On Tue, Apr 25, 2023 at 12:12:05AM +0200, Björn Persson wrote: > Kevin Fenzi wrote: > > On Sun, Apr 23, 2023 at 11:21:58PM +0200, Björn Persson wrote: > > > Kevin Fenzi wrote: > > > > We could probibly come up with some > > > > better way to start new topics/discussions > > > > > > Yes I think I can come up with a better way. Give each tag its own > > > email address, like a mailing list. That was very easy to come up with. > > > > I think you mean each category? > > I don't know Discourse but we're told that something called a tag is > roughly equivalent to a mailing list. I suppose categories could have > addresses too. I'm not sure I would say that... I guess there's no 100% equivalents here. categories are like "Project Discussion" or "Ask Fedora" and tags can be any number on any thread. ie, under "Project Discussion" there's a post about the new website fronpage revamp: https://discussion.fedoraproject.org/t/fedora-workstation-front-page-revamp-first-cut-looking-for-feedback/37169/160 that has tags "mindshare websites-and-apps-team design-team marketing-team" You can watch a category, or a tag or multiple tags. I guess it depends on the level of things you want to get. > > But you may want multiple tags on a post... > > Like Vít said, you can send to multiple addresses. That's how you > cross-post to multiple mailing lists. The Discourse server would then > read all the addresses and apply all of those tags and/or categories > to the post. > > When there are multiple recipient addresses in the same domain, a > well-behaved SMTP client is supposed to transmit a single copy of the > message in a single SMTP session with multiple RCPT commands. Thus the > Discourse server will receive only one copy. > > It is however possible that some badly written program might mishandle > such a message and send a separate copy to each recipient address. Each > copy would then still contain the whole list of addresses in the To and > CC fields. If the Discourse server would read the header fields and not > just the SMTP envelope, then the copies would appear as duplicate posts, > each with the full set of tags, not as separate posts with one tag each. > > If duplicates would turn out to be a great nuisance, then the Discourse > developers might want to add a deduplication feature. The Message-ID > field would be useful for discovering duplicates, but deduplication > should not be done based on the message ID alone. The full contents > should be compared to ensure that the messages really are identical, in > case some defective or malicious email client produces non-unique > message IDs. Sure, thats all possible. > As you can see, it doesn't take any great inventions to do this. The > email standards already contain the necessary features. They just need > to be implemented, if the Discourse developers are serious about > supporting interaction by email. well, as you well know, coming up with ideas on how things could work is often the easy part. :) I have no idea how willing they would be to work on this... but you can ask on https://meta.discourse.org/ > > > But that also doesn't solve the spam problem... anyone could send to > > those addresses, and indeed spammers will. ;( > > We're told that only sender addresses associated with a Fedora account > are allowed to send to the single global new-topic address. Obviously I don't think thats the case at all. Currently I think anyone can send, it just gets moderated. But I would defer to Matthew here... > that would apply to the tag (and category) addresses too. That's > analogous to reducing spam to mailing lists by accepting posts only > from subscribers. It's worth noting that if you get emails from discourse the reply-to is set to a hash so it knows who you are and what you are replying to so it can insert it in. > > In what scenario do tag-specific new-topic addresses result in a worse > spam problem than a single global new-topic address? Currently as far as I know if you send in, you need to either be using a reply-to that has the right hash or sending to the global email which will be moderated. If we unmoderated the global address it would be the same spam problem as new-topic ones would have (although that would help solve the topic problem). > > > But perhaps this could be useful with some other way to autenticate > > posts. > > I haven't seen spammers impersonate subscribers in the mailing lists. > The occasional spam that gets into the mailing lists seems to be done > by subscribing a disposable address and sending from that address. Usually yes. I have seen impersonations in the past. It doesn't seem to be as common anymore. > > If spammers would start putting in a legitimate user's address as sender > to get the spam into mailing lists or Discourse, then there's DKIM. I > have found DKIM by itself ineffective, as most of the spam is DKIM- > signed now, but DKIM combined with a requirement for a known sender > address should be sufficient authentication to stop spam. The spammer > would at least have to actually send from the same domain as the user > they impersonate. Perhaps. I don't know if discourse can implement some kind of incoming checks on emails. Matthew? > > For registered users whose email provider doesn't sign their messages > with DKIM, a verification message could be sent that they have to reply > to, like when signing up for a mailing list but repeated for every post > that isn't a reply. There's also OpenPGP/MIME. But I rather doubt that > such measures will be needed just to fight spam. Strong authentication > is for preventing more targeted attacks than spam. Yeah, thats another possible solution... just require a ack/confirm to post. That would stop a lot (but not all) spammers. Also throttling could be possible. Only X new posts from a address in Y time. Anyhow, we should probibly try and move this upstream and see if they are willing to work on any of this, or have other plans of their own. ;) Thanks for the constructive discussion! kevin
Attachment:
signature.asc
Description: PGP signature
_______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
