[Samba] Re: [OT] spam

Martin Pool mbp at samba.org
Wed Oct 15 01:25:01 GMT 2003


On 14 Oct 2003, "J. Frisbie" <frisbie at MIT.EDU> wrote:

> > What would you like us to do differently?

I see your original message was a bit misleading: you said that you
"singed up for the samba", but in fact you also posted to the list,
thus disclosing your address.

First of all: we don't disclose the subscriber addresses to anyone.
The roster of list members is not available from the web page.  If you
subscribe and do not post, nobody will know your address.

Just to be absolutely clear:

 - We don't disclose the subscriber addresses.

 - We are not sending you viruses or spam.

 - Sometimes spam does get onto the lists.  We filter out the vast
   majority of it.  There is no perfect filtering solution.

 - This is a public list.  Anything you send to it can be read, used
   or archived by anyone in the world.  We explain this reasonably
   clearly. 

 - We have no control over people who might be sending you viruses.
   You need to complain to their network admin or your network admin
   or your government.

** If you want something to remain secret, do not post it. **

I personally don't think keeping your address secret is a good
solution to spam, but you can try it if you want.

I think we are being responsible.  The problems are not of our making,
and we do our best to reduce them.  If you have any concrete
constructive suggestions we'll consider them.

I see you are posting from Outlook, which is the overwhelmingly most
common virus vector.  Calling us irresponsible is pretty cheeky.  If
Outlook went away, the email virus problem would nearly disappear
overnight.

> [your suggestions:]

> You have some unscrupulous list subscriber who bombards addresses
> that appear on the list with viruses.

If you tell me who they are, we will remove them from the list.
 
> Do not send messages to the list with machine parseable return
> addresess.

We pass through messages with whatever address the sender uses.  Some
people choose to post from addresses other than their real one, and
that is allowed.  Of course they take the risk of not seeing direct
replies.

Addresses in the list archives are not easily machine parseable:

  http://lists.samba.org/archive/samba/msg72578.html

Other people can archive it however they want.

> Make the reply to address the mailing list, not the person who sent the
> message. 

I don't understand how you think this would help the spam or viruses
problem.

If anything, it will cause more misconfigured antivirus software to
send messages to the list, thus annoying everyone and just the poster.

> Vet your subscriber list.

Since people other than subscribers can read the list archives, this
too would not prevent people sending viruses to you.

But leaving that aside, how do you suggest we vet it?  I can't think
of any test we could easily do over email that would reliably
distinguish good people from evil.  Are we supposed to guess that
"frisbie doesn't look like a real name, so we won't allow it?"

We could disallow people who're using insecure clients like Outlook,
but unfortunately there's a large overlap with Samba's userbase.

> Allow only subscribers to post to the list.

That has nothing to do with people sending viruses direct to you. 

Doing this in addition to the spam filtering we already have in place
might reduce the amount of spam getting onto the list.  On the other
hand it would impede people who want to just ask one question, which
is pretty common.  We may yet do it in the future.  

Since many viruses forge their From address, verifying the From
address may not help much anyhow.

This would also block people who want to post from an obscured
address.

Terry suggested:

> Quit forwarding the list onto Usenet, at least with email addresses
> exposed (what's the real use of this, considering it's not that big of
> a deal for people to subscribe?)

I think it is very useful for people who want to read through the list
archives without receiving every message as its sent.  It supports a
use mode that's more useful to some people than either email or web
archives.

I will consider hiding the sender addresses.

> I don't have this problem with other lists (this account is subscribed
> to at least 20), so there's no reason why we should have these
> problems here, either.

That is a bit of a non sequiter.

I don't know what other lists you're on.  Similarly high-profile lists
at kernel.org or debian.org seem to have similar policies and our
level of spam is as good or better.

-- 
Martin 



More information about the samba mailing list