[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Dealing with spam on the mailing lists

Hello, and thanks for the reply.

On Tue, 24 Dec 2019 10:25:58 +0100
Alexander Wirt <formorer@formorer.de> wrote:

> Several spammers subscribe. 

That's something I was fearing, but unless that's the majority of the
spam, I wouldn't disregard the whitelisting approach just because of
that possibility. Are there any metrics for how many spams actually go
to such lengths?

> > This system would replace the currently optional
> > <whitelist et lists.d.o> system
> > (https://lists.debian.org/whitelist/) with a _required_ opt-in.
> > (And it could start by importing subscribed addresses from that
> > list.)  
> Several spammers do that too. 

Well, that is quite unfortunate.

> > In terms of implementation, I feel this could be a lightweight
> > solution. It could be written as a postfix access table check and
> > milter; or in the case of exim here(?), a milter program would work
> > for that MTA as well, I believe?  
> I fear that this will not help a lot or at least not for a long time. 

There is always the certainty of spammers escalating, after seeing
diminishing returns.

But, at least in my opinion, spammers who run a targeted operation
against the lists, by registering, are a different level of severity.
That's like the difference between thievery, where the door was
open, and breaking and entering: seeing the barrier, yet choosing
to circumvent it.
(And that level of dedication then suggests an elevated response.)

The current situation looks really quite untenable on some of the lists.
And while the effectiveness may or may not decrease over time, it will
add several bumps to the spammers operations, long term.

Since then there needs to be a valid return path to the spammer:
They need to have control over the address, possibly the domain, and be
(or have been) reachable at it, for at least some time.
This can no longer be done as a "drive-by" with a faked address.

But I also feel that this would be limited to fewer spam incidents than
we currently see on the lists, long term.
The remainder would be easier to keep on top of through moderation.

Which means a very definite target for abuse complaints and a
reputational impact to originating domain.

And while I'm no lawyer, that feels a lot more actionable on, legally
speaking; if it were pursued.

Reply to: