On Mon, Apr 07, 2008 at 02:43:56PM +0200, Johannes Wiedersich wrote: > Johannes Wiedersich wrote on 2008-04-07 14:31: > >> I understand the issue about not wanting to limit posters to the list of > >> subscribers. However, perhaps there should be a whitelist or somthing > >> to which non-subscribers can post with the same handshaking as the > >> subscription protocol? > > > > There is: > > http://lists.debian.org/whitelist/ > > Sorry, I misunderstood you, Doug. > > IIUC, you propose that there is a special way for non-subscribers to > post, that locks out spammers at the same time? How should that work?
My suggestion is that the mailing list manager only allow posts from email address (after checking for suspicious headers and other spam filters that it already does) which are contained in a whitelist database. This database would be populated automatically by the subscription handshaking process or by an identical handshaking process to be added only to the white-list. Remember the email that the listmanager sent to you saying something like "someone sent an email from this email address requesting that this email address be added to the list of recipients of the debian-user mailing list. If you with this to be the case, reply to this message leaving the subject line intact". The same kind of handshaking, changing a request for subscription to a request for permission to post to any public debian mailing list, would put off spam sites on two fronts: 1. The spam site would have to arrange to actually receive mail back and respond to it appropriatly complete the handshaking. 2. If a registered poster (member of the whitelist) sends spam, they get a query or warning (which could be automated) and the spam is held in escrow (not sent to the list) until this is resolved. If it is not resoved, or if the spam is repeated, a final notice of termination is sent and the email address is removed from the white list. If they try to rejoin the whitelist and there is an unresolved spam issue, then the initial query warning is sent instead and the issue must be resoved before they are reinstated. > > The only thing I could imagine, is one of those silly 'type the letters > that you find in this image' stuff. > That simply drives spammers to OCR or other tricks and locks out others > (blind, color blind etc.), and adds an additional layer of annoyance to > the rest of us. No, not what I mean at all. > [I get angry against spammers, but I would rather rely on my spam filter > and ignore the odd spam that gets through than to make it more difficult > for people to post. ] Agreed. I propose a protocol to get onto the whitelist and to handle the whitelist membership. Once someone is a member in good standing, they can send. To cope with the sending from random sites (e.g. internet cafes), it would get more interesting but only if the person's email ISP doesn't have a web-mail service. Since such webmail services require the user to enter a password (and generally don't have facilities for one-time passwords), perhaps a OTP protocol for the mailing lists could be used. Thus: 1. a member of the whitelist requests the list-manager to email a set of one-time passwords for use when at non-whitelist (or even blacklist?) ISPs (e.g internet cafe). 2. member sends email to list from non-whitelist email but includes their normal email address and the OTP on the subject line (in case the location where you are sending doesn't let you just set an arbitrary header). 3. the list-manager allows any email from a member if it includes a OTP that was issued to them. If instead all users were issued OTPs from a single name-space, then each OTP would be very long and more prone to typos (i.e. they'd look like MD5 sums rather than a login password). 4. OTPs are of course one-time only so the list manager would have to handle the maintance of the OTPs. 5. If a member uses an OTP to actually send spam, then the same protocol as (2) above would be followed. Doug. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
