Tim wrote:
On Mon, 2006-01-23 at 16:26 -0800, Kenneth Porter wrote:
The page says that the challenge message preserves only the subject
line. How about injecting the subscriber ID into the subject line of
the monthly reminder emails? (I auto-file those to a separate
Administrivia folder.) That's the one regular message coming from the
list itself (i.e. not a subscriber) so the bounce goes back to the
list admin where it can be analyzed to remove the miscreants.

The mailman patch should be published so that other lists can benefit
from this. I googled the uol.com.br domain and see the problem
reported on a lot of other lists.

Other mailing lists that I've been on avoid this sort of thing by having
a double confirmation when you sign up: You sign up, get sent back a
confirmation e-mail, you reply back to confirm, and another message is
sent to you confirming all of that.

The process requires interaction from you for the confirmations to work,
and a bounce message from a stupid anti-spam system wouldn't confirm
you, so you wouldn't get any list mail (and, therefore, couldn't send
idiotic bounces back to the list one way or another).

This list already uses a confirmation step. Thus the twit must have
received the confirmation message somehow and been able to follow the
instructions in it. Since the culprit appears to be forwarding mail from
some other domain to uol.com.br, it's possible that he or she may be
receiving their mail at multiple addresses and managed to confirm from
an address not behind the challenge-response spam system.
Paul.
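
The subject-line tagging idea quoted above, as an added example that is not part of the original thread and is not Mailman code: each reminder carries a per-subscriber tag in its subject, so a challenge that keeps only the subject can still be traced to the subscription that triggered it. The addresses, the `[id:...]` format, the function names and the use of a truncated HMAC (so the subject does not expose the address) are all assumptions made for illustration.

```python
import hashlib
import hmac
import re
from email.message import EmailMessage

LIST_SECRET = b"constructed-demo-secret"  # assumption: key known only to the list admin
TAG_RE = re.compile(r"\[id:([0-9a-f]{12})\]")
ROSTER = ["alice@example.org", "bob@example.net", "carol@example.com"]  # constructed

def subscriber_tag(address):
    """Opaque tag for one subscriber: truncated HMAC-SHA256 of the address."""
    mac = hmac.new(LIST_SECRET, address.strip().lower().encode(), hashlib.sha256)
    return mac.hexdigest()[:12]

def build_reminder(subscriber):
    """Monthly reminder whose subject carries the subscriber's tag."""
    msg = EmailMessage()
    msg["From"] = "list-admin@lists.example.org"
    msg["To"] = subscriber
    msg["Subject"] = f"Monthly membership reminder [id:{subscriber_tag(subscriber)}]"
    msg.set_content("Your list membership details follow.")
    return msg

def make_challenge(original):
    """Constructed challenge-response reply: new sender, only the subject kept."""
    msg = EmailMessage()
    msg["From"] = "antispam@forward-target.example"
    msg["To"] = original["From"]
    msg["Subject"] = "Confirm your message: " + original["Subject"]
    msg.set_content("Click the link to have your mail delivered.")
    return msg

def identify_subscriber(challenge, roster):
    """Return the roster address whose tag appears in the subject, else None."""
    found = TAG_RE.search(challenge.get("Subject", ""))
    if found is None:
        return None
    for address in roster:
        if hmac.compare_digest(subscriber_tag(address), found.group(1)):
            return address
    return None

if __name__ == "__main__":
    challenge = make_challenge(build_reminder("bob@example.net"))
    print(challenge["From"], "->", identify_subscriber(challenge, ROSTER))
```

The lookup works even though the challenge arrives from an address that is not on the roster, which is the forwarding case discussed in the thread.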