List-Managers: Re: Wow..I just saw it for myself - spam to confirmed list

List-Managers
(March 2003)

Indexed By Thread: [Previous] [Next]

Subject:	Re: Wow..I just saw it for myself - spam to confirmed list - hard
From:	Alvin Oga <alvin @ planet . fef . com>
Date:	Thu, 6 Mar 2003 22:39:58 -0800 (PST)
To:	inet-list @ vo . cnchost . com (JC Dill)
Cc:	list-managers @ greatcircle . com
In-reply-to:	<3E678854.3020607@vo.cnchost.com> from "JC Dill" at Mar 06, 2003 09:41:40 AM


hi ya

> JC Dill wrote:
> 
> David W. Tamkin wrote:
> > When Alvin Oga wrote,
> > 
> >>    - a good list manager sw will be able to defeat this
> >>    faked autoconfirmation from a supposed human confirmation
> > 
> > Jim Galvin asked,
> > 
> > | Would you please describe how one could detect that a message came from
> > | a human and not an autoresponder?
> > 
> > Perhaps to confirm one would have to follow some instructions other than just
> > replying.  (Such a requirement would lock out attempted subscriptions by
> > humans who won't read instructions, but that might be a good thing.)  For
> > example, autoresponders are likely to quote back (a) none of the received
> > text, (b) all of the received text, or (c) a certain amount from the top of
> > the received text.  So if the applicant is sent two confirmation codes and in
> > order to confirm has to return only the lower one without the upper one, a bot
> > is likely to fail.  Or if the confirmation code needs to be edited slightly --
> > say it is twelve characters long, and it has to be sent back with the first
> > five characters moved to the end -- a bot is likely to fail.
> > 
> > And of course, so are 98% of human applicants.

if the sw fails and bounces a human replying to their real subscription,
than the "anti-spambot" detection failed
	( i dont like false positives )

> Which makes it very odd that you would consider this "good list 
> management software".  If list management software could distinguish 
> between a reply-bot and a human, for it to be considered "good" it would 

i'd guess that most auto-responders will put in some headers ... :-)
	- pick a set of random autoreponder from say "info@someplace.com" 
	  and see what different headers it has

	( that is the assumption that you can use to reject confirmations
	( from auto-spambot subscriptions

> have to do it in a way that doesn't foil the normal human subscription 
> confirmation process.  IMHO, such a software product doesn't exist, 

yup.. no such thing yet

> because there is no way (via text email) to make the process both easy 
> for the human and difficult for a reply-bot.  That is why many large 
> free sites are using "type in the word you see in the graphic below" to 
> thwart subscribe-bots, but this technique doesn't work in a plain-text 
> email world.
> 
> Will this be the end for "plain text email for those with no web access" 
> mailing lists?

for business mailing lists...
	i'd deny all access from yahoo/hotmail/excite/etc..etc..

	- web based mails and perl scripts(?) to  to/from/subject headers
	are probably the worst spam offenders  ( too easy to do )

for personal mailing lists...
	i'd use a whitelist of subscribers... ;-)
	which is the list itself ... ( no auto-subscribes )

c ya
alvin

References:

Re: Wow..I just saw it for myself - spam to confirmed list
From: JC Dill <inet-list@vo.cnchost.com>

Indexed By Date	Previous:	Re: Wow..I just saw it for myself - spam to confirmed list From: "Tatum, Richard" <rich@ChristianityToday.com>
Indexed By Date	Next:	Re: Wow..I just saw it for myself - spam to confirmed list From: "Roger B.A. Klorese" <rogerk@queernet.org>
Indexed By Thread	Previous:	Re: Wow..I just saw it for myself - spam to confirmed list From: Charlie Summers <charlie@lofcom.com>
Indexed By Thread	Next:	Re: Wow..I just saw it for myself - spam to confirmed list From: Bob Bish <bobbish@earthlink.net>