| |
| |
| |
|
Comments:
<0> Hi. Is it possible to make qmail execute a program using .qmail without p***ing the incomming mail as argument? I only need to execute "command" whenever some new mail arrives. Is there any other way except from using .qmail?
<1> Hi. I've read somewhere that ezmlm can be configured to accept subscriptions by email only from a list admin/owner. I can't seem to find the way to do that in the ezmlm-make man page though. Any ideas?
<1> Found it: http://www.ezmlm.org/faq/FAQ-17.html
<1> Just had to figure out the right key words for Google.
<1> I wonder how feasible it would be to use cryptographic keys for authenticating with lists.
<1> I'm surprised we don't see more spam on mailing lists from spammers posing as list subscribers.
<1> All they have to know is the email address for one subscriber and that's it, they can reach thousands of legit email addresses in one shot.
<1> PKI auth would eliminate that risk, though I wonder what sort of server overhead it would impose.
<2> true, but that's more work than a spammer is willing to perform. It's even easier to 'dictionary' spam a botnet onto a domain
<1> It's only a matter of time. As we make it harder for spammers to spread their crap, they will work harder.
<1> e.g. we made it harder for thieves to steal cars by putting alarm systems and ignition systems that only accept keys with the right chip on them.
<1> What happened?
<1> The thieves started holding up people at gunpoint for their keys.
<1> .. carjacking
<1> Same idea. As long as the low hanging fruit is there, they'll pick it. Make it tougher, and they'll get a ladder to pick the higher fruit.
<2> Security is always about not being the lowest hanging fruit on the vine.
<2> just a fact. You don't need perfect security, just better than your neighbors
<1> Sure. I was thinking of PKI not just from the pov of preventing spam but also of identifying the sender so that we don't have to jump through as many hoops to verify email addresses and such.
<2> domain keys already try to do that sort of thing
<2> PKI is nice, but people just haven't bought into it
<1> That doesn't identify the individual sender.
<2> some mailing lists already do use strong authentication, with something like qmail and ezmlm it's trivial to add, all you need is a pre-filter that rejects unsigned messages right before the distribution stage
<1> You're right. The 'aha!" moment seems to happen when you show them how easy it is.
<2> I thought about putting one in on a list of mine, but I decided it wasn't worth it.
<2> For some lists where it has become a problem, notably one moderated list I'm on, you have to put a 'magic word' in the subject line to enable the moderators to sort the good from the bad
<1> Actually, you're talking about signed messages. I was talking about something else but that would work too.
<2> They automatically delete anything that doesn't have the 'p***word' in it.
<1> If the archives are public, it wouldn't take long for the "secret" to be discovered, but that's effort.
<2> You're talking about signed messages too, you are just differing in what you consider the 'message'.
<2> Exactly
<1> yes
<2> the 'secret' is well known and published, but spammers won't go to that effort.
<1> sure
<1> It's annoying to clutter subject lines though.
<1> I wonder if MUAs can add headers.
<2> And that's the point. You don't need cryptography to defeat spammers. (Only the moderators see the keyword, the simply drop it before reposting)
<2> Yep, they can.
<1> Ah.. it's a moderated list. I don't have any of those.
<2> Of course, anything sufficiently automated becomes a target for spammers.
<2> They take advantage of the automation just like we do.
<1> Mine are subscriber post only.
<1> If we get one piece of spam a year, it's a lot.
<2> But how many subscribers are there? 100? 1000? A spammer sends out millions per hour
<1> ~1000
<2> yeah, so a spammer couldn't care less
<1> So you're saying we're too small to care about?
<2> yep
<1> .. for them?
<1> So why do they go to so much effort to find my personal addresses then? :)
<2> they don't
<2> you're just harvested along with the rest.
<1> I suppose.
<2> Viruses mine harddrives for anything with an @ sign in it
<2> combine that with mail clients that 'automatically' save all email addresses that have been seen to enable easy replies (auto completion)
<1> That explains how email addresses that I've never published anywhere get discovered.
<2> and you have the fact that any computer that's ever handled an email you've sent becomes a vector by which your 'private' email address is exposed
<2> exactly
<1> I've obviously corresponded with others with them.
<2> And these viruses hit mail servers as well (i.e. windows)
<1> sure
<2> and so any intervening MTA and its logs are giving away tens of thousands of email addresses
<1> Are you using qmail btw?
<2> You can't control spam at the source, besides, one thing that spam has taught us is that spam isn't easy to define
<2> After all, one person's "spam" is another person's "valuable offer"
<2> The only meaningful difference is 'mail YOU' want versus 'mail YOU do not want'
<2> and that can only be handled on a per-user basis
<2> IMHO
<2> Any measure which doesn't produce an order of magnitude drop in spam volume is a waste of time.
<1> Nah.. at a minimum, I think we can agree that any sender that makes an effort to disguise the true nature of the message is sending spam.
<2> Not at all
<2> encrypted content is 'disguised'
<1> \/I/\GR/\
<2> what if I'm forwarding a particularly funny spam to a colleague?
<1> Yes, but spammers aren't sending me encrypted content.
<2> they're sending p***worded zip files
<2> and javascript encoded content
<1> Which I don't even se...
<1> see
<2> My point is that it's something you cannot differentiate at an MTA level
<1> true
<1> I'm not running any anti-spam measures at the moment.
<1> I was running Spam******in but was getting too many false positives.
<2> I run greylisting and it's the only thing I've found that's worthwhile at the MTA level
<2> because all it ensures is that the remote end is RFC compliant
<2> I also whitelist every known correspondent at a personal level
<2> http://www.paralipsis.org/2005/07/greylisting-some-good-some-bad
<1> I found that I was wading through the spam box anyway so why bother with the server load of running SA?
<1> Yeah, I've been reading about it.
<2> pretty much. Aything that isn't from a known-good sender, gets routed to a webmail service
<2> I then pull back whatever their spam filters don't catch via fetchmail and dump it into an imap box
<2> it's always spam (about 6/day), but that's out of the ~200 or so that are caught by it's spam filters.
<2> It's spam filters are sufficiently 'weak' enough, that it only catches the most eggregious spam
<2> but I still check the spam folder occasionally
<1> You use qmail?
<1> I'm using Postfix mostly but I just set up a Gentoo box running qmail.
<1> Everything but qmailadmin seems to work.
<1> I wish I could get qmailadmin going.
<1> Actually.. no. I can't fetch anything via POP either but I'm not worried about that right now.
<2> what's qmailadmin?
<1> qmailadmin - I can login, browse accounts I added from the shell, but I can't add new ones.
<1> Web control panel from inter7
<2> hm, never heard of it. Good luck though
<1> Seems like a permissions issue on the cgi.
<1> I'm getting an "internal server errror" when I try to save an account.
<1> I've seen that with wrong permissions before.
Return to
#qmail
or
Go to some related
logs:
dnsmasq ipv6 configuration
gentoo libtool: seems to be moved
ravencore and caching nameserver
error while loading shared libraries: libssl.so.0: cannot open shared object fil
xorg.conf xtest
Bareword SEEK_END
#kde
#centos
#linux
gmail atom C# 1.1
|
|