[vox] Re: spam control: send email to confirm

Sam Peterson vox@lists.lugod.org
Wed, 25 Jun 2003 19:48:52 -0700


On Wednesday, Jun 25 2003, Micah J. Cowan spake thus:
> On Wed, Jun 25, 2003 at 03:37:44PM -0700, Sam Peterson wrote:
> > > Something which wouldn't prevent this abuse (but could make it less
> > > effective), would be to keep a temporary record of confirmation
> > > requests sent out recently, and not resend them to the same address
> > > for a given period.
> > 
> > The above website I believe has just such a safeguard, but I still
> > think that's a horribly ineffective defense.
> 
> But what would you recommend as replacement?

I don't have any recommendations, I don't know how to implement a
better defense given the email system :-).  This mechanism is
effective for one user.  However, in the volume bombing idea I
mentioned, it can't guard against having multiple users at the same
site bombed, which is what I was stating is the problem.  One user
being bombed this way is no big deal, several 100 to several 1000
email addresses in one firm however, ouch...

Unlikely, but ouch.

> You pointed out that the deluge of confirmation e-mails were a PITA;
> but imagine if that site had *not* used any confirmation (all too
> frequent, still, these days), then your friend would instead have
> received a potentially *much* huger quantity of mail.

I agree confirmations are a good thing, they're meant to already
circumvent a much more evil mail bomb.

> Remember that it's almost as easy to write a Perl script to
> auto-submit to 50 separate sites, each with a different mailing list,
> as to auto-submit to a single site with 50 mailing lists; so the fact
> that all those lists were at one spot doesn't really perturb me.

Saves lots of time in gathering a bunch of mailing lists though :-).

> But there really isn't any other way I can think of to confirm
> e-mails reliably.

PGP/GPG but that's way too complicated a bag-o-worms to open up for
mailing list subscriptions.

> > > A's system doesn't necessarily have to be too terribly smart for this
> > > to work: especially if the confirm bots standardize on procedure.
> > > 
> > > The common e-mail confirmation request expects some random string in
> > > the Subject line or the message body. So if confirmation bots make a
> > > habit of including the subject line and original message, similar to
> > > what most mail readers do when you hit the "Reply" button, then we
> > > should be okay.
> > 
> > One hopes :-).  I view autoresponses in general as basically evil.
> 
> Yeah, I'm not sure about how I feel in using them for auto-spam
> confirmations. They are an absolute necessity for mailing lists though
> (as explained above).

Agreed.

-- 
----------------------------------------------------------------------
| sam -- Programmer I                                                |
| University of California, Davis : Hart Interdisciplinary Programs  |
| GPG Fingerprint: 4F08 E33E 92A2 EA88 CE75  75DC D84C 6046 0240 515F|
----------------------------------------------------------------------
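
Added example, not part of the original message or of any list software discussed in the thread: a sketch of the "temporary record of confirmation requests" safeguard, run over constructed sign-up data to show that a per-address cooldown caps mail to one user but not to many users at one site. The class name, parameters and the optional per-domain budget are assumptions introduced here; the thread itself proposes no per-domain limit.

```python
import time
from collections import defaultdict, deque

class ConfirmationThrottle:
    """Decide whether a subscription confirmation e-mail may be sent."""

    def __init__(self, address_cooldown=86400, domain_limit=None, domain_window=3600):
        self.address_cooldown = address_cooldown  # seconds between mails to one address
        self.domain_limit = domain_limit          # assumption: max mails per domain per window
        self.domain_window = domain_window
        self._last_sent = {}                      # address -> time of last confirmation
        self._domain_sent = defaultdict(deque)    # domain -> times of recent confirmations

    def allow(self, address, now=None):
        now = time.time() if now is None else now
        addr = address.strip().lower()            # treat case variants as one mailbox
        domain = addr.rpartition("@")[2]
        # Safeguard from the thread: do not re-send to the same address too soon.
        last = self._last_sent.get(addr)
        if last is not None and now - last < self.address_cooldown:
            return False
        # Optional extension: sliding-window budget shared by the whole domain.
        if self.domain_limit is not None:
            recent = self._domain_sent[domain]
            while recent and now - recent[0] >= self.domain_window:
                recent.popleft()
            if len(recent) >= self.domain_limit:
                return False
            recent.append(now)
        self._last_sent[addr] = now
        return True

def count_sent(throttle, requests):
    """Number of confirmation mails that would actually go out."""
    return sum(1 for ts, addr in requests if throttle.allow(addr, now=ts))

# Constructed sample: 50 list sign-ups submitted for one address, and the
# same 50 sign-ups submitted for each of 200 addresses at one firm.
ONE_USER = [(i, "victim@example.com") for i in range(50)]
ONE_FIRM = [(i, f"user{u}@example.com") for i in range(50) for u in range(200)]

if __name__ == "__main__":
    print(count_sent(ConfirmationThrottle(), ONE_USER))                 # per-address only
    print(count_sent(ConfirmationThrottle(), ONE_FIRM))                 # per-address only
    print(count_sent(ConfirmationThrottle(domain_limit=20), ONE_FIRM))  # with domain budget
```

A real deployment would also expire old entries from the record and would have to pick a domain budget that large mail providers' legitimate subscribers do not exhaust.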