EMBARRASSING TO THE LIST: Re: *WARNING* Your Email Account Will Be Closed

Marco Colombo marco at esi.it
Tue May 31 12:55:32 EDT 2005


On Tue, 2005-05-31 at 09:59 -0400, Joseph Brennan wrote:
> 
> --On Tuesday, May 31, 2005 11:47 AM +0200 Marco Colombo <marco at esi.it> 
> wrote:
> 
> > Server-side global content-based filtering is silly, unless of course
> > it's your (private) server. Users are expected to do their own
> > filtering, otherwise they're exposed anyway. Server-side filtering (on
> public servers) is just a false sense of security.
> 
> I strongly disagree.  Users just want spam to go away.  They do not want
> to configure filters.  They're not very good at it either: they usually
> just add the sender address to a blacklist, and that does almost nothing
> for them.  It's not a security issue.  It's annoyance reduction.

Configure? Manual blacklisting? What are you referring to?

I've been using both Evolution and Thunderbird, and both filter SPAM
(and thus most viruses of course) like a charm, and I've configured
nothing. All I have to do is to hit 'Junk' instead of 'Delete' (like I
used to do before having any filter) on spam. Once in a while, I quickly
look at the Junk folder, and very rarely recover a false positive. No
configuration needed at all.

Anyway it seems we have a different meaning for 'users'. If you mean
employees of a company, well for sure they'll get filters on their
(company) server. If you mean customers of an ISP, they may get
filtering as well (but I'd prefer marking, or storing to a special
folder, instead of silently dropping).

My point being: the purpose of the mailing list software is not to
provide a safe email service to 'customers' or 'employees'. That's
someone else's job. The software might place restrictions (on message
size, attachments, and so on) but it's only to enforce _list_ policies,
not end-user security (or comfort). For example, a list with 100,000
subscribers may sensibly avoid forwarding 10MB in a single message. But
that's another matter.

> If this list could possibly restrict posting to subscribers that
> would go a long way.  That is pretty routine for lists.

And pretty useless. Address forging can be easily automated. More than
1/2 of the spam I see on our servers already forges the sender domain. A
nice fraction of it learned how to forge our staff's address already, so
I got some forged messages telling me that _I_ have locked my own
account down, for example. 

As for it being 'routine', I'm currently subscribed to about 20 lists,
and only 2 of them are subscribers-only. Not surprisingly, both have
nothing to do with e-mail software.

IMHO, any list that aims at random users (info, bug reports, and so on),
should minimize the annoyance of posting a single message. It may be
different for -devel or SIGs lists, tho. 

.TM.
-- 
      ____/  ____/   /
     /      /       /                   Marco Colombo
    ___/  ___  /   /                  Technical Manager
   /          /   /                      ESI s.r.l.
 _____/ _____/  _/                      Colombo at ESI.it

---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html



