Mailinglist Archive: opensuse-security (485 mails)

< Previous Next >
Re: [suse-security] signing mails
  • From: "Philippe Vogel" <filiaap@xxxxxxxxxx>
  • Date: Fri, 5 Mar 2004 21:10:37 +0100
  • Message-id: <004801c402ed$ed1d94a0$52ef5b86@xxxxxxxxxxxxxxxxxx>
> > > Well, in fact the _most_ annoying thing are not the massmailings
itself,
> > but
> > > the repeated discussion that starts _everytime_ when _one_ such thing
> > touches
> > > the list. Sometimes I feel like on Groundhog Day...
> >
> > FULL ACK!!!
> > And in addition to that, I would state that those discussion cause more
> > than quadruple the traffic the worms do.
> >
>
> Perhaps that is because nothing is ever done. Virus/Spam gets post,
people
> whine, nothing happens, people stop. Rinse/Repeat.
>
> As far as I am aware, this is a security list. Security of the list
would, I
> believe, be covered as a valid discussion. I don't care much about the
> vagaries of SuSE's iptables wrapper, but it is discussed ceaselessly on
the
> list. I recognize that as valid. Why is our own discussion any less
valid? I
> am, at least, talking about something constructive. Whining about other
> people's posts is hypocritical at the very least.

There is no lack in security from such post, because the mailserver cuts
them of (or my mailserver filters them out). The problem is it consumes me
time to delete the posts and filter them from the more important ones. If
there are more spam-mails, than real mails on the list I loose interest,
because I want to read security related stuff and no /dev/tele-tubby texts
(no I not 68 and need aging pills ... or anything other).

> I rather like the idea of simply requiring a specific string somewhere in
the
> message to prevent spam. Would it be such a burden to end a subject line
with
> "#"? Does anyone know if there is a technical problem in checking for
such a
> subject before sending out to the list?

Any "FULL ACK!!!" or "That makes more traffic" posts don't _REALLY_ help
solving that issue. At our local admingroup's mailinglist we had simillar
problems with posts not belonging to the list. Now we got this under
control.

If this list makes a key-exchange-party and only mails were allows with the
right signature, there would be no spam here at all. If then somebody is on
the list spamming, he/she/it can easily be unsuscribed (small amount of
work).

Example with pgp signature:

-----BEGIN PGP SIGNATURE-----

YOUR KEY [...]

-----END PGP SIGNATURE-----

The next point is, the content of the list is presented on webpages, which
webspiders can easily grep. It's no problem getting this information with
e.g. google - there is much knowledge behind the posts - , but if malicious
third party fetch the E-Mail addresses of the users and do their
unprofessional business. So if we use a signed list this signatures should
not be posted there.

It is better, if we can find a zero spam solution and can come back to more
important threads.

Philippe


< Previous Next >