[vox] Re: spam control: send email to confirm

[Micah J. Cowan]

On Wed, Jun 25, 2003 at 03:37:44PM -0700, Sam Peterson wrote:
> > Something which wouldn't prevent this abuse (but could make it less
> > effective), would be to keep a temporary record of confirmation
> > requests sent out recently, and not resend them to the same address
> > for a given period.
> 
> The above website I believe has just such a safe guard, but I still
> think that's a horribly ineffective defense.

But what would you recommend as replacement? You pointed out that the
deluge of confirmation e-mails were a PITA; but imagine if that site
had *not* used any confirmation (all too frequent, still, these days),
then your friend would instead have received a potentially *much*
huger quantity of mail. And they would not have stopped
coming. Well-executed mail-bombs have that behavior; your friend
should thank his/her lucky stars that the attacker was apparently a
moron.

Remember that it's almost as easy to write a Perl script to
auot-submit to 50 separate sites, each with a different mailing list,
as to auto-submit to a single site with 50 mailing lists; so the fact
that all those lists were at one spot doesn't really perturb me.

But there really isn't any other way I can think of to confirm e-mails
reliably.

> > A's system doesn't necessarily have to be too terribly smart for this
> > to work: especially if the confirm bots standardize on procedure.
> > 
> > The common e-mail confirmation request expects some random string in
> > the Subject line or the message body. So if confirmation bots make a
> > habit of including the subject line and original message, similar to
> > what most mail readers do when you hit the "Reply" button, then we
> > should be okay.
> 
> One hopes :-).  I view autoresponses in general as basically evil.

Yeah, I'm not sure about how I feel in using them for auto-spam
confirmations. They are an absolute necessity for mailing lists though
(as explained above).

-Micah