Keith Moore wrote:
>>>Will not the spammers soon learn to send their spams with
>>>one of these addresses as bogus sender?
>>>
>>You overestimate the spammers :-). Most probably have no idea what IETF
>>is or that they're spamming an IETF list.
>>
>
> I dunno. I've received several complaints from people who've received
> spam with my address in the From field. I don't know if I'm being
> singled out by a spammer (maybe he got angry at my "I support the death
> penalty for spammers" bumper sticker?), or if spammers are starting
> to forge addresses in general.
>
> But if history is any indication, spammers should not be underestimated.
> They have proven quite capable of learning how to circumvent various
> kinds of filtering.

We recently had a similar problem on the end2end-interest list, and a few
other lists I manage.

Regarding the above, one possibility is that any email address that
appears on a web page may, at any time, be used either as source or
destination by a spammer.

I considered some of the solutions the IETF is recommending, and rejected
the "closed list" requirement because we (and I believe many IETF mailing
lists) have too many members that have preferred delivery addresses that
aren't correlated to their source address.

What we are doing is:

- use procmail to filter mail
    using well-known weighted-keyword lists, it adds
    a "X-Possible-Reject:" header (when the weight is exceeded)
        mail with this header is then held in a spam file
        which is verified periodically by the moderator
        (errors are resent to the list and routed around procmail)

    using my own set of filters, it adds
    a "X-Holdforapproval:" header when indicated
        mail with this header is held in mailman...

- we use mailman for processing posts
    mail with "X-Holdforapproval:" is held

The reasons:

1) "closed list" (poster must be subscribed) is not viable
   for users with uncorrelated delivery and post addresses, and
   discourages non-member posts (which is restrictive for open
   dialogue, IMO).

2) procmail has more powerful filters than mailman (or most other
   maillist systems I've seen)

There are details to tying any two systems together; in this case, they
relate to userid/groupid coordination, /etc/aliases, etc.

As with any solution, this doesn't satisfy all subscribers. It does, IMO,

a) maximize convenience to posters
   (not requiring subscription to post, encouraging open dialogue)

b) minimize pain to subscribers
   (avoiding multiple subscriptions or
   post-from-subscribed-address problems)

c) minimize maintenance effort by the moderator
   (avoiding maintaining lists of alternate posters
   or approved posters)

This is not the only viable solution to this problem. I do disagree with
the IESG's policy on the following three items:

re #1) just because a post comes from a subscriber doesn't ensure
       it is not spam (assume 'spam' is a car advertisement, e.g.,
       not a quality assessment of a participant's post :-).

re #2) potential spam should be just that (as indicated), but
       one-day turnaround is too much work. posters should avoid
       using spam trigger words (e.g., this option needs viagra)

re #5) checking the list of known addresses needlessly endorses
       a single solution. as shown above, there are others, and
       it should be up to the list maintainer to decide what to use

Joe
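
The tag-and-hold flow described in the message above, sketched as an added example that is not part of the original post and is not the poster's procmail configuration. The keyword weights, the threshold, the queue names and the step that strips sender-supplied copies of the two headers are all assumptions made for illustration.

```python
from email import message_from_string
from email.message import Message

# Constructed weights and threshold (assumptions); a real list is far longer.
WEIGHTS = {"viagra": 60, "free": 20, "click here": 40, "guarantee": 30}
THRESHOLD = 100
LOCAL_HEADERS = ("X-Possible-Reject", "X-Holdforapproval")


def score(msg: Message) -> int:
    """Sum the weight of every listed keyword found in the subject or body."""
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = f"{msg.get('Subject', '')}\n{body}".lower()
    return sum(weight for word, weight in WEIGHTS.items() if word in text)


def tag(raw: str) -> Message:
    """Parse a message, drop sender-supplied copies of the local headers,
    and add X-Possible-Reject when the keyword weight is exceeded."""
    msg = message_from_string(raw)
    for name in LOCAL_HEADERS:
        del msg[name]  # only the local filters may set these (no error if absent)
    total = score(msg)
    if total > THRESHOLD:
        msg["X-Possible-Reject"] = f"weight {total} > {THRESHOLD}"
    return msg


def route(msg: Message) -> str:
    """Decide where a tagged message goes next (queue names are hypothetical)."""
    if "X-Possible-Reject" in msg:
        return "spam-file"      # reviewed periodically by the moderator
    if "X-Holdforapproval" in msg:
        return "mailman-hold"   # held in mailman for approval
    return "mailman-post"


# Constructed sample messages.
SPAM = ("From: a@example.com\nSubject: FREE viagra\n\n"
        "Click here, money-back guarantee.\n")
HAM = ("From: b@example.org\nSubject: TCP slow start\n"
       "X-Possible-Reject: forged by sender\n\n"
       "Is this option free of side effects?\n")

if __name__ == "__main__":
    for raw in (SPAM, HAM):
        tagged = tag(raw)
        print(score(tagged), route(tagged))
```

Because the decision is carried in a header, the hold queues should act only on headers written by the local filter, which is why the sketch deletes any inbound copy before scoring.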