jw schultz jw at
Thu Nov 14 20:42:00 EST 2002

On Thu, Nov 14, 2002 at 03:01:02PM +0000, Bruno Ferreira wrote:
> At 12:42 14-11-2002 +0100, you wrote:
> >I was surprised that the list seems to be "open",
> >that I can post with an email address other than the one I'm subscribed with.
> >
> >Many other lists are "closed", only "subscribers" can post
> >on them, making spamming much more difficult.
> >
> >On those "closed" lists I have 2 accounts, to avoid
> >getting non-list emails (mostly spam) to my list account
> >or that address into spammers' database.
> >One address only for the mails from the list,
> >and one address I use to post to the list.
> >To avoid getting the list twice that "post only" account
> >is in "vacancy" for the next 10000 days (there is a year 2036
> >problem at least in "listar"...).
>         I was about to suggest exactly this. A good example is the PHP-doc 
> mailing list (if I can recall), that uses a simple method: if the posting 
> e-mail is not a subscriber, then:
>         - Hold its message
>         - Send an email to that address stating that, once it is not a 
> subscriber, it must reply to "this" e-mail (which contains some sort of 
> message ID/stamp).
>         - If it's a real person on the other side, he/she will reply and 
> the message gets posted. If no reply is obtained for say... 3 days (?) then 
> the original message gets discarded.

Hmm.  Sounds like an ideal candidate for DoS.  Someone sends
a pile of large emails and doesn't confirm.  I'd feel better
using an in-message cookie so the reply would be what gets
posted (sans cookie).  Reply should also add the original
address as OK to post so the process doesn't have to repeat,
at least for a while.
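
One way to implement the in-message cookie described above, as an added example that is not part of the original post or of any list software: the server stores nothing for an unknown sender, so unconfirmed large mails cost it no disk. The HMAC-SHA256 cookie, the `Post-Cookie:` line, both time limits and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import re
import time

SECRET = b"constructed-demo-key"  # assumption: secret known only to the list server
COOKIE_TTL = 3 * 86400            # assumption: the 3-day window floated in the thread
ALLOW_TTL = 30 * 86400            # assumption: "for a while" taken as 30 days
# Hypothetical cookie line the poster keeps at the start of a line in the reply.
COOKIE_RE = re.compile(r"^Post-Cookie: (\d+)\.([0-9a-f]{64})\n", re.M)

allowed = {}  # sender address -> time at which posting permission expires


def _mac(sender, issued):
    # Bind the cookie to the claimed address and its issue time.
    msg = f"{sender.lower()}|{issued}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def make_challenge(sender, now=None):
    """Build the cookie line for the challenge mail; nothing is stored."""
    issued = int(now if now is not None else time.time())
    return f"Post-Cookie: {issued}.{_mac(sender, issued)}\n"


def handle_post(sender, body, now=None):
    """Return ('post', text), ('challenge', cookie_line) or ('reject', reason)."""
    now = int(now if now is not None else time.time())
    sender = sender.lower()
    if allowed.get(sender, 0) > now:
        return ("post", body)  # confirmed earlier, still within ALLOW_TTL
    m = COOKIE_RE.search(body)
    if not m:
        # Unknown sender, no cookie: drop the body, answer with a small challenge.
        return ("challenge", make_challenge(sender, now))
    issued, mac = int(m.group(1)), m.group(2)
    if not hmac.compare_digest(mac, _mac(sender, issued)):
        return ("reject", "bad cookie")
    if not 0 <= now - issued <= COOKIE_TTL:
        return ("reject", "expired cookie")
    allowed[sender] = now + ALLOW_TTL  # no repeat challenge for a while
    return ("post", COOKIE_RE.sub("", body, count=1))  # posted sans cookie
```
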

