response 1 of 24:

Aug 4 18:04 UTC 2006

Is there a method of tracking how many emails are sent by each user?  

response 3 of 24:

Aug 4 21:39 UTC 2006

You could probably also inject some logic into exim's outbound mail processing
and set some sort of quota.  That seems hokey to me, though.  Some people are
just prolific writers; any artificial limit to stop spammers would probably be
limiting for at least some legitimate users.  Any limit that wouldn't penalize
legitimate users would be too porous to stop spammers.  So what to do, then?

I think that the technical solution is to create a whitelist of users who can
send outbound email.  The social part of the solution is to require users to
paypal a one-time donation to grex to set it up.  Set the limit low (say,
$1.00) and require paypal so that (a) the user in question is in some way
"verified" and (b) the whole process can be automated.  Further, require
positive acknowledgement of an acceptible use policy that explicitly prohibits
spam.  Then, in the event of abuse, you have some sort of financial entity
that it can be tracked back to.

This could all be encapsulated in some program that could be run from the
command line, thus minimizing the impact on grex's staff to keep the system
running once it's set up.  Ie, run:

% iwantmail
Grex email verifier, version 1.0

You are requesting access to offsite email on our server,
grex.cyperspace.org.  Please note, our acceptable use policy
specifically prohibits the use of our resources for the
distribution of unsolicited commercial email (UCE, more
commonly known as "spam").  Email access will only be granted
if you acknowledge that you have seen this message and understand
and are willing to comply with the acceptable use policy.

Have you read, do you understand, are are you willing to agree
to the terms of our acceptible use policy?
[yes/no]: 
Sorry, the only valid responses are "yes" or "no."
[yes/no]: yes

Your request has been recorded.  In order to verify your identity,
we require that you send US$1.00 to emailaccess@cyberspace.org refering
to token 45cd019023cda87f.  We will then email you when you're set up.

Thank you.
% whoami
jruser
% 
You have new mail.
% mail
>N  1 emailaccess@grex.cy  Fri Aug  4 17:25   13/445   Your grex email access.
& 1
From emailaccess@grex.cyberspace.org
To: jruser@cyberspace.org
Subject: Your grex email access.

[Token 45cd019023cda87f]

Hi jruser,

    We have received and verified receipt from PayPal that you
(or someone acting on your behalf) has verified your request for
access to grex's outbound email system.  Access has been granted
for your account.  If you have any problems, please send mail
to "help@cyberspace.org."  Thank you,

    The Grex Staff

& 
% mail whomever@wherever.com
...

As a rough example of what's possible and how I see it running.  In the
background, one would get an poll paypal once an hour or so to see if new
members have joined or verification payments have been received, and update
the database according.  I'm pretty sure PayPal has an API for doing such
querying; maybe via SOAP or WebServices or something.  For additional
security, run it on a satellite machine and update grex once an hour from
there (whatever happened to grpys?).  It wouldn't be much work to put
together a few Perl, Python, or Ruby scripts to do all of the above.  I may
even volunteer to work on such a project.

I don't think it would be beyond grex's nonprofit charter, either, as the
expenses could easily be justified as part of covering the cost of
verification of users, as part of due diligence for allowing access to an
abusable resource.

Does it *eliminate* the potential for abuse?  Not at all.  But it does
provide a pretty strong deterent (it'd probably be cheaper to create a
trillion hotmail accounts and spam from there) and it provides an audit
trail to follow back to a source if abuse *does* occur.  It's certainly
an improvement over the status quo.

response 5 of 24:

Aug 4 21:55 UTC 2006

   We have the whitelist already--accounts not in that list can't
send outbound mail.  I'll comment more when I'm not stuck with a
problem at work.  But we do need some kind of verification system
I think.

response 7 of 24:

Aug 5 00:54 UTC 2006

re #6
I agree with that idea.

response 9 of 24:

Aug 5 14:20 UTC 2006

speaking of email, i am not a newuser in the sense that i have just come to
grex, however, this userid is new and i would like it to have access to email
(outgoing) please. triluda!

response 11 of 24:

Aug 5 17:19 UTC 2006

no. and shut up.

response 13 of 24:

Aug 25 21:39 UTC 2006

unlucy

response 15 of 24:

Aug 26 00:12 UTC 2006

Okay, okay.  We get it, scholar.

response 17 of 24:

Aug 26 08:59 UTC 2006

My point is, you're not doing yourself any good by continuing to harp on it.

response 19 of 24:

Aug 28 19:26 UTC 2006

accousing someone of libel is so mundane.

I heard you got banned from tonsters IRC server too.

response 21 of 24:

Aug 29 00:25 UTC 2006

Chmod sendmail so that users can't invoke it directly, but let mail programs
run with an appropriate suid for the task.

Telnet to the SMTP port??? Why in the name of Bob would this be allowed?

response 23 of 24:

Aug 29 02:49 UTC 2006

just send your money to rex A roof