administrivia

B5JMS Poster b5jms-owner at shekel.mcl.cs.columbia.edu
Mon Jun 1 20:34:53 EDT 1998


This is a message from the maintainer of B5JMS and B5JMS-DIGEST concerning
the possibility of spamming the B5JMS list.

The list processor software I use is Majordomo and it is currently
configured so *anyone* can issue the "who" command.  A couple of users
reminded me of the possibility that spammers might abuse this command and
then spam the subscribers of the list.  While I knew of that possibility for
some time, I never received any evidence that this had happened.  However,
I'd rather not wait for someone to spam all ~3800 subscribers of the B5JMS
lists.  Therefore, I am considering restricting the B5JMS lists so that no
one may get a complete listing of all users.

The impact of this would be small.  The only reason I left the "who" command
unrestricted was for subscribers to find out under what old email address
they may have subscribed so they could unsubscribe from it.  This was
important since some mail servers used around the Internet modify the email
address users use, or go through various mail exchangers --- resulting in a
different email used to subscribe users than what the users know.  To help
users unsubscribe, the idea was that they would issue the "who" command, get
a full listing of all subscribers, and search through it for their exact
email address.  This was more useful when the list was smaller, but now that
it is larger, the full listing is 80 kilobytes in size!

When I set up the B5JMS home page a while back, I included a search form for
users to look for their email addresses.  The form prompts the users for a
small substring that must be at least 3 letters long, and lists all email
addresses that contain this substring.  It is meant as a simple and faster
way to search for one's old email address to unsubscribe from.  Given that
it forces you to provide a substring that is at least 3 letters long, it
reduces the chances of mass spamming.

What I'd like to do is turn off the Majordomo "who" command and just leave
in place the B5JMS Home Page search engine for locating email addresses.
The only negative impact would be that users without WWW access who do not
know what email address they subscribed with would not be able to use the
"who" command to get a full subscribership listing.  I think it is a small
price to pay as compared to the risk of having the full list spammed.  Note
that even if I put this restriction in place, it won't completely eliminate
the chance of spamming; nothing would stop a sufficiently determined
spammer.  But it would make their life more difficult.

So, if you have any strong feeling for or against my suggestion, please let
me know.  Unless I get many objections to restricting the "who" command, I
will do so in a few days.

B5JMS Poster.
Maintainer, B5JMS and B5JMS-DIGEST lists.
Email: b5jms-owner at majordomo.cs.columbia.edu
WWW:   http://www.cs.columbia.edu/~ezk/b5jms/
-***
-*** B5JMS SUBSCRIBERS: Replies to messages go to the list maintainer,
-*** <b5jms-owner at cs.columbia.edu>.  If you want to reply elsewhere, adjust
-*** the "To" field.  See http://www.cs.columbia.edu/~ezk/b5jms/ for all
-*** other information about this list.


