[MUD-Dev] ADMIN: List configuration changes

J C Lawrence claw at kanga.nu
Wed Jul 31 13:18:21 CEST 2002 

Writing as list owner:

  Some of you have recently started receiving requests to confirm posts
  you've sent to MUD-Dev and may have been surprised by that.  This
  message is intended to discuss various changes I've recently (last
  night) made in the setups for MUD-Dev, their impact, and the reasoning
  behind them.

  In an effort to control SPAM and virus email sent to MUD-Dev, as well
  as the torrent of such mail sent to mud-dev-owner and mud-dev-admin,
  I've installed am extra filtering system in front of MUD-Dev.  The
  details were recently (briefly) discussed on Meta:

    http://www.kanga.nu/archives/Meta-L/2002Q3/msg00005.php
    http://www.kanga.nu/archives/Meta-L/2002Q3/msg00013.php

  Those interested in the background reasoning of the system as well as
  the forces driving its adoption may wish to see:

    http://mail.python.org/pipermail-21/mailman-developers/2002-July/012710.html

  Or for the cursory How-To I wrote on how I built the system:

    http://mail.python.org/pipermail-21/mailman-developers/2002-July/012700.html

  What does this mean for you in practice?  

    Loosely it means that if you send a message to MUD-Dev from an
    address which isn't listed as a subscriber you'll receive an email
    message asking you to confirm that you really did send it, and meant
    to send that message.  The confirmation request will look something
    like:

          From: List Filter System <mud-dev at kanga.nu>
          To: you at your.address
          Subject: Please confirm your message for final delivery
          Date: Wednesday, July 31, 2002 2:41 PM
          Reply-To: mud-dev+confirm+1028149476.13450.a0b07b at kanga.nu
    
          THIS IS AN AUTOMATED MESSAGE FROM A MACHINE.
    
          Your e-mail message with the subject of "Message subject here"
          is being held because your address was not recognized by the
          mail filtering system at kanga.nu.
    
          To release your message for delivery, please send a message to
          the following address, or use your mailer's "Reply" feature.
    
            mud-dev+confirm+1028149476.13450.a0b07b at kanga.nu
    
          You don't need to to anything other than reply to this message
          to have your original message delivered. This confirmation
          process verifies that your message is legitimate and not
          junk-mail.
    
          Thank you for your patience and assistance in helping keep the
          mailing list systems at Kanga.Nu SPAM free.

    Just reply to the confirm message and your message will be passed
    forward to the list and your address will be added to the whitelist
    so that future messages from you at that address are not held.

      Note: Don't worry if the exact text of the message you receive is
      different.  I'm rewriting it now to be a bit more friendly.

  How:

    All this was done by inserting a system called TMDA
    (http://www.tmda.net) in front of MUD-Dev.  TMDA is what is known as
    a "whitelist system".  A whitelist system is an automated system of
    building lists of known-good or known-bad email addresses, and then
    filtering mail on the basis of those lists.  The extra value that
    TMDA adds in particular is its system of building and maintaining
    those lists of addresses.

  Implementation details:

    All mail send to any of the list related addresses (list itself,
    -owner and -admin) at Kanga.Nu now passes through a TMDA filter
    system and:
  
      a) If the address you sent from is listed as a subscriber your
      message will go straight through to the list or -owner or -admin
      addresses as if TMDA were not there.  If the list is moderated
      your message will then be held for moderator review, otherwise it
      should be broadcast immediately.
  
      b) If your address is blacklisted (should never happen to a valid
      poster) your message will be bounced (and you'll receive a message
      telling you so).
  
      c) Mail from whitelisted addresses is passed through to the list
      or -owner or -admin addresses.
  
      d) All other mail is held by TMDA.
  
    TMDA then provides a confirmation system for held mail by sending a
    message back to the address that sent the held message, requesting
    confirmation that the poster not only exists, but really meant to send
    that message.  The confirmation message contains both instructions on
    how to confirm, and a copy of the original message.
  
      If the original sender follows the instructions in the
      confirmation request the held message will be sent straight
      through to the list or -owner or -admin addresses as if TMDA had
      never intercepted it.  Further, TMDA will add that address to its
      whitelist so that future email from that address will pass
      straight through TMDA and not be held.  In this manner
      non-subscribers can post to the list without having to subscribe a
      NoMail account or putting more load on the list moderator.
  
      If the original sender doesn't confirm his message TMDA will hold it
      for a while awaiting confirmation before silently deleting it.  As
      SPAMers almost universally don't run proper mail systems they never
      receive the confirmation requests from TMDA and so never confirm and
      thus their messages never get to the list, -owner, or -admin.  While
      it is possible that the very few SPAMmers who do run proper mail
      systems could build systems that can confirm TMDA requests (I
      haven't heard of even one yet that does), their population is so
      low, and they are so easily detected, that the effort of manually
      blacklisting them is not large.
  
        Should SPAMmers get the hang of TMDA, TMDA can trivially change
        its confirmation process to be less and less automatable --
        essentially making the confirmation process more and more of a
        Turing test.  Happily, that's not necessary yet.  The current TMDA
        method of, "Just reply to this message to confirm," works well for
        now.
  
  Summary:

    The end result is that subscription and posting rights for
    TMDA-fronted lists have effectively been separated.  You now
    subscribe to a list to receive mail from the list (and establish an
    initial address from which you can post to the list).  You simply
    send mail to the list (and confirm each email address) to be able to
    send messages to a list.  Asides from establishing a default allowed
    address to post from, subscribing to a list no longer has a relation
    to being able to post to a list.

  In less than a day's operation it has already trapped 23 SPAM and
  6 virus emails.  Even more pleasantly from my end, there hasn't
  been a single non-MUD-Dev message in the queue in that time.
  Moderation is now back to what it should be: working on list
  messages, not dealing with offers to trash my machine or give me
  blimp sized mammaries and a Nigerian investment scheme.

--
J C Lawrence                
---------(*)                Satan, oscillate my metallic sonatas. 
claw at kanga.nu               He lived as a devil, eh?		  
http://www.kanga.nu/~claw/  Evil is a name of a foeman, as I live.


_______________________________________________
MUD-Dev mailing list
MUD-Dev at kanga.nu
https://www.kanga.nu/lists/listinfo/mud-dev

More information about the mud-dev-archive mailing list