Steve, if you can come up with a policy that is actually enforceable by any
application/combination of programming and technology, or one that is even
articulatable, and it represents something that I want to do, I'd go with
it. It would have to be based on a detectable sequence of actions, of
course, so that it could be programmed at all.

So far, all I've seen is that "someone signing up for a lot of lists might
be an address harvester".

I run lists on my site that relate to road-rallying, firearms, scuba
diving, western style shooting, science fiction, and Howard Stern. Is it
impossible that someone might discover my site and decide that they are
interested in these things? Heck, I'm interested in all of these things,
that is why the lists are here. It is not impossible that another
individual would be interested in many or all of these things?

I've actually found the conversation here very enlightening. So far, I
have been inspired to implement a web based confirmation engine - I've been
convinced that there are folks who simply can't send the mail required by
majordomo for confirmation, even though they might be able to start the
subscribe process. --- although they might be able to click on a URL.
I've patted myself on the back for having switched to MD5 auth codes from
Majordomo hashes. I've put something else on the list of things that
demime must do (decode QP subjects) and so forth.

But I'm still unsure as to when to decide that a person subscribing to a
lot of lists is an attack. Should I put a list up with a description that
says, "subscribe to this list to be barred from all other lists?" This
would be something that any human would notice but which an automated
attacker might not.

In my web subscription interface, I build a giant page that lists every
public list on my system. The user has already exchanged a confirmation
token by e-mail, and the subscription process that the user sees at that
point is as simple as checking a box and then confirming on the web. (Why
yes, I do use majordomo, but not majorcool). So I get a lot of people who
come for one list and then decide to try 3-4 more. Sometimes these are
users who have been using my system for years. Sometimes I get unsubs
after a day, sometimes not. I just do not think of multiple list subs as a
bad thing, unless the intention is misuse. And I don't think that the
"psychic board" is supported under Linux - they won't release the specs so
no one can write a driver.

I'm just throwing out an idea here. I don't think that there is a good
thing that we can do here, or if there is I don't understand it. In many
cases, I see this as something that only a human moderator can deal with -
at some point, use becomes misuse, and it takes a human to draw the line.
If you have a better idea, I'd love to hear it.

At 09:26 AM 10/15/99 -0500, Steve Bergeon wrote:
>Yeah it's simple, even simplistic. Also reactive and after the
>fact. You all would rather have your beepers go off and have
>to scramble around at whatever hour to close the barn doors
>after the fact rather than be proactive and enforce a policy
>by the use of technology? Isn't that like saying you would
>connect to the internet without a firewall and just yell at
>whoever violates your assumed policies?
>Maybe policy implementation is a foreign term for this list.
>Chris McEwen wrote:
>> Sure. I'll enforce the policy. You fool around on my system and I block
>> domain. That seems simple.

I'm going to change my name to 'Squawk' because that is what my parrots
Nick Simicich mailto:email@example.com or (last choice)
http://scifi.squawk.com/njs.html -- Stop by and Light Up The World!