lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <Pine.LNX.4.64.0609070915580.31500@turbotaz.ourhouse>
Date:	Thu, 7 Sep 2006 09:27:11 -0500 (CDT)
From:	Chase Venters <chase.venters@...entec.com>
To:	Stuart MacDonald <stuartm@...necttech.com>
cc:	'Chase Venters' <chase.venters@...entec.com>,
	'Krzysztof Halasa' <khc@...waw.pl>, ellis@...nics.net,
	'Willy Tarreau' <w@....eu>, linux-kernel@...r.kernel.org
Subject: RE: bogofilter ate 3/5

On Thu, 7 Sep 2006, Stuart MacDonald wrote:

> From: On Behalf Of Chase Venters
>> You can check the From: or envelope sender against the subscriber
>> database. Forgery isn't a concern because we're not trying to stop
>> forgery with this method. Subscribers subscribing one address
>
> Forgery is always a concern...
>
>> The perl script behaves as an optional autoresponder.
>> Autoresponders would
>> respond to spam as well (well, unless you put a spam filter
>> in front of
>> them, but I assume that many don't).
>
> ..because autoresponders are always replying to forged addresses:
> http://www.spamcop.net/fom-serve/cache/329.html
>
>> Also note that a number of people (myself included, at work
>> anyway) have
>> perl scripts that respond to all incoming mail and require a
>> reply cookie from original
>> envelope senders. We do it because it almost entirely
>> prevents spam from
>> arriving in our inboxes (I say almost because there is the occasional
>
> Autoresponder by another name, see above URL.

I should also point out that common and regular mailing list software 
already often behaves as an autoresponder, and it is completely 
reasonable! Suppose that you send a message to a mailing list that is 
subscriber-only. What usually happens? You get mail back saying that your 
message has been queued for moderator review!

Naturally, such a system suffers from the same problems described by 
the Spamcop page you linked. But it is unreasonable to ask list managers 
not to respond to unknown traffic, because sending a message to a list and 
having it silently disappear is unacceptable.

Now, I'm sure there are some people that don't run mailing lists that 
would love to call this behavior 'bad'. But there are also people who 
would like to rewrite the rules for Internet mail (see: SPF and the 
problem with mail forwarders, and their so-called 'solution'). Since 
Internet mail was designed in a vacuum where these modern problems don't 
exist, we're all forced to work around them in unusual ways. I find it 
highly ironic that spam blocker services tell you not to use certain 
techniques (autoresponders, bounce messages) that are not only 
commonplace, but precedented and even mandated by RFC on the grounds that 
they may cause you to be blocked. Then they move on to criticize anti-spam 
techniques that fall in these domains with one of their subpoints saying 
'they can cause you to miss legitimate mail!'

Guess what: so does indiscriminately blocking people whose sites don't bow 
down to your unreasonable demands, especially when their behavior (say, 
sending bounce messages) is described in the official protocol 
documentation.

Taking away auto-responders is like taking away hair gel from airline 
passengers: a gross overreaction that diminishes the quality of service 
for everyone.

> ..Stu
>

Thanks,
Chase
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ