Keith Moore wrote:
> > > Will not the spammers soon learn to send their spams with
> > > one of these addresses as bogus sender?
> >
> > You overestimate the spammers :-). Most probably have no idea what IETF
> > is or that they're spamming an IETF list.
>
> I dunno. I've received several complaints from people who've received
> spam with my address in the From field. I don't know if I'm being
> singled out by a spammer (maybe he got angry at my "I support the death
> penalty for spammers" bumper sticker?), or if spammers are starting
> to forge addresses in general.
>
> But if history is any indication, spammers should not be underestimated.
> They have proven quite capable of learning how to circumvent various
> kinds of filtering.

We recently had a similar problem on the end2end-interest list, and a
few other lists I manage.
Regarding the above, one possibility is that any email address that
appears on a web page may, at any time, be used either as source or
destination by a spammer.
I considered some of the solutions the IETF is recommending, and
rejected the "closed list" requirement because we (and I believe many
IETF mailing lists) have too many members that have preferred delivery
addresses that aren't correlated to their source address.
What we are doing is:

- use procmail to filter mail

    using well-known weighted-keyword lists, it
    adds a "X-Possible-Reject:" header (when the
    weight is exceeded)

        mail with this header is then held
        in a spam file which is verified
        periodically by the moderator
        (errors are resent to the list
        and routed around procmail)

    using my own set of filters, it adds a
    "X-Holdforapproval:" header when indicated

        mail with this header is held in
        mailman...

- we use mailman for processing posts

    mail with "X-Holdforapproval:" is held

The reasons:
1) "closed list" (poster must be subscribed) is not
viable for users with uncorrelated delivery and post
addresses, and discourages non-member posts (which is
restrictive for open dialogue, IMO).
2) procmail has more powerful filters than mailman
(or most other maillist systems I've seen)
There are details to tying any two systems together; in this case, they
relate to userid/groupid coordination, /etc/aliases, etc.
As with any solution, this doesn't satisfy all subscribers. It does, IMO,
a) maximize convenience to posters
(not requiring subscription to post,
encouraging open dialogue)
b) minimize pain to subscribers
(avoiding multiple subscriptions or
post-from-subscribed-address problems)
c) minimize maintenance effort by the moderator
(avoiding maintaining lists of alternate
posters or approved posters)
This is not the only viable solution to this problem. I do disagree with
the IESG's policy on the following three items:
re #1) just because a post comes from a subscriber
doesn't ensure it is not spam (assume 'spam' is a
car advertisement, e.g., not a quality assessment
of a participant's post :-).
re #2) potential spam should be just that (as indicated), but
one-day turnaround is too much work. posters should avoid
using spam trigger words (e.g., this option needs viagra)
re #5) checking the list of known addresses needlessly
endorses a single solution. as shown above, there are others,
and it should be up to the list maintainer to decide what
to use
Joe
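
The weighted-keyword step described in the message above, modelled as an added Python example (it is not Joe's procmail recipes, which the post does not include). The keyword weights, the threshold, the sample posts and the choice to discard a sender-supplied copy of the header are all assumptions made for illustration.

```python
import re
from email import message_from_string

# Constructed weights and threshold: the post does not publish its keyword list.
WEIGHTS = {r"\bviagra\b": 60, r"\bfree money\b": 50, r"\bact now\b": 40}
THRESHOLD = 100
HEADER = "X-Possible-Reject"

def text_of(msg):
    """Subject plus every text/* part, lower-cased for matching."""
    chunks = [msg.get("Subject", "")]
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            data = part.get_payload(decode=True) or b""
            chunks.append(data.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks).lower()

def score(msg):
    """Total weight: each keyword counts once per occurrence."""
    text = text_of(msg)
    return sum(w * len(re.findall(p, text)) for p, w in WEIGHTS.items())

def filter_post(raw):
    """Return ("hold" or "list", message), mirroring the tag-then-hold flow."""
    msg = message_from_string(raw)
    del msg[HEADER]            # assumption: ignore any copy the sender supplied
    total = score(msg)
    if total > THRESHOLD:      # "when the weight is exceeded"
        msg[HEADER] = f"score={total} threshold={THRESHOLD}"
        return "hold", msg     # goes to the file the moderator reviews
    return "list", msg

# Constructed sample posts.
SPAM = ("From: a@example.com\nSubject: Free money\n\n"
        "Act now for free money and viagra. Act now!\n")
ON_TOPIC = ("From: b@example.org\nSubject: option codes\n"
            "X-Possible-Reject: forged\n\n"
            "This option needs viagra, as the joke goes.\n")

if __name__ == "__main__":
    for raw in (SPAM, ON_TOPIC):
        decision, msg = filter_post(raw)
        print(decision, "|", msg["Subject"], "|", msg[HEADER])
```

With these constructed weights a single trigger word stays under the threshold and is delivered, while repeated hits push a message into the moderator's hold file.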