positives with confirmation systems. Any mail you want to read that gets blocked by a spam filter is a false positive, whoever it may be from. Why're you trying to cloud the issue with inane word games? There are already sensible definitions for these words. Note that, conversely, Hi, I'm a program and I don't know who you are, and don't trust you, please spend some of your valuable time to overcome my paranoia can quite reasonably be classed as mail you don't want to read, especially if it's on behalf of someone who's asking you a favour. Cheers, aj -- Anthony Towns [EMAIL PROTECTED] http://azure.humbug.org.au/~aj/ I don't speak for anyone save myself. GPG signed mail preferred. ``If you don't do it now, you'll be one year older when you do.'' pgpb79NJLAsQF.pgp Description: PGP signature
Re: Fwd: Please confirm your message
On Tue, Dec 03, 2002 at 09:26:34AM -0800, Adam McKenna wrote: On Tue, Dec 03, 2002 at 05:13:42PM +, Colin Watson wrote: /dev/null is the most effective filtering solution at present, and these days happens to be equivalent to these filters when applied to mail from me. It's easy to be effective if you don't care about false positives. Yes, and unless you consider people who either: 1) are too lazy to confirm 2) have a philosophical objection to confirming false positives, I do. If you don't, I guess we have no common ground. Also consider systems like the BTS that send mail; I certainly don't think those confirmations get religiously replied to, although boredom might lead to somebody doing it on occasion. You're also assuming that the users of such systems don't periodically check out their pending queue to make sure there isn't any legitimate mail in there before purging it. Fair point. -- Colin Watson [EMAIL PROTECTED]
Re: Fwd: Please confirm your message
On Wed, Dec 04, 2002 at 03:40:53AM +1000, Anthony Towns wrote: On Tue, Dec 03, 2002 at 09:26:34AM -0800, Adam McKenna wrote: It's easy to be effective if you don't care about false positives. Yes, and unless you consider people who either: 1) are too lazy to confirm 2) have a philosophical objection to confirming false positives, then there are no false positives with confirmation systems. Any mail you want to read that gets blocked by a spam filter is a false positive, whoever it may be from. Why're you trying to cloud the issue with inane word games? There are already sensible definitions for these words. The key issue here is that the mail isn't blocked. It's simply held in another place until confirmed. It doesn't become a false positive until it is deleted without being read. Note that, conversely, Hi, I'm a program and I don't know who you are, and don't trust you, please spend some of your valuable time to overcome my paranoia can quite reasonably be classed as mail you don't want to read, especially if it's on behalf of someone who's asking you a favour. Yes, and people are perfectly within their right to drop such messages (or any messages, for that matter) into the bit bucket, just like they're within their right to drop bounce messages. But they shouldn't be surprised when their original message is either dropped, or read weeks late. BTW, anyone who e-mails you and then asks you to confirm your reply is either using broken software, or doesn't have their outgoing mail headers set up properly. As a side note, I am pretty amused by the people in this thread who say don't use these systems, they're antisocial, and then follow that up with I'm going to blacklist anyone who uses these systems.. I guess their definition of antisocial is different than mine. --Adam -- Adam McKenna [EMAIL PROTECTED] [EMAIL PROTECTED]
Re: Fwd: Please confirm your message
On Tue, Dec 03, 2002 at 11:09:02AM +0100, Gerrit Pape wrote: Autoresponders, bouncers, and other mail handling programs use the envelope sender address, not an address found in any header of the mail. I doubt that any abuse@ address replies to a bounce message. This is no problem. Practical experience contradicts this. Have you tried subscribing to debian-security? You get to learn fascinating things about the vacationing habits of random strangers. I also _frequently_ get bounces that should have gone to the mailing list software instead of to me. This happens less on unixy lists, so you might not have noticed on debian-*. Hmm, if I understand it right, your plan will mean that anyone operating such a broken mail system will get DoSed by spammers? Then maybe there's something to it after all :-) Richard Braakman
Re: Fwd: Please confirm your message
On Tue, Dec 03, 2002 at 09:55:34AM -0800, Adam McKenna wrote: BTW, anyone who e-mails you and then asks you to confirm your reply is either using broken software, or doesn't have their outgoing mail headers set up properly. So people who e-mail [EMAIL PROTECTED] and then ask for confirmation from [EMAIL PROTECTED] must be using broken software too, I guess. Similarly, people don't always use one of my canonical addresses. -- Colin Watson [EMAIL PROTECTED]
Re: Fwd: Please confirm your message
On Tue, Dec 03, 2002 at 06:16:48PM +, Colin Watson wrote: On Tue, Dec 03, 2002 at 09:55:34AM -0800, Adam McKenna wrote: BTW, anyone who e-mails you and then asks you to confirm your reply is either using broken software, or doesn't have their outgoing mail headers set up properly. So people who e-mail [EMAIL PROTECTED] and then ask for confirmation from [EMAIL PROTECTED] must be using broken software too, I guess. Similarly, people don't always use one of my canonical addresses. Yes, that's correct. People using such systems should be sending from tagged addresses that do not require confirmation. --Adam -- Adam McKenna [EMAIL PROTECTED] [EMAIL PROTECTED]
Re: Fwd: Please confirm your message
On Tue, 3 Dec 2002 18:55, Adam McKenna wrote: As a side note, I am pretty amused by the people in this thread who say don't use these systems, they're antisocial, and then follow that up with I'm going to blacklist anyone who uses these systems.. I guess their definition of antisocial is different than mine. What is wrong with choosing not to socialise with anti-social people? -- http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark http://www.coker.com.au/postal/Postal SMTP/POP benchmark http://www.coker.com.au/~russell/ My home page
Re: Fwd: Please confirm your message
In chiark.mail.debian.devel, you wrote: Autoresponders, bouncers, and other mail handling programs use the envelope sender address, not an address found in any header of the mail. I doubt that any abuse@ address replies to a bounce message. This is no problem. Having received one of the things now, it seems that you're not actually sending bounce messages as such. On the other hand, you're right that this won't result in false confirmation in the case of autorespenders that (correctly) respond to the envelope sender - sadly, there's no real shortage of broken autoresponders that will reply to the from header instead. -- Matthew Garrett | [EMAIL PROTECTED]
Re: Fwd: Please confirm your message
On Tue, Dec 03, 2002 at 11:09:02AM +0100, Gerrit Pape wrote: Autoresponders, bouncers, and other mail handling programs use the envelope sender address, not an address found in any header of the mail. I doubt that any abuse@ address replies to a bounce message. This is no problem. You seem to imply that the envelope sender address is harder to forge? Yet my experience has been that I can telnet to port 25 on any mail server, and give it any envelope sender I want. Are there suppost to be some sort of checks placed on this address? -- Brian May [EMAIL PROTECTED]
Re: Fwd: Please confirm your message
Today, Adam McKenna [EMAIL PROTECTED] wrote: On Mon, Dec 02, 2002 at 11:49:09PM +0100, Andreas Fuchs wrote: Right. I just thought up a scheme to exploit this, based on the fake source-IP address approach you find in descriptions of ping-floods. Wow, you're pretty smart. Nobody has thought of this before, especially not the authors of said programs. *makes a mental note never to use the term I just thought up again* Please enlighten me, anyway: Why is bouncing the full body of the mail you received from a person who claims to be Adam back to Adam a good idea? -- Andreas Fuchs, [EMAIL PROTECTED], [EMAIL PROTECTED], antifuchs debian-devel's pretty smart person.
Re: Fwd: Please confirm your message
On Wed, Dec 04, 2002 at 09:47:05AM +1100, Brian May wrote: On Tue, Dec 03, 2002 at 11:09:02AM +0100, Gerrit Pape wrote: Autoresponders, bouncers, and other mail handling programs use the envelope sender address, not an address found in any header of the mail. I doubt that any abuse@ address replies to a bounce message. This is no problem. You seem to imply that the envelope sender address is harder to forge? Yet my experience has been that I can telnet to port 25 on any mail server, and give it any envelope sender I want. Are there suppost to be some sort of checks placed on this address? He's talking about the envelope sender address on the confirmation messages, which is empty (), the same as for bounce messages. --Adam -- Adam McKenna [EMAIL PROTECTED] [EMAIL PROTECTED]
Re: Fwd: Please confirm your message
On Tue, Dec 03, 2002 at 09:55:34AM -0800, Adam McKenna wrote: The key issue here is that the mail isn't blocked. It's simply held in another place until confirmed. It doesn't become a false positive until it is deleted without being read. It depends how you define the SPAM checking process. If you define the SPAM checking process as an automatic process which classifies mail as either SPAM or non SPAM, then your statement is incorrect, it is a false postive as soon as it has been automatically classified in the wrong group. However, you seem to be defining the SPAM checking process as a series of automatic and manual processes that automatically delete all SPAM and nothing else from your mail folder. Which is interesting, the first definition doesn't take into account the human reading the mail, the second does. However, as far as I am concerned, my ideal (as unrealistic as it may be) is not to have to look at SPAM at all, which means that I use the first definition. -- Brian May [EMAIL PROTECTED]
Re: Fwd: Please confirm your message
On Wed, Dec 04, 2002 at 09:58:28AM +1100, Brian May wrote: On Tue, Dec 03, 2002 at 09:55:34AM -0800, Adam McKenna wrote: The key issue here is that the mail isn't blocked. It's simply held in another place until confirmed. It doesn't become a false positive until it is deleted without being read. It depends how you define the SPAM checking process. If you define the SPAM checking process as an automatic process which classifies mail as either SPAM or non SPAM, then your statement is incorrect, it is a false postive as soon as it has been automatically classified in the wrong group. Not really, because the class of programs we're talking about don't make a distinction between spam and non-spam, they only make a distinction between confirmed and unconfirmed messages from unknown addresses. However, you seem to be defining the SPAM checking process as a series of automatic and manual processes that automatically delete all SPAM and nothing else from your mail folder. Which is interesting, the first definition doesn't take into account the human reading the mail, the second does. However, as far as I am concerned, my ideal (as unrealistic as it may be) is not to have to look at SPAM at all, which means that I use the first definition. But to be sure you're not getting any false positives, you cruise through your spam mailbox every now and then, right? --Adam -- Adam McKenna [EMAIL PROTECTED] [EMAIL PROTECTED]
Re: Fwd: Please confirm your message
On Tue, Dec 03, 2002 at 11:52:38PM +0100, Andreas Fuchs wrote: Today, Adam McKenna [EMAIL PROTECTED] wrote: On Mon, Dec 02, 2002 at 11:49:09PM +0100, Andreas Fuchs wrote: Right. I just thought up a scheme to exploit this, based on the fake source-IP address approach you find in descriptions of ping-floods. Wow, you're pretty smart. Nobody has thought of this before, especially not the authors of said programs. *makes a mental note never to use the term I just thought up again* Please enlighten me, anyway: Why is bouncing the full body of the mail you received from a person who claims to be Adam back to Adam a good idea? This is an implementation issue, not a philosophical issue. Since I only use TMDA I can't speak for others but TMDA has a CONFIRM_MAX_MESSAGE_SIZE configuration variable, which will exclude the body of the message from the confirmation request if its size exceeds the defined value. The default is 50k. --Adam -- Adam McKenna [EMAIL PROTECTED] [EMAIL PROTECTED]
Re: Fwd: Please confirm your message
I demand that Adam McKenna may or may not have written... On Wed, Dec 04, 2002 at 09:47:05AM +1100, Brian May wrote: On Tue, Dec 03, 2002 at 11:09:02AM +0100, Gerrit Pape wrote: Autoresponders, bouncers, and other mail handling programs use the envelope sender address, not an address found in any header of the mail. I doubt that any abuse@ address replies to a bounce message. This is no problem. You seem to imply that the envelope sender address is harder to forge? Yet my experience has been that I can telnet to port 25 on any mail server, and give it any envelope sender I want. Are there suppost to be some sort of checks placed on this address? Yes. Try giving a remote (from the server's POV) address after RCPT TO and see if you still don't have a problem. Or try giving the server a local (to it) address after MAIL FROM: the server should complain unless you're on a network which it considers to be local. If it accepts *any* address after MAIL FROM *and* after RCPT TO regardless of where you're connecting from, then I'm sure that there's a spammer who'll be interested in hearing from you ;-) He's talking about the envelope sender address on the confirmation messages, which is empty (), the same as for bounce messages. That doesn't matter (much) wrt address/location checks... -- | Darren Salt | nr. Ashington, | linux (or ds) at | Linux PC, Risc PC | Northumberland | youmustbejoking | No Wodniws here | Toon Army | demon co uk | Running woody on the other machine. You will be held hostage by a radical group.
Re: Fwd: Please confirm your message
On Sun, Dec 01, 2002 at 08:43:06PM +0100, Russell Coker wrote: When you have a very small number of people doing something totally contrary to what everyone else on the Internet is doing, and expecting that everyone else should go out of their way to accomodate them, then you don't need to do any research into who they are. See it that way: The problem of spam unfortunately is not solved, yet. There are several approaches to limit the amount of spam, and none of them is perfect. So, some research is necessary to find better ways of limiting spam. And the best way to evaluate some spam filter is to use it. Of course, that may annoy people, and these people should speak up (because that adds important information to the evaluation process - a spam filtering scheme which annoys people too much will not work in the long run). But please don't take it personal. It is not suitable for individual email addresses. Time will tell. I fear that some day, the only way to use email productively is to block all email with invalid sender adresses. And I don't know a way do valdiate a (not yet known) address but to try it and send a reply. If you combine that with some autoresponders on both ends, no human interaction would be needed, so annoyance should go down. Jan
Re: Fwd: Please confirm your message
On Mon, Dec 02, 2002 at 04:39:30PM +0100, Jan Niehusmann wrote: [snip] Time will tell. I fear that some day, the only way to use email productively is to block all email with invalid sender adresses. And I don't know a way do valdiate a (not yet known) address but to try it and send a reply. If you combine that with some autoresponders on both ends, no human interaction would be needed, so annoyance should go down. [snip] But what if spammers set up autoresponders as well? Just a thought. T -- What's a hot crossed bun? An angry rabbit.
Re: Fwd: Please confirm your message
On Mon, 2 Dec 2002 16:39, Jan Niehusmann wrote: It is not suitable for individual email addresses. Time will tell. I fear that some day, the only way to use email productively is to block all email with invalid sender adresses. And I don't know a way do valdiate a (not yet known) address but to try it and send a reply. If you combine that with some autoresponders on both ends, no human interaction would be needed, so annoyance should go down. If an auto-responder can handle such messages then spammers will just use such auto-responders and therefore the spam filter will be almost useless. Also there's the issue of two people having such filters trying to communicate with each other. NB You can't just white-list an address when you send mail to it as often people don't use the same From: address to reply as they advertise when soliciting email (think about [EMAIL PROTECTED] addresses and vanity domains). -- http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark http://www.coker.com.au/postal/Postal SMTP/POP benchmark http://www.coker.com.au/~russell/ My home page
Re: Fwd: Please confirm your message
On Mon, Dec 02, 2002 at 04:58:48PM +0100, Russell Coker wrote: On Mon, 2 Dec 2002 16:39, Jan Niehusmann wrote: Time will tell. I fear that some day, the only way to use email productively is to block all email with invalid sender adresses. And I If an auto-responder can handle such messages then spammers will just use such auto-responders and therefore the spam filter will be almost useless. You are missing the point: That scheme doesn't directly block spam, it only assures that a mail has a valid Reply-To:-address. Which may (or may not) stop spam. Time will tell. Also there's the issue of two people having such filters trying to communicate with each other. Of course such programs need careful design to prevent loops. I don't say this is the only solution, I don't even claim it solves the spam problem at all. But I think it's a sensible experiment. After all, it may work. Jan
Re: Fwd: Please confirm your message
Jan == Jan Niehusmann [EMAIL PROTECTED] writes: Jan Time will tell. I fear that some day, the only way to use Jan email productively is to block all email with invalid sender Jan adresses. And I don't know a way do valdiate a (not yet Jan known) address but to try it and send a reply. If you Jan combine that with some autoresponders on both ends, no human Jan interaction would be needed, so annoyance should go down. The above is based on the false premise that those who send spam are incapable of sending it with (forged) real email addresses. They already have lots of them to choose from. -- Stephen A duck!
Re: Fwd: Please confirm your message
On Mon, Dec 02, 2002 at 08:18:46AM -0800, Stephen Zander wrote: The above is based on the false premise that those who send spam are incapable of sending it with (forged) real email addresses. They already have lots of them to choose from. But if they send the spam with a forged email address, the confirmation request won't be answered. (Which needs to be considered when designing a confirmation auto-responder: It may only confirm messages which were actually sent from that account) Jan PS: I think we are getting off-topic. I am interested in your opinion, but please consider sending it by private email.
Re: Fwd: Please confirm your message
On Mon, 2 Dec 2002 17:18, Stephen Zander wrote: Jan == Jan Niehusmann [EMAIL PROTECTED] writes: Jan Time will tell. I fear that some day, the only way to use Jan email productively is to block all email with invalid sender Jan adresses. And I don't know a way do valdiate a (not yet Jan known) address but to try it and send a reply. If you Jan combine that with some autoresponders on both ends, no human Jan interaction would be needed, so annoyance should go down. The above is based on the false premise that those who send spam are incapable of sending it with (forged) real email addresses. They already have lots of them to choose from. Of course such a spam filter will stop such spam at the cost of doubly spamming innocent people who have their addresses forged. It's very anti-social, zero sum game stuff. -- http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark http://www.coker.com.au/postal/Postal SMTP/POP benchmark http://www.coker.com.au/~russell/ My home page
Re: Fwd: Please confirm your message
In chiark.mail.debian.devel, you wrote: On Mon, Dec 02, 2002 at 08:18:46AM -0800, Stephen Zander wrote: The above is based on the false premise that those who send spam are incapable of sending it with (forged) real email addresses. They already have lots of them to choose from. But if they send the spam with a forged email address, the confirmation request won't be answered. In order to avoid this, spammers merely have to use a forged from address that will generate an automatic response. There's no shortage of those. [EMAIL PROTECTED] springs to mind, and I have no doubt that there are many others. The spammers can therefore trivially circumvent the anti-spam measure at no extra cost to themselves, while at the same time causing even more inconvenience to everyone else. It's a stupid idea and pandering to people who utilise it only makes things worse for everyone. -- Matthew Garrett | [EMAIL PROTECTED]
Re: Fwd: Please confirm your message
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On Tue, 03 Dec 2002 05:12, Jan Niehusmann wrote: You are missing the point: That scheme doesn't directly block spam, it only assures that a mail has a valid Reply-To:-address. Which may (or may not) stop spam. Time will tell. But if we can work out that it won't work now, we can save ourselves some time and hassle. Specifically, these autoresponders demand that the spammers either validate an email address or use a known good 'from' address. So they will - when spamming someone harvested from debian-devel, they'll set the from address to debian-devel. Personally I think bayesian based spam filters are a godsend. They're a bit naive in places such as being unigram or bigram based, but that'll probably get fixed in version two. And already they are still amazingly good. Corrin -BEGIN PGP SIGNATURE- Version: GnuPG v1.2.1 (GNU/Linux) iD8DBQE9688Zi5A0ZsG8x8cRAomgAJwPEq5gUosw1OjD5EZ8UG7+D/LlvgCdGyiA Z2//ykiaZqEIeSvClk9B4hc= =pnwf -END PGP SIGNATURE-
Re: Fwd: Please confirm your message
On Tue, Dec 03, 2002 at 10:22:32AM +1300, Corrin Lakeland wrote: Personally I think bayesian based spam filters are a godsend. They're a bit naive in places such as being unigram or bigram based, but that'll probably get fixed in version two. And already they are still amazingly good. Are these packaged for Debian? Where can I find more information? -- Brian May [EMAIL PROTECTED]
Re: Fwd: Please confirm your message
On Tue, 2002-12-03 at 09:53, Brian May wrote: On Tue, Dec 03, 2002 at 10:22:32AM +1300, Corrin Lakeland wrote: Personally I think bayesian based spam filters are a godsend. They're a bit naive in places such as being unigram or bigram based, but that'll probably get fixed in version two. And already they are still amazingly good. Are these packaged for Debian? Where can I find more information? apt-get install bogofilter http://www.tuxedo.org/~esr/bogofilter/ http://www.paulgraham.com/spam.html Works like a ripper, I've primed it with a 2000 message spam corpus and 10,000 message non-spam, and it gets called by procmail. Very high accuracy, very few (approaching 0) false positives and negatives. Jonathan Oxer Ph +61 3 9723 9399 / Fx +61 3 9723 4899 GPG key: http://www.ivt.com.au/gpg/jon.oxer.gpg signature.asc Description: This is a digitally signed message part
Re: Fwd: Please confirm your message
Brian May wrote: On Tue, Dec 03, 2002 at 10:22:32AM +1300, Corrin Lakeland wrote: Personally I think bayesian based spam filters are a godsend. They're a bit naive in places such as being unigram or bigram based, but that'll probably get fixed in version two. And already they are still amazingly good. Are these packaged for Debian? dpkg -p bogofilter apt-cache search Bayes Where can I find more information? Google is your friend. This is the first thing it finds for Bayesian spam filter -- the article that got the whole idea going in the first place: http://www.paulgraham.com/spam.html Craig
Re: Fwd: Please confirm your message
On Tue, Dec 03, 2002 at 09:53:56AM +1100, Brian May wrote: On Tue, Dec 03, 2002 at 10:22:32AM +1300, Corrin Lakeland wrote: Personally I think bayesian based spam filters are a godsend. They're a bit naive in places such as being unigram or bigram based, but that'll probably get fixed in version two. And already they are still amazingly good. Are these packaged for Debian? The CVS version of SpamAssassin has a Bayesian type component to it. The latest CVS packages are available (and built daily by 10:00 UTC): deb http://people.debian.org/~duncf/debian/ unstable main Or you can wait till SpamAssassin 2.50 is released. Your call. IMHO, Spamassassin is better than purely bayes based filters since it only uses bayes as one component of the score, and uses many other rules to determine the overall level of spamminess. Where can I find more information? http://www.spamassassin.org/ -- Duncan Findlay
Re: Fwd: Please confirm your message
On Saturday 30 November 2002 16:48, Russell Coker wrote: [snipped rant and threats] ... if such messages continue. You misunderstood the way such things work, you only have to confirm once that you intended to send a message. Of course, people should add automated systems like the BTS to their whitelist when they use them ... cheers Uli
Re: Fwd: Please confirm your message
On Sat, 30 Nov 2002 22:42, Ulrich Eckhardt wrote: On Saturday 30 November 2002 16:48, Russell Coker wrote: [snipped rant and threats] ... if such messages continue. You misunderstood the way such things work, you only have to confirm once that you intended to send a message. Of course, people should add automated systems like the BTS to their whitelist when they use them ... No I did not misunderstand anything. The people who run such stupid filters misunderstand the way the Internet works. If you have to send an extra confirmation message every time you send an email to someone you haven't communicated with before then it will increase the number of messages required by at least 50%. That is an unreasonable burden to place on other people. The only reason why more people don't complain about this foolishness is because there aren't many people stupid enough to want to do it. PS If a spam filter blocks a message about an NMU then don't complain about not being warned... -- http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark http://www.coker.com.au/postal/Postal SMTP/POP benchmark http://www.coker.com.au/~russell/ My home page
Re: Fwd: Please confirm your message
On Sat, Nov 30, 2002 at 10:42:41PM +0100, Ulrich Eckhardt wrote: You misunderstood the way such things work, you only have to confirm once that you intended to send a message. Still too much. If someone initiates a communication, they should make sure they can get the reply. Of course, people should add automated systems like the BTS to their whitelist when they use them ... Exactly. I also drop any communication to people who require a confirmation when I reply to them. Mike Stone
Re: Fwd: Please confirm your message
On Sun, Dec 01, 2002 at 02:35:28PM +0100, Russell Coker wrote: The people who run such stupid filters misunderstand the way the Internet works. Maybe you should do a short research on the user of this mail handling program before saying such. If you have to send an extra confirmation message every time you send an email to someone you haven't communicated with before then it will increase the number of messages required by at least 50%. That is an unreasonable burden to place on other people. I wrote the software primarily for ezmlm mailing lists, please rethink your statement with this precondition. On Sun, Dec 01, 2002 at 08:47:04AM -0500, Michael Stone wrote: Still too much. If someone initiates a communication, they should make sure they can get the reply. Yes that's true. I usually do this. I'm not responsible for the Reply-To header in my message, the BTS mangled the headers and resent the message; and it still appears to be from me. I've set Mail-Followup-To correctly. I'm not interested in receiving private copies of mail in public discussions; I know where I post, and keep up with, in this case, the bug's history, and read debian-devel. I've noted that you two don't want to communicate with me, be it. On Sun, Dec 01, 2002 at 02:35:28PM +0100, Russell Coker wrote: PS If a spam filter blocks a message about an NMU then don't complain about not being warned... No. You receive a delivery notification, and you receive a bounce if the delivery fails. You know that your message didn't reach the recipient. On Sat, Nov 30, 2002 at 04:48:50PM +0100, Russell Coker wrote: For reference, I will not reply to such a message, but I will consider putting the entire domain in my spam filter if such messages continue. This is what could cause it. 'Stupid' content based spam filters delivering false positives to /dev/null. Neither the sender nor the recipient know about the delivery failure. Gerrit.
Re: Fwd: Please confirm your message
On Sun, 1 Dec 2002 19:19, Gerrit Pape wrote: On Sun, Dec 01, 2002 at 02:35:28PM +0100, Russell Coker wrote: The people who run such stupid filters misunderstand the way the Internet works. Maybe you should do a short research on the user of this mail handling program before saying such. When you have a very small number of people doing something totally contrary to what everyone else on the Internet is doing, and expecting that everyone else should go out of their way to accomodate them, then you don't need to do any research into who they are. If you have to send an extra confirmation message every time you send an email to someone you haven't communicated with before then it will increase the number of messages required by at least 50%. That is an unreasonable burden to place on other people. I wrote the software primarily for ezmlm mailing lists, please rethink your statement with this precondition. Such things are fine for mailing lists. It's much the same as a regular list subscription. It is not suitable for individual email addresses. On Sun, Dec 01, 2002 at 08:47:04AM -0500, Michael Stone wrote: Still too much. If someone initiates a communication, they should make sure they can get the reply. Yes that's true. I usually do this. I'm not responsible for the Reply-To header in my message, the BTS mangled the headers and resent the message; and it still appears to be from me. I've set Mail-Followup-To correctly. I'm not interested in receiving private copies of mail in public discussions; I know where I post, and keep up with, in this case, the bug's history, and read debian-devel. I've noted that you two don't want to communicate with me, be it. It's not that I wish to avoid communicating with any PEOPLE. I just want to avoid communicating with auto-responders. On Sat, Nov 30, 2002 at 04:48:50PM +0100, Russell Coker wrote: For reference, I will not reply to such a message, but I will consider putting the entire domain in my spam filter if such messages continue. This is what could cause it. 'Stupid' content based spam filters delivering false positives to /dev/null. Neither the sender nor the recipient know about the delivery failure. Who said anything about a false positive or /dev/null? When I filter out a domain I make my mail servers return a 5xx code to the SMTP daemon that's sending the message, in the case of a false positive then the person sending the message should get a bounce (if their mail server is functional they will get a bounce). When someone convinces me that their domain is lame and I configure my servers to block it the refusal of their mail is not a false-positive, it is a correct positive! -- http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark http://www.coker.com.au/postal/Postal SMTP/POP benchmark http://www.coker.com.au/~russell/ My home page
Re: Fwd: Please confirm your message
On Sun, Dec 01, 2002 at 07:19:47PM +0100, Gerrit Pape wrote: On Sun, Dec 01, 2002 at 02:35:28PM +0100, Russell Coker wrote: The people who run such stupid filters misunderstand the way the Internet works. Maybe you should do a short research on the user of this mail handling program before saying such. Do you really think that everyone should have to jump through hoops for the privilege of communicating with you? Are you that arrogant? If you have to send an extra confirmation message every time you send an email to someone you haven't communicated with before then it will increase the number of messages required by at least 50%. That is an unreasonable burden to place on other people. I wrote the software primarily for ezmlm mailing lists, please rethink your statement with this precondition. Then, use it for mailing lists, not for your personal mail. On personal mail, it is entirely inappropriate, especially in situations like this where _you_ requested the e-mail. On Sun, Dec 01, 2002 at 08:47:04AM -0500, Michael Stone wrote: Still too much. If someone initiates a communication, they should make sure they can get the reply. Yes that's true. I usually do this. I'm not responsible for the Reply-To header in my message, the BTS mangled the headers and resent the message; and it still appears to be from me. I've set Mail-Followup-To correctly. I'm not interested in receiving private copies of mail in public discussions; I know where I post, and keep up with, in this case, the bug's history, and read debian-devel. I've noted that you two don't want to communicate with me, be it. If you don't want the BTS mail, send it to /dev/null; don't blindly request confirmation. On Sun, Dec 01, 2002 at 02:35:28PM +0100, Russell Coker wrote: PS If a spam filter blocks a message about an NMU then don't complain about not being warned... No. You receive a delivery notification, and you receive a bounce if the delivery fails. You know that your message didn't reach the recipient. And the onus is on them to get pass your stupid filter? So in theory, I could set up my mail server to bounce mail I didn't like/agree with. So if someone e-mails me regarding a bug that I don't want to fix, I bounce it. If someone e-mails me about wanting to NMU my package, I bounce it, etc. And that way I'd be immune from people NMU'ing my package. That's BS. On Sat, Nov 30, 2002 at 04:48:50PM +0100, Russell Coker wrote: For reference, I will not reply to such a message, but I will consider putting the entire domain in my spam filter if such messages continue. This is what could cause it. 'Stupid' content based spam filters delivering false positives to /dev/null. Neither the sender nor the recipient know about the delivery failure. What's stupid is people who are arrogant enough to think that everyone whom they communicate with should have to spend extra time (bandwidth, etc) getting their message through a filter. Plus, the assume guilty until proven innocent thing is ridiculous. What's also stupid is people who deliver messages found to be spam to /dev/null. What makes sense is to save all mail, and actually _look_ through messages tagged as spam to ensure that there are no False Positives. SpamAssassin can do this, and does it well. There are better solutions to the spam problem than yours. -- Duncan Findlay pgpFZWUxQM6wE.pgp Description: PGP signature
Re: Fwd: Please confirm your message
Gerrit Pape [EMAIL PROTECTED] writes: On Sun, Dec 01, 2002 at 02:35:28PM +0100, Russell Coker wrote: The people who run such stupid filters misunderstand the way the Internet works. Maybe you should do a short research on the user of this mail handling program before saying such. Some people believe they have the moral right to *reduce* the amount of mail *they* receive by sending *others* *more* mail. Or to set up robots which ask humans to confirm that they aren't robots. The world is a strange place. Get over it.
Fwd: Please confirm your message
I believe that it is inappropriate to use such an email system that does this when sending messages to the BTS. Also anyone who wants to use such a system when posting to a popular mailing list (such as debian-devel) should first put in place a white-list of people who regularly post to the list (such as me). For reference, I will not reply to such a message, but I will consider putting the entire domain in my spam filter if such messages continue. -- Forwarded Message -- Subject: Please confirm your message Date: 30 Nov 2002 15:45:19 - From: The qconfirm program [EMAIL PROTECTED] To: [EMAIL PROTECTED] Hello, this is the qconfirm mail-handling program at [EMAIL PROTECTED]. One or more messages from you are being held because your address was not recognized. To release your pending message(s) for delivery, please reply to this request. Your reply will not be read, so an empty message is fine. If you do not reply to this request, your message(s) will eventually be returned to you, and will never be delivered to the envelope recipient. This confirmation verifies that your message(s) are legitimate and not junk-mail. Regards, the qconfirm program, http://smarden.org/qconfirm/ --- Below this line is the top of a message from you. Received: (qmail 11395 invoked from network); 30 Nov 2002 15:45:18 - Received: from tsv.sws.net.au (203.36.46.2) by 0 with SMTP; 30 Nov 2002 15:45:18 - Received: from lyta.coker.com.au (localhost [127.0.0.1]) by tsv.sws.net.au (Postfix) with ESMTP id 83FC292668; Sun, 1 Dec 2002 02:44:48 +1100 (EST) Received: from lyta (localhost [127.0.0.1]) by lyta.coker.com.au (Postfix) with ESMTP id 1E1FA908E; Sat, 30 Nov 2002 16:44:40 +0100 (CET) Content-Type: text/plain; charset=iso-8859-1 From: Russell Coker [EMAIL PROTECTED] Reply-To: Russell Coker [EMAIL PROTECTED] To: Gerrit Pape [EMAIL PROTECTED], [EMAIL PROTECTED] Subject: Re: Bug#171253: ITP: libdjbdns -- DNS client library designed to replace the BIND res_*/dn_* library Date: Sat, 30 Nov 2002 16:44:39 +0100 User-Agent: KMail/1.4.3 References: [EMAIL PROTECTED] In-Reply-To: [EMAIL PROTECTED] MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Message-Id: [EMAIL PROTECTED] On Sat, 30 Nov 2002 15:34, Gerrit Pape wrote: License: Bernstein has put the .[ch] files (dns.h, dns_dfd.c, dns_domain.c, dns_dtda.c, dns_ip.c, dns_ipq.c, dns_mx.c, dns_name.c, dns_nd.c, dns_packet.c, dns_random.c, dns_rcip.c, dns_rcrw.c, dns_resolve.c, dns_sortip.c, dns_transmit.c, dns_txt.c) and all necessary lower-level .[ch] files into the public domain[1]. I do not plan to make any changes to those files, so Bernstein's djbdns security guarantee[2] applies. My additions to the package will be licensed under a BSD compatible license. The URL did not make this license adequately clear to me. Does this specifically differ from the license of Qmail? --- -- http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark http://www.coker.com.au/postal/Postal SMTP/POP benchmark http://www.coker.com.au/~russell/ My home page
