| Author | Message |
| 25 new of 149 responses total. |
keesan
|
|
response 2 of 149:
|
Jan 2 16:44 UTC 2006 |
What size throttle? Is there any need for grexers to send more than 50 copies
of the same mail at once?
|
aruba
|
|
response 3 of 149:
|
Jan 2 18:12 UTC 2006 |
I liked the idea of implementing an ascii CAPTCHA test in newuser, to keep
spammers from creating accounts automatically. That would at least slow
them down, I think.
|
krj
|
|
response 4 of 149:
|
Jan 2 18:28 UTC 2006 |
I would like to suggest a more radical approach,
to bring Grex's email service to a graceful end.
Email is not a core part of Grex's mission, it's just something
that happened along the way. And free e-mail is available from an
awful lot of providers now. There are lots of ideas for programming
and configuration changes which could allow Grex to continue providing
email service, but all of these require staff time resources; the
last year or so has pretty well demonstrated that Grex doesn't have
staff time resources for that sort of development.
(I use Grex as my principal non-work e-mail address.)
|
nharmon
|
|
response 5 of 149:
|
Jan 2 19:54 UTC 2006 |
I think it is important for Grex, as an organization, to be a good
netizen. And having spam come from us is a perfect way to spoil our
reputation. I'm with Ken, I do not think providing e-mail is an
efficient use of staff resources.
When m-net turned off their e-mail, we laughed. Now we're beginning to
see the wisdom of that decision.
|
keesan
|
|
response 6 of 149:
|
Jan 2 22:06 UTC 2006 |
I email other grexers from within grex and would really really hate to be
forced to use webmail to do it. Sometimes I am trying to teach them to use
'talk', and it helps to write emails about this. I prefer dealing with the
spammers some other way than punishing the rest of us.
|
naftee
|
|
response 7 of 149:
|
Jan 3 01:24 UTC 2006 |
resp:1 looks like poetry
|
chimda25
|
|
response 8 of 149:
|
Jan 3 03:22 UTC 2006 |
hic hic hello
|
sholmes
|
|
response 9 of 149:
|
Jan 3 03:51 UTC 2006 |
Guess only to/from grex mail can be allowed!
|
bhoward
|
|
response 10 of 149:
|
Jan 3 04:48 UTC 2006 |
Hmm. How about for 48 hours, you are limited to local mail. After 48
hours, you gain the right to run a program which asks you to type in an
ascii CAPTCHA, which if answered correctly places you into a group that
is allowed full email privileges?
Implementing this should be relatively easy.
|
steve
|
|
response 11 of 149:
|
Jan 3 04:55 UTC 2006 |
I'm not in favor of removing mail from Grex if we can help it,
as mail is still the best communications system there is. If we
can't control the spammers however, we may have to stop it. That
would be really horrid though.
In terms of a throttle on the number of emails, I'm not sure.
I know most people send less than 20 emails a day, judging from
a time when I went over the logs of several days. We should be
able to change that throttle as needed.
|
cross
|
|
response 12 of 149:
|
Jan 3 05:09 UTC 2006 |
I'd favor having the ASCII CAPTCHA in newuser itself. I've been toying
with the idea of a newuser rewrite in either Perl or Python....
|
aruba
|
|
response 13 of 149:
|
Jan 3 06:02 UTC 2006 |
Bruce's description in #10 sounds good to me.
|
keesan
|
|
response 14 of 149:
|
Jan 3 14:02 UTC 2006 |
What is a CAPTCHA?
|
jep
|
|
response 15 of 149:
|
Jan 3 15:07 UTC 2006 |
Some sites use a graphic image of a sequence of letters and/or
numbers. They're somewhat difficult to read, intentionally so, in
order to be very hard for a program to read. You have to identify the
sequence of characters and then type them in, which authenticates you
as a human being. Other free e-mail systems use them to prevent
computer systems from automatically creating e-mail accounts to use
for spam.
Someone (bhoward?) had the idea of using ASCII art -- for example,
figlet fonts -- on Grex in the same way. Computers would have a hard
time identifying such characters, so only human beings would be able to
run newuser to create an outbound e-mail account.
Does that explain the concept, Sindi?
|
keesan
|
|
response 16 of 149:
|
Jan 3 16:09 UTC 2006 |
So how will that stop or even slow down a spammer who already knows about grex
and has a graphical browser?
|
mcnally
|
|
response 17 of 149:
|
Jan 3 16:11 UTC 2006 |
It will make it very difficult for them to automate their procedure for
creating multiple accounts.
|
cross
|
|
response 18 of 149:
|
Jan 3 17:02 UTC 2006 |
(At which point they'd probably give up and go somewhere else that's easier.)
|
tod
|
|
response 19 of 149:
|
Jan 3 18:11 UTC 2006 |
How about a throttle on outbound mail which limits users to 5 per day?
|
keesan
|
|
response 20 of 149:
|
Jan 3 19:56 UTC 2006 |
Why does a spammer need multiple accounts if we don't have any limit on number
of outgoing mails per day?
Five per day is too low for normal users. I get about 10 a day here and
answer them all. Make it 25 at least.
|
tod
|
|
response 21 of 149:
|
Jan 3 22:45 UTC 2006 |
It's just an arbitrary number but does the idea of a cap on number per day seem
reasonable?
|
cross
|
|
response 22 of 149:
|
Jan 4 01:54 UTC 2006 |
I wonder how to implement it. You'd have to maintain some sort of hash and
`expire' data from it every day. That would be easy to implement, but I've
found that things like that tend to be fragile: I like to minimize moving
parts, if I can. That's why I'd prefer something that just relied on groups
or something like that.
|
ric
|
|
response 23 of 149:
|
Jan 4 14:34 UTC 2006 |
It's very difficult to control email on a system in which users can pipe
things to sendmail. We're not talking about joe schmoe using elm to send
50,000 emails. Presumably, direct queue injection via the sendmail binary
- or possibly SMTP from localhost via a perl script.
<ric goes to test something>
|
ric
|
|
response 24 of 149:
|
Jan 4 14:39 UTC 2006 |
Grex does accept SMTP from localhost... I presume there are mail clients
(PINE?) that use SMTP rather than direct queue injection via sendmail...
|
cross
|
|
response 25 of 149:
|
Jan 4 15:17 UTC 2006 |
You can control access to the SMTP port on the localhost interface using
PF. Access to the sendmail binary can be controlled via group membership,
as I outlined in some post somewhere.
|
bhoward
|
|
response 26 of 149:
|
Jan 4 15:20 UTC 2006 |
Re#20 Right now, they don't need multiple accounts but from the
debris left behind in their accounts, it appears they are splitting
their target lists into smaller sets and setting each account to
work on a different subset.
I don't recall offhand if each account was pumping out the same
message so it is possible they were using a different account to
send different messages.
Re#22 Perhaps the simplest way is to have exim maintain a hash
table. Each time a mail is sent, you hash on the sender's login,
retrieve a record containing a message count and a date stamp. If
the time stamp is <= 24 hours old, just increment the message count
for the sender and refuse to accept the message for processing. If
the time stamp is more than 24 hours old, the message count is reset
to 1 and the date stamp is set to the current time.
Today is the first day I've had a real chance to dig into how exim
works and may be extended so I lack the vocabulary to describe this
using proper exim terms. However, it appears there are a few
different mechanisms one could use.
|
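The per-sender counter discussed in responses 22 and 26, as an added example that is not part of the thread and is not exim or Grex code. It assumes a cap of 25 (the figure from response 20), an in-memory dict in place of exim's hash table, and hypothetical names throughout; the refusal is applied only once the count has reached the cap, and stale records are reset on lookup so no daily expire job is required.

```python
import time

WINDOW_SECONDS = 24 * 60 * 60   # the 24-hour window from response 26
DAILY_LIMIT = 25                # assumed cap; figure suggested in response 20


class SenderThrottle:
    """Per-login fixed-window counter (hypothetical helper, not exim code)."""

    def __init__(self, limit=DAILY_LIMIT, window=WINDOW_SECONDS, clock=time.time):
        self.limit = limit
        self.window = window
        self.clock = clock          # injectable so the window can be tested
        self.records = {}           # login -> (window_start, message_count)

    def allow(self, login):
        """Return True if this message may be accepted for processing."""
        now = self.clock()
        start, count = self.records.get(login, (None, 0))
        if start is None or now - start > self.window:
            # No record, or the stamp is more than 24 hours old:
            # reset the count to 1 and stamp the current time.
            self.records[login] = (now, 1)
            return True
        if count >= self.limit:
            # Inside the window and at the cap: refuse, leave the record as is.
            return False
        self.records[login] = (start, count + 1)
        return True

    def purge(self):
        """Optional housekeeping; correctness does not depend on running it."""
        now = self.clock()
        stale = [l for l, (s, _) in self.records.items() if now - s > self.window]
        for login in stale:
            del self.records[login]
        return len(stale)


def simulate(events, limit=DAILY_LIMIT):
    """Replay constructed (timestamp, login) events; return the decisions."""
    current = [0.0]
    throttle = SenderThrottle(limit=limit, clock=lambda: current[0])
    decisions = []
    for ts, login in events:
        current[0] = ts
        decisions.append((login, throttle.allow(login)))
    return decisions
```

Because the window starts at a sender's first message rather than at midnight, a login can send up to twice the cap across a window boundary; a lower cap or a sliding window tightens that.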