From: Robert Hettinga <rah@shipwright.com>
Date: Fri, 27 Dec 1996 06:24:52 -0800 (PST)
To: cypherpunks@toad.com
Subject: Re: Forged addresses
Message-ID: <v0300784daee974a92a6d@[139.167.130.248]>
MIME-Version: 1.0
Content-Type: text/plain



--- begin forwarded text


Date: Fri, 27 Dec 1996 00:01:40 -0800
From: Chuq Von Rospach <chuqui@plaidworks.com>
Subject: Re: Forged addresses
To: listmom-talk@skyweyr.com
Mime-Version: 1.0
Precedence: Bulk
Reply-To: listmom-talk@skyweyr.com

At 8:55 PM -0800 12/25/96, Joshua D. Baer wrote:

>Do you mean that new subscribers will not be allowed to post until they get
>personal "approval" from the listmaster?  What lists would you implement
>this on?  I'd be worried about scaring new people off... it might make
>people afraid to post.

Actually, a two-level beast. *All* lists become moderated. Every
posting that's not from a validated moderator therefore goes to the
moderator for approval. If someone on the list wants to post without
delays, they can become moderated, thereby becoming a "moderator".
Users don't have to -- but put up with posting delays until the
moderator comes into the loop.

It's somewhat more work for me as moderator. It's a significantly
reduced noise level for the list. It forces a positive acceptance of
the list rules before someone can post to the list, so this "stupidity
by ignorance" goes away -- it also stops the subscribe-and-spam hit and
runs, of which I've been nailed by two this month (those are new.
Spammers traditionally haven't been smart enough to subscribe, so the
non-subscriber limitation has nuked them. These two subscribed, then
one set up an auto-bot on his address to respond to every bloody
message on the lists with his ad -- to the list. 90 messages later...
The other guy just subscribed and started blatting. Both, once I had
chats with their postmasters and webmasters, found themselves no longer
with email or web addresses, but...)

It has, literally, gotten to the point where I can no longer assume
that someone can:

a) type in their email address correctly.
b) read instructions.
c) follow instructions.
d) behave.

so I'm having to revamp my systems to protect them from this new
class(es) of internet user. The days of laissez-faire administration
are dead. The braindead, the novice blunderer and the spammer have
killed them.

Sad but true.

So to cut out the Spammers and the folks who have no clue what their
email is, my systems will be going to the
confirmation-reply-before-subscribe setup. The bogus addresses will
bounce before subscription, and the spammers will only be able to send
them single pieces of e-mail, not sign them up. It's *more* hassle for
end-users and reduces ease of use, but sometimes, you have to make
things a little tougher for the good of everyone. You can make things
too easy, and unfortunately, things are too easy for the spammers, so
everyone has to suffer a little bit to put THOSE idiots back in the
sewer (while I was gone, there was a major spam attack using
plaidworks, to the tune of about 25 addresses. Fairly sophisticated in
some ways, but mostly, they knew when I wasn't looking and got around
my traps. We're backtracking them as we speak, but in one case, they
seem to have broken into a machine to send the spam attack, so it'll be
tough...)

And to cut out the babblers and other idiots who don't believe they
need to behave, be polite, follow rules or whatever, I'm going to make
all lists moderated, and then extend moderation priviledges to the
"trusted" set of users. That's one way of pulling this off without
having to rewrite the list servers, as long as they support multiple
moderators.

Oh, and on the topic of spammers, here's a warning: some of the
spammers seem to have a new, amusing hack: they're forging email aimed
at MAILBOTS (like info@plaidworks.com -- and doesn't just about *every*
site have at least one mailbot these days?) such that the bot responds
to the person being spammed. This one's fairly noxious, because there's
no subscription or anything, and generally no address validation (how
can you validate addresses coming to a mailbot? Um, you can't,
basically), and I don't know about you, but I don't log mailbot
requests. Well, I will starting tomorrow...

Anyway -- if you have mailbots, be aware that people might be starting
to use them as attacks, also. It requires more work from them, given
that mailbots only send one message per incoming, but if you can build
a script that sends mail to 1,000 sites and their info@ address, I'm
not sure the person being spammed will realize that it could have been
*worse*.

And suggestions on how to continue to make mailbots available AND make
them reasonably safe encouraged. Logging incoming so you can backtrack
headers and try to nail the spammer is at least one way to keep it
relatively honest, but I'd rather stop it than patch it together again.
That gets tired...


--
           Chuq Von Rospach (chuq@solutions.apple.com) Software Gnome
       Apple Server Marketing Webmaster <http://www.solutions.apple.com/>

 Plaidworks Consulting (chuqui@plaidworks.com) <http://www.plaidworks.com/>
   (<http://www.plaidworks.com/hockey/> +-+ The home for Hockey on the net)

I got no name or number/ I just hand out the lumber.
But if I get a chance to play/ I'm going to show 'em.
		-- Stick Boy (The Hanson Brothers, SUDDEN DEATH)

--- end forwarded text



-----------------
Robert Hettinga (rah@shipwright.com), Philodox,
e$, 44 Farquhar Street, Boston, MA 02131 USA
"The cost of anything is the foregone alternative" -- Walter Johnson
The e$ Home Page: http://www.vmeng.com/rah/