HP3000-L Archives

June 1998, Week 4

HP3000-L@RAVEN.UTC.EDU

Subject:
From: "James B. Byrne" <[log in to unmask]>
Reply To: James B. Byrne
Date: Wed, 24 Jun 1998 15:23:03 -5

On 23 Jun 98, at 22:58, Nick Demos wrote:

> There is still a big loophole here in ANY Case, UNLESS there is
> a way to control who subscribes.  If I am a spammer who subscribes,
> I can get, in a short time, the email address of everybody on the list. I
> am sure I don't need to go into how this might be done.

This is true and also immaterial.  The vast majority of current UCE is
generated by web harvester programs that crawl the web, read html, and
extract strings that look like valid addresses.  This is why some of the
people here have strings like "nospam" in their e-mail addresses.  The
traffic that goes from this list to the USENET gets archived at places like
Deja-News along with the e-mail address that you used.

Web Harvester programs (Bulls Eye Gold for example) all have formatting
signatures that can be used by reasonable e-mail client software to filter
them at destination.  The originators of such crap also invariably route
their material off open SMTP relays using forged addresses. The only stuff
like this that gets through my filters now is material that is mindlessly
rebroadcast through a "trusted source" like a mailing list digest that I
subscribe to.

If all mailing lists had posting privileges limited to subscribers only, and if
all mailing lists required that a subscriber authenticate their e-mail
address; then automated UCE would be virtually eliminated from such
lists.  Current versions of LISTSERV, MAJORDOMO and LISTPROC all
have this functionality.  Is it really that inconvenient for people to have to
join a discussion list before posting to it?  Is it too much to ask that they
verify their address before being permitted to join?

Once all the automated stuff is blocked then the risk of a spammer
manually subscribing a real e-mail address to a list, confirming that
address, and then spamming from it is so remote as to be nonexistent.

The people that run these UCE programs go to some trouble to disguise
themselves and the origin of their traffic.  Exposing themselves to
detection and identification by using a real address just to hit one list is
not cost effective and is not a good risk.  Like a house having a good lock
and decent outside lighting prevents the majority of burglaries, automated
subscription authentication provides sufficient deterrent that these people
will pass on to reach an easier target.

The same comments go for list harvesters.  These are programs that
systematically hunt down, subscribe to, and extract the subscriber lists
from mailing lists.  They use a real address to subscribe and receive the
information that they seek and then use a dummy one to send out their
crap to the harvested addresses.  Again, forcing these programs to
authenticate a subscription request breaks them.  They don't have the
smarts for that and it isn't worthwhile for them to try and make such a
feature work.

UCE orcs / spammers are LAZY! They don't want to work for their bread
which is why they do what they do to begin with.  All a mailing list
manager has to do is make it a little difficult for them and they will go
away and bother someone else.

Regards,
Jim
---
James B. Byrne                Harte & Lyne Limited
vox: +1 905 561 1241          9 Brockley Drive
fax: +1 905 561 0757          Hamilton, Ontario
mailto:[log in to unmask]  Canada L8E 3C3
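
The two controls the message argues for, address confirmation before joining and subscriber-only posting, sketched as an added example; it is not part of the original post and not how LISTSERV, MAJORDOMO or LISTPROC implement them. The `ConfirmedList` class, the token format and the 48-hour window are assumptions.

```python
import hashlib
import hmac
import secrets
import time

SECRET = secrets.token_bytes(32)  # per-list server key (assumption)
TOKEN_TTL = 48 * 3600             # confirmation window in seconds (assumption)


def _norm(addr):
    return addr.strip().lower()


class ConfirmedList:
    """Hypothetical list manager: confirmed opt-in plus subscriber-only posting."""

    def __init__(self, secret=SECRET):
        self._secret = secret
        self.subscribers = set()

    def _mac(self, addr, issued):
        msg = f"{_norm(addr)}|{issued}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()

    def request_subscription(self, addr, now=None):
        """Return the token to be mailed to addr; nothing is subscribed yet."""
        issued = int(time.time() if now is None else now)
        return f"{issued}.{self._mac(addr, issued)}"

    def confirm(self, addr, token, now=None):
        """Subscribe addr only if the token mailed to that address comes back."""
        now = time.time() if now is None else now
        issued_s, _, mac = token.partition(".")
        if not (issued_s.isascii() and issued_s.isdigit()):
            return False
        issued = int(issued_s)
        if issued > now or now - issued > TOKEN_TTL:
            return False  # future-dated or expired request
        expected = self._mac(addr, issued)
        if not hmac.compare_digest(mac.encode(), expected.encode()):
            return False  # token was issued for a different address, or altered
        self.subscribers.add(_norm(addr))
        return True

    def accept_post(self, envelope_from):
        """Subscriber-only posting. This matches the address only; it does not
        authenticate the sender."""
        return _norm(envelope_from) in self.subscribers
```

Because the token is bound to the address it was mailed to, a subscription request only completes for someone who can read that mailbox.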
