Bug#164344: Bug#160529: (ITP of ASK) should not be packaged



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Fri, Oct 15, 2004 at 01:06:04AM -0500, Branden Robinson wrote:

>> ASK has a whitelist, an ignorelist and a blacklist. The blacklist sends back
>> a "nastygram" informing the user that we do not want to receive further
>> messages from him/her. Unfortunately (and yes, this is my fault), I never
>> imagined someone would add a mailing-list to his blacklist (sounds just too
>> insane, doesn't it?). Well, it happened, and I'm now dumping the blacklist
>> feature entirely to protect the community from people who use it incorrectly.
>
>My original rant was based on two things:
>
>1) You seemed to be unaware of a certain lesson from history[1].
>2) Anything that claims to be a "spam killer" is going to attract
>   apoplectic and irrational people who will stop at nothing to sate their
>   desire for vigilante justice against spammers.  Many of these people are
>   simply not mature enough to take into account the innocent bystanders
>   they may inconvenience by using your software to vent their spleens.
>   In my opinion, it was poor judgement on your part to hand people this
>   sort of loaded weapon.  People *will* be insane.  People *will* be
>   stupid.  I realize you've already acknowledged that this was an error on
>   your part -- I am not trawling for an apology.
>
>I would withdraw my objection if ASK as packaged in Debian will omit
>whatever part of the code autoreplies with a nastygram.  If dropping the
>blacklist entirely will achieve that, then that's fine with me.

That's the intention. I'll be releasing beta 2.5.1 soon, already without
the blacklist "nastygram" feature. Email addresses in the blacklist will be
automatically ignored, of course. This should keep a reasonable degree of
backwards compatibility while minimizing this kind of situation.

I take any email loop possibilities very seriously. Despite Karsten's "paper"
saying otherwise, ASK has protection against mail loops and it will also do
all kinds of heuristics to prevent the confirmation from being sent to a
mailing-list.

Of course, nothing can be done against spoofed addresses. If someone spoofs
your address, you will receive a confirmation challenge, even though you
never sent the original email. This, unfortunately, is a problem with
SMTP and there is nothing that can be done about it with the current
technology. I, for myself, receive tons of "mailer-daemon" bounces from
spammers and viruses. Honestly, I don't think ASK adds too much to the problem.

>I don't want to try to micromanage how your code is written or how its
>eventual Debian package maintainer does his or her job -- my position is
>simply to exhort people (as strongly as I need to) not to make it easy for
>idiots to attack Debian's mailing lists.  Things that send automatic
>replies to mail messages are, if not designed for abuse, easily perverted to
>it -- if one doesn't take fairly elaborate precautions like the one I
>described.

I understand your position, and believe me, I agree with it.

Regards,
Paga


- -- 
Marco Paganini          | UNIX / Linux / Networking
paganini@paganini.net   | PGP: http://www.paganini.net/pgp/
http://www.paganini.net | Magnus Frater te spectat...
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBcbkJL2FWjNfH2XwRAqJRAJ9BSFHRhiOeLKYT1jmEbd3NI4eqZQCeNy7/
urj186cJh/UG5OTHKIjkMGc=
=tGuV
-----END PGP SIGNATURE-----
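
The kind of pre-send check the message above describes (loop protection plus heuristics that keep a confirmation challenge away from mailing lists), as an added example that is not ASK's code and not part of the original e-mail. The function name, the `X-Challenge-Loop` marker and the sample messages are assumptions constructed for illustration; the header checks follow RFC 3834 and the common List-* header conventions.

```python
from email import message_from_string
from email.utils import parseaddr

LOOP_HEADER = "X-Challenge-Loop"  # hypothetical marker stamped on our own challenges
LIST_HEADERS = ("List-Id", "List-Post", "List-Unsubscribe", "Mailing-List")
BULK_PRECEDENCE = {"bulk", "list", "junk"}
ROBOT_LOCALPARTS = {"mailer-daemon", "postmaster", "listserv", "majordomo"}
ROBOT_SUFFIXES = ("-request", "-owner", "-bounces")


def challenge_block_reason(raw, my_addr):
    """Return why a challenge must NOT be sent, or None if it may be."""
    msg = message_from_string(raw)
    rpath = msg.get("Return-Path", "").strip()
    if rpath == "<>":  # null envelope sender: the message is itself a bounce
        return "null return-path"
    # RFC 3834: do not auto-respond to automatically generated mail.
    auto = msg.get("Auto-Submitted", "no").split(";")[0].strip().lower()
    if auto != "no":
        return "auto-submitted"
    if msg.get("Precedence", "").strip().lower() in BULK_PRECEDENCE:
        return "bulk precedence"
    for header in LIST_HEADERS:  # list software stamps these
        if header in msg:
            return "list header " + header
    if msg.get(LOOP_HEADER, "").strip().lower() == my_addr.lower():
        return "own loop marker"  # our challenge came back to us
    sender = parseaddr(rpath or msg.get("From", ""))[1].lower()
    local = sender.partition("@")[0]
    if not sender or local in ROBOT_LOCALPARTS or local.endswith(ROBOT_SUFFIXES):
        return "robot sender"
    return None  # a forged sender still lands here; headers cannot reveal spoofing


# Constructed sample messages (not taken from any real mailbox).
SAMPLES = {
    "list": "From: a@example.org\nList-Id: <devel.lists.example.org>\n\nhi\n",
    "bounce": "Return-Path: <>\nFrom: MAILER-DAEMON@example.net\n\nfailed\n",
    "vacation": "From: b@example.org\nAuto-Submitted: auto-replied\n\naway\n",
    "admin": "From: devel-request@lists.example.org\n\nhelp\n",
    "person": "Return-Path: <c@example.org>\nFrom: C <c@example.org>\n\nhello\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, "->", challenge_block_reason(raw, "me@example.com"))
```
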


