Hi folks,

You may have noticed that we've had a difficult time enforcing appropriate standards of mailing list behavior against a particular troll over the past year or so. The problem is largely a technical one: by using throw-away Yahoo! Mail accounts and relaying messages through tor (http://tor.eff.org/), he evades traditional list filtering mechanisms and avoids real-world accountability for his actions without any penalties that are of concern to your run-of-the-mill sociopath.

Brainstorming on IRC has led to a proposed filter enhancement to block all mails sent to this list that have been relayed at any point through a known tor router. This would have the effect of preventing our troll from sending any further mails to this mailing list without disclosing his real location on the Internet and exposing himself to legal accountability. It would also mirror the existing ban list in place on the IRC network, which prevents people from joining #debian-women when connected through tor routers.

I brought this suggestion to the listmasters, and one of them agreed that this would be an ok solution if it is the consensus among the legitimate list participants here that such a filter is appropriate, so this message is a request for comments on the proposal.

Other solutions have been suggested. There has been an offer to moderate all messages to this list for a while, but that's only a solution for the current round of abuse and doesn't help with future abuse once the moderation is dropped. It's been suggested that the list should be closed to non-subscribers, but that doesn't stop an attacker from subscribing and *then* posting. It's even been suggested to block/moderate messages from yahoo.com, but yahoo.com is a large mail provider with a significant number of legitimate users, some of whom may be interested in posting to this list, so such a filter could lead to an unacceptably high number of false-positives. Blocking mail relayed through tor is a solution with minimal on-going costs and minimal collateral damage, so I believe it's the solution that should be used here.

On the subject of collateral damage: some will point out that tor is a service with legitimate applications, including some that are close to the heart of many on this list, such as protection against invasion of privacy by corporations, defense against persecution by totalitarian governments, and freedom of association for at-risk women. While these are all valid uses of tor, I believe the intersection of these uses with posting to the debian-women mailing list is approximately zero: while we don't want to be responsible for preventing such people from contributing to Debian in general, there's no need for them to be able to post to debian-women in the process, and in many cases it's probably safer for them if they don't do so. I'm not aware of any legitimate posters to this list that are using tor when sending mail, and I can't think of any realistic cases in which it would be necessary for someone to do so.

It's also been suggested to filter on tor but use this to redirect mails to a moderation queue, rather than rejecting the mail. This has the usual problem of such proposals, that someone has to do the work of checking the moderation queue every time there's a junk post (= high on-going cost), and legitimate posters may find their mail delayed much longer in a moderation queue than they would be if they had simply received a bounce and chosen a different way to send the mail.

Do people think this sounds workable? Have I overlooked any concerns you have about such an approach, or do you believe there's a better option?

Cheers,
--
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
vorlon@debian.org                                   http://www.debian.org/

Attachment:
signature.asc
Description: Digital signature
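
The filter proposed in the message above, sketched as an added example (not code from the post or from the Debian listmasters): it collects every address literal recorded in the Received and X-Originating-IP headers and rejects the mail when any of them is on a relay list. The relay list, host names and addresses are constructed, with documentation address ranges standing in for real ones, and the function names are hypothetical.

```python
import ipaddress
import re
from email import message_from_string

# Constructed relay list. A real filter would load a regularly refreshed
# list of known tor routers; where that list comes from is an assumption.
KNOWN_TOR_RELAYS = {ipaddress.ip_address(a) for a in ("203.0.113.7", "2001:db8::7")}

# Address literals as MTAs usually record them: [192.0.2.1] or [IPv6:2001:db8::1]
ADDR_LITERAL = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")

def relay_addresses(raw_message):
    """Return every parseable IP in the Received / X-Originating-IP headers."""
    msg = message_from_string(raw_message)
    headers = (msg.get_all("Received") or []) + (msg.get_all("X-Originating-IP") or [])
    found = []
    for value in headers:
        for literal in ADDR_LITERAL.findall(value):
            try:
                found.append(ipaddress.ip_address(literal))
            except ValueError:
                continue  # bracketed text that is not an address
    return found

def tor_hops(raw_message, relays=KNOWN_TOR_RELAYS):
    """Addresses in the relay path that appear on the known-relay list."""
    return [a for a in relay_addresses(raw_message) if a in relays]

def verdict(raw_message):
    """'reject' if the mail passed through a listed relay at any point."""
    return "reject" if tor_hops(raw_message) else "accept"

# Constructed sample: webmail submission whose HTTP client is a listed relay.
VIA_TOR = """\
Received: from web.mail.example (web.mail.example [198.51.100.20])
    by lists.example.org with ESMTP; Mon, 1 Jan 2007 10:00:02 +0000
Received: from [203.0.113.7] by web.mail.example via HTTP;
    Mon, 1 Jan 2007 10:00:00 +0000
From: someone@mail.example
Subject: constructed sample

body
"""
# Same message submitted from an address that is not on the list.
DIRECT = VIA_TOR.replace("203.0.113.7", "192.0.2.44")

if __name__ == "__main__":
    print(verdict(VIA_TOR), verdict(DIRECT))
```

Only the headers added by hosts the list server trusts are reliable; anything below them is supplied by the sender, so a match there is a hint rather than proof of the path taken.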