Author Message
bhoward
Access to Email on Grex   Jan 2 09:15 UTC 2006

We allow anyone who gets an account to have instant access to email.

I personally prefer that grex continue providing open access to
email but I am worried that we have made the barriers too low for
would-be spammers and vandals.  

Their continued misbehavior is ruining the value of email for
legitimate users by getting the system repeatedly listed in various
spam databases and unfortunately, is consuming an inordinate amount
of staff time that could be better spent on other system problems.

The purpose of this item is to discuss whether to raise the barrier
for access to email and possible ways of implementing such barriers,
be they social or technical.
149 responses total.
steve
response 1 of 149:   Jan 2 11:14 UTC 2006

   No social system is going to work with spam weasels, sadly.
We're going to have to come up with a decent way to throttle
exim from handling 100+ emails at once from someone, or make
email only available to some kind of 'verified' user.

   One of the reasons I haven't been participating in coop
for the last several weeks is that just about all my time
spent on Grex lately has been watching for spammers, and
cleaning up after them.  I have removed more than 150,000
emails from the queue because of these idiots.

   The net really isn't what it once was, and Grex needs
to adjust itself to these realities.  I note that M-Net
has gone through much the same problem, and they elected
to shut off outbound mail.

   We have to figure something out.  I'm hoping that a
throttle system will work, and/or a spam filter system
that can apply to outbound mail as well.
keesan
response 2 of 149:   Jan 2 16:44 UTC 2006

What size throttle?  Is there any need for grexers to send more than 50 copies
of the same mail at once?  
aruba
response 3 of 149:   Jan 2 18:12 UTC 2006

I liked the idea of implementing an ascii CAPTCHA test in newuser, to keep
spammers from creating accounts automatically.  That would at least slow
them down, I think.
krj
response 4 of 149:   Jan 2 18:28 UTC 2006

I would like to suggest a more radical approach, 
to bring Grex's email service to a graceful end.
 
Email is not a core part of Grex's mission, it's just something 
that happened along the way.  And free e-mail is available from an 
awful lot of providers now.    There are lots of ideas for programming
and configuration changes which could allow Grex to continue providing 
email service, but all of these require staff time resources; the 
last year or so has pretty well demonstrated that Grex doesn't have 
staff time resources for that sort of development.

(I use Grex as my principal non-work e-mail address.)
nharmon
response 5 of 149:   Jan 2 19:54 UTC 2006

I think it is important for Grex, as an organization, to be a good
netizen. And having spam come from us is a perfect way to spoil our
reputation. I'm with Ken, I do not think providing e-mail is an
efficient use of staff resources.

When m-net turned off their e-mail, we laughed. Now we're beginning to
see the wisdom of that decision.
keesan
response 6 of 149:   Jan 2 22:06 UTC 2006

I email other grexers from within grex and would really really hate to be
forced to use webmail to do it.  Sometimes I am trying to teach them to use
'talk', and it helps to write emails about this.  I prefer dealing with the
spammers some other way than punishing the rest of us.
naftee
response 7 of 149:   Jan 3 01:24 UTC 2006

resp:1 looks like poetry
chimda25
response 8 of 149:   Jan 3 03:22 UTC 2006

hic hic hello
sholmes
response 9 of 149:   Jan 3 03:51 UTC 2006

Guess only to/from grex mail can be allowed !
bhoward
response 10 of 149:   Jan 3 04:48 UTC 2006

Hmm.  How about for 48 hours, you are limited to local mail.  After 48 
hours, you gain the right to run a program which asks you to type in an
ascii CAPTCHA, which if answered correctly places you into a group that
is allowed full email privileges?

Implementing this should be relatively easy.
steve
response 11 of 149:   Jan 3 04:55 UTC 2006

   I'm not in favor of removing mail from Grex if we can help it,
as mail is still the best communications system there is.  If we
can't control the spammers however, we may have to stop it.  That
would be really horrid though.

   In terms of a throttle on the number of emails, I'm not sure.
I know most people send less than 20 emails a day, judging from
a time when I went over the logs of several days.  We should be
able to change that throttle as needed.
cross
response 12 of 149:   Jan 3 05:09 UTC 2006

I'd favor having the ASCII CAPTCHA in newuser itself.  I've been toying
with the idea of a newuser rewrite in either Perl or Python....
aruba
response 13 of 149:   Jan 3 06:02 UTC 2006

Bruce's description in #10 sounds good to me.
keesan
response 14 of 149:   Jan 3 14:02 UTC 2006

What is a CAPTCHA?
jep
response 15 of 149:   Jan 3 15:07 UTC 2006

Some sites use a graphic image of a sequence of letters and/or 
numbers.  They're somewhat difficult to read, intentionally so, in 
order to be very hard for a program to read.  You have to identify the 
sequence of characters and then type them in, which authenticates you 
as a human being.  Other free e-mail systems use them to prevent 
computer systems from automatically creating e-mail accounts to use 
for spam.

Someone (bhoward?) had the idea of using ASCII art -- for example, 
figlet fonts -- on Grex in the same way.  Computers would have a hard 
time identifying such characters, so only human beings would be able to 
run newuser to create an outbound e-mail account.

Does that explain the concept, Sindi?
keesan
response 16 of 149:   Jan 3 16:09 UTC 2006

So how will that stop or even slow down a spammer who already knows about grex
and has a graphical browser?
mcnally
response 17 of 149:   Jan 3 16:11 UTC 2006

  It will make it very difficult for them to automate their procedure for
  creating multiple accounts.
cross
response 18 of 149:   Jan 3 17:02 UTC 2006

(At which point they'd probably give up and go somewhere else that's easier.)
tod
response 19 of 149:   Jan 3 18:11 UTC 2006

How about a throttle on outbound mail which limits users to 5 per day?
keesan
response 20 of 149:   Jan 3 19:56 UTC 2006

Why does a spammer need multiple accounts if we don't have any limit on number
of outgoing mails per day?
Five per day is too low for normal users.  I get about 10 a day here and
answer them all.  Make it 25 at least.
tod
response 21 of 149:   Jan 3 22:45 UTC 2006

It's just an arbitrary number but does the idea of a cap on number per day seem
reasonable?
cross
response 22 of 149:   Jan 4 01:54 UTC 2006

I wonder how to implement it.  You'd have to maintain some sort of hash and
`expire' data from it every day.  That would be easy to implement, but I've
found that things like that tend to be fragile: I like to minimize moving
parts, if I can.  That's why I'd prefer something that just relied on groups
or something like that.
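
[Added example, not part of the thread and not Grex's code: a sketch of how the proposals in responses 10 and 19-22 combine into one outbound-mail decision, with the per-day counter table and its expiry made explicit. It assumes the check runs at the point where the mail system accepts a message; `LOCAL_DOMAIN`, the `verified` set (standing in for the privileged group) and the class and function names are hypothetical.]

```python
import time
from dataclasses import dataclass, field

DAY = 86400
LOCAL_ONLY_PERIOD = 48 * 3600    # response 10: new accounts get local mail only
LOCAL_DOMAIN = "grex.example"    # placeholder domain, an assumption


@dataclass
class OutboundPolicy:
    cap: int = 25                                # response 20's figure; tunable
    verified: set = field(default_factory=set)   # stands in for the privileged group
    counts: dict = field(default_factory=dict)   # (user, day number) -> external sends

    def _expire(self, today):
        # Drop counters from earlier days so the table stays bounded.
        for key in [k for k in self.counts if k[1] < today]:
            del self.counts[key]

    def check(self, user, created_at, recipients, now=None):
        """Decide one message; each external recipient counts against the cap."""
        now = time.time() if now is None else now
        today = int(now // DAY)
        self._expire(today)
        suffix = "@" + LOCAL_DOMAIN
        external = [r for r in recipients if not r.lower().endswith(suffix)]
        if not external:
            return True, "local"
        if now - created_at < LOCAL_ONLY_PERIOD:
            return False, "account younger than 48 hours"
        if user not in self.verified:
            return False, "not in verified group"
        used = self.counts.get((user, today), 0)
        if used + len(external) > self.cap:
            return False, "daily cap exceeded"
        self.counts[(user, today)] = used + len(external)
        return True, "ok"


def demo():
    # Constructed sample traffic; timestamps are seconds since account creation.
    p = OutboundPolicy(cap=3, verified={"alice"})
    t = 49 * 3600
    two = ["a@example.org", "b@example.org"]
    return [
        p.check("alice", 0, ["bob@grex.example"], now=1000),
        p.check("alice", 0, ["a@example.org"], now=1000),
        p.check("mallory", 0, ["a@example.org"], now=t),
        p.check("alice", 0, two, now=t),
        p.check("alice", 0, two, now=t),
        p.check("alice", 0, two, now=t + DAY),
    ]
```

[Counting recipients rather than messages means one message with a long recipient list cannot slip under the cap.]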
ric
response 23 of 149:   Jan 4 14:34 UTC 2006

It's very difficult to control email on a system in which users can pipe
things to sendmail.  We're not talking about joe schmoe using elm to send
50,000 emails.  Presumably, direct queue injection via the sendmail binary
- or possibly SMTP from localhost via a perl script.

<ric goes to test something>
ric
response 24 of 149:   Jan 4 14:39 UTC 2006

Grex does accept SMTP from localhost... I presume there are mail clients
(PINE?) that use SMTP rather than direct queue injection via sendmail...

- Backtalk version 1.3.30 - Copyright 1996-2006, Jan Wolter and Steve Weiss