On Tuesday, Sep 24, 2002, at 16:41 US/Pacific, Phil Tanny wrote:
[kind words snipped]

>> There's also the problem of messages which don't come
>> from real people - postmaster, various autoresponders for websites,
>> etc. Would you want to be the guy at Yahoo who receives a flurry of
>> these every time an automatic notification goes out?
>
> In the current system, the Yahoo guy should use confirmed
> opt-in, which imposes an inconvenience upon his users, and
> loses him some of his audience.
>
> In a white list world, this confirm procedure can be replaced
> by the act of white listing, which involves an inconvenience
> for his users, and loses him some of his audience.

What I had in mind were things like the notifications people sign up
for with stocks, new postings in message areas, order status changes,
auction events, etc. The From address is a role
("[EMAIL PROTECTED]"), not a person, so it'll get a challenge
from new subscribers every time a notice goes out.

There are also some mailing-list-specific problems apart from broken
lists which rewrite From addresses (they deserve to be broken). A
confirmed subscription requires an exchange which will fail until the
user whitelists the subscription address. I'd need to check but I think
there might also be a problem with the systems which use custom reply
addresses to avoid the need to embed a distinctive tag in the body of
the message - if your challenge-bot wasn't careful, it might
automatically confirm any subscription verification!

The big problem with mailing lists is posting to a large list - picture
what would happen if you posted a message to BUGTRAQ and received a
challenge from any appreciable fraction of the 50,000-odd subscribers.

I like a distributed trust system which would allow many people to
simply check that some critical level of spammer votes hadn't been
reached - basically a non-user-specific whitelist.

Unfortunately, this is a hard problem to solve since you have to think
about the various ways people will try to game the system. Checking on
spam reports prevents spammers from giving their throwaway accounts
"non-spammer" votes from other throwaways but it allows people to start
gaming the system. If nothing else, spammers could register throwaway
accounts and start reporting almost everyone as spammers in an attempt
to make the system unworkable. Biasing against new accounts helps there
but I'm still not sure how we'd prevent a long-term effort - picture a
spammer registering an account, maybe even correctly reporting some of
their competitors, and then suddenly going rogue. A web of trust where
you can choose which users you trust helps but there's a big
chicken-and-egg problem getting one started.

Chris
_______________________________________________
spamcon-general mailing list
http://mail.spamcon.org/mailman/listinfo/spamcon-general#subscribers
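
The failure modes raised in the message above (challenges sent to role addresses, to list posters, and to subscription-confirmation reply addresses) can be screened before a challenge-bot replies. This is an added example, not part of the original message or of any particular tool; the function name, role list and token-address pattern are assumed heuristics.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed heuristics, not from the original message: role local parts and
# token-style reply addresses that list software may treat as a confirmation.
ROLE = {"postmaster", "mailer-daemon", "noreply", "no-reply", "notify"}
TOKEN_ADDR = re.compile(r"(confirm|subscribe|request|bounce)", re.I)

def decide(raw, whitelist):
    """Return (action, reason): 'deliver', 'challenge' or 'hold' (no auto-reply)."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    # A challenge goes wherever a reply would go, so inspect that address too.
    target = parseaddr(msg.get("Reply-To", ""))[1].lower() or sender
    if sender in whitelist:
        return "deliver", "whitelisted"
    if TOKEN_ADDR.search(target.partition("@")[0]):
        return "hold", "reply address may auto-confirm"
    if msg.get("List-Id") or msg.get("Precedence", "").strip().lower() in ("bulk", "list"):
        return "hold", "mailing-list traffic"
    if msg.get("Auto-Submitted", "no").strip().lower() != "no":
        return "hold", "machine-generated"
    if msg.get("Return-Path", "").strip() == "<>":
        return "hold", "bounce"
    if not sender or sender.partition("@")[0] in ROLE:
        return "hold", "role or missing sender"
    return "challenge", "unknown individual sender"

# Constructed sample messages (example.* domains), not real traffic.
PERSON = "From: Pat <pat@example.org>\nSubject: hello\n\nhi\n"
LIST_POST = ("From: Pat <pat@example.org>\nList-Id: <biglist.example.net>\n"
             "Precedence: bulk\nSubject: [biglist] re: patch\n\ntext\n")
CONFIRM = ("From: biglist-request@example.net\n"
           "Reply-To: biglist-confirm+3f9a@example.net\n"
           "Subject: confirm 3f9a\n\nReply to confirm.\n")
NOTICE = "From: notify@example.com\nSubject: Order shipped\n\nstatus\n"

if __name__ == "__main__":
    for name, raw in [("person", PERSON), ("list", LIST_POST),
                      ("confirm", CONFIRM), ("notice", NOTICE)]:
        print(name, decide(raw, whitelist={"friend@example.org"}))
```

Here "hold" means the message is queued for the recipient to review and nothing is sent back, so the bot cannot confirm a subscription or flood a list poster on its own.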