From mboxrd@z Thu Jan  1 00:00:00 1970
X-Msuck: nntp://news.gmane.io/gmane.emacs.gnus.general/45903
Path: main.gmane.org!not-for-mail
From: Scott A Crosby <scrosby@cs.rice.edu>
Newsgroups: gmane.emacs.gnus.general
Subject: Re: new spam functionality added
Date: 31 Jul 2002 16:07:23 -0500
Organization: Rice University
Sender: owner-ding@hpc.uh.edu
Message-ID: <oyd8z3r4nec.fsf@sam.cs.rice.edu>
References: <m3lm7rya31.fsf@onyx.nimbus.northernlight.com>
	<oydy9br1xnb.fsf@sam.cs.rice.edu>
	<ilu3ctz8xja.fsf@latte.josefsson.org>
	<87y9brejam.fsf@mail.paradoxical.net>
	<oydu1mf4oxi.fsf@sam.cs.rice.edu>
	<873ctztyth.fsf@mail.paradoxical.net>
NNTP-Posting-Host: localhost.gmane.org
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Trace: main.gmane.org 1028149703 5470 127.0.0.1 (31 Jul 2002 21:08:23 GMT)
X-Complaints-To: usenet@main.gmane.org
NNTP-Posting-Date: Wed, 31 Jul 2002 21:08:23 +0000 (UTC)
Return-path: <owner-ding@hpc.uh.edu>
Original-Received: from malifon.math.uh.edu ([129.7.128.13])
	by main.gmane.org with esmtp (Exim 3.33 #1 (Debian))
	id 17a0hh-0001Py-00
	for <ding-account@gmane.org>; Wed, 31 Jul 2002 23:08:21 +0200
Original-Received: from sina.hpc.uh.edu ([129.7.128.10] ident=lists)
	by malifon.math.uh.edu with esmtp (Exim 3.20 #1)
	id 17a0hA-0007YX-00; Wed, 31 Jul 2002 16:07:48 -0500
Original-Received: by sina.hpc.uh.edu (TLB v0.09a (1.20 tibbs 1996/10/09 22:03:07)); Wed, 31 Jul 2002 16:08:14 -0500 (CDT)
Original-Received: from sclp3.sclp.com (qmailr@sclp3.sclp.com [209.196.61.66])
	by sina.hpc.uh.edu (8.9.3/8.9.3) with SMTP id QAA09462
	for <ding@hpc.uh.edu>; Wed, 31 Jul 2002 16:07:59 -0500 (CDT)
Original-Received: (qmail 16307 invoked by alias); 31 Jul 2002 21:07:25 -0000
Original-Received: (qmail 16302 invoked from network); 31 Jul 2002 21:07:25 -0000
Original-Received: from cs.rice.edu (128.42.1.30)
  by gnus.org with SMTP; 31 Jul 2002 21:07:25 -0000
Original-Received: from localhost (localhost [127.0.0.1])
	by cs.rice.edu (Postfix) with ESMTP id 0A53B4AA0A
	for <ding@gnus.org>; Wed, 31 Jul 2002 16:07:25 -0500 (CDT)
Original-Received: from sam.cs.rice.edu (sam.cs.rice.edu [128.42.3.145])
	by cs.rice.edu (Postfix) with ESMTP id F38DF4AA09
	for <ding@gnus.org>; Wed, 31 Jul 2002 16:07:23 -0500 (CDT)
Original-Received: by sam.cs.rice.edu (Postfix, from userid 14314)
	id B3E3B740DC; Wed, 31 Jul 2002 16:07:23 -0500 (CDT)
Original-To: ding@gnus.org
In-Reply-To: <873ctztyth.fsf@mail.paradoxical.net>
Original-Lines: 112
User-Agent: Gnus/5.0808 (Gnus v5.8.8) XEmacs/21.4 (Common Lisp)
X-Virus-Scanned: by AMaViS snapshot-20020300
Precedence: list
X-Majordomo: 1.94.jlt7
Xref: main.gmane.org gmane.emacs.gnus.general:45903
X-Report-Spam: http://spam.gmane.org/gmane.emacs.gnus.general:45903

On Wed, 31 Jul 2002 16:41:30 -0400, Josh Huber <huber+dated+1028579883.ab0915@alum.wpi.edu> writes:

> Scott A Crosby <scrosby@cs.rice.edu> writes:
> 
> > Please don't.. TMDA is tragedy of the commons. It only helps one
> > person by putting extra work and effort upon everyone else. If
> > everyone used it, things will turn to crap.
> 
> I disagree.  With all of TMDA's facilities for tagging messages which
> expire, keyword addresses and sender addresses most people don't even
> know you're using it. (apart from a funny looking dated email
> address).
> 
> In practice, over the past 2 weeks the only messages which have
> appeared in my pending queue have been spams.  It's worked 100%, with
> 0 false positives.  I used an initial seed whitelist based on my
> outbox and a few other sources, and it's been working quite well.

Because its tragedy of the commons, I bitbucket any TMDA user. (and if
I start getting too many of em, I'll make a public blacklist of em.)

> 
> What don't you like about it?
> 

Well, Jack Twilly phrased one of my problems most elegantly. :) TMDA
''works'' by pushing work onto everyone else.. You know, tragedy of
the commons.

Here's a post I did a while ago on why I don't like it, or any other
scheme requiring autoreply-crap for communication.

++
   No.. Think of it carefully.. TMDA works by polluting everyone
   else. By forcing everyone else you contact to do extra work. This
   is tragedy of the commons.

   Imagine a world where everyone uses it (or something similar), but,
   say, 10% have it misconfigured. This is a world with mailing lists.

   Mailing list maintance functions (including initial requests to
   subscribe, or confirmation requests from web-maintance.) either get
   accepted automatically, (direct route for spam!), or force the
   mailing list admin to deal with the automated 'please reply to me'
   messages.. Which they'll ignore, then they'll still get users
   asking why email subscriptions don't work.

   Mailing list messages... Post to a mailing list the first time and
   potentially get tens, hundreds, even thousands of 'please reply to
   me' messages. Hey, they only take a second each to deal with!

   Now, imagine there's a daemon that autoreplies to such 'please
   reply to me' messages.. Well, just forge the spam to appear to come
   from a legitimate user, and guess what, the bounces go to them, and
   their client helpfully 'authenticates' the spam.. (The daemon can't
   be configured to record every email sent and only autoreply to
   autoreplies to emails the user actually sent. Many times people
   will use many systems and email servers, but only one email
   address.)

   For more fun, you may even get mail loops of 'please reply to me'
   messages.

   Now, in the above examples, you can eliminate this undesireable
   behavior by automatically accepting, unchecked, mailing list
   maintance messages, or autoreply messages, or a blanket opening for
   mailing list messages... However, spam can be easily forged to
   appear to be a maintance message or an autoreply message.

   Under the assumption that there *will* be misconfigured clients,
   they'll have to deal with mailing lists that they don't know
   about. either by spamming posters to the list (unacceptable), or
   filtering them out into a seperate folder that the user will have
   to manually check.

   In all cases, if the 'please reply to me' messages are mechanically
   replyable, then a daemon will be created to deal with that trash
   automatically, and most users will use it. (So, spammers can forge
   their email to come from almost any user, and the daemon of the
   forged address will reply.) Or, those messages can be used to
   indicate that an email address is live. (Send a message to someone
   using TMDA, confirm that they use TMDA, now you know you can forge
   spam from that address and their daemon will authenticate it for
   you for free!)

   Of course the other option here is to spam from legitimate hosts
   that have been cracked by today's IIS/outlook worm. (Or one of the
   30,000 *STILL* infected code-red machines.) The cracked systems run
   email servers and reply automatically.

   Now, if the 'please reply to me' messages are NOT mechanically
   replyable, then we've saturated the internet with an even larger
   amount of trash and mail pollution that has to be dealt with on a
   message-by-message basis. (As per the above scenario's.)

   In any case. TMDA is not a solution, its a problem.

   TMDA and any other scheme that requires such automated response to
   all sent emails is tragedy of the commons. There's no better
   example. It superficially helps the user, to the detriment of
   everyone else. Ergo, it will proliferate and everyone will be even
   worse off.

++


> Well, it's archived on nntp+quimby.gnus.org:gnus.ding, which is where
> I read/post.

Thanks!

Scott