SEELANGS Administrivia - (was Re: [SEELANGS] You're Paying Too Much)

Alex Rudd AHRJJ at CUNYVM.CUNY.EDU
Mon Jun 3 22:20:35 UTC 2002 

On Sat, 1 Jun 2002 01:11:40 -0500 <someone> said:
>We will help you get the mortgage loan you want!
>
>Only takes 2 minutes to fill out our form.
<snip>

Dear SEELangers,

Several of you have written me off-list inquiring into how this
unsolicited commercial e-mail (UCE, a.k.a. "spam") message made
its way onto the SEELANGS list.  Apologies for not responding to
those people individually, but it's easier for me to send this
message to everyone.

SEELANGS is a restricted list, in that only subscribers may post.
However, apparently there's a caveat to that, which is that mail
originating from the LISTSERV address itself (that is, from
LISTSERV at LISTSERV.CUNY.EDU) is also recognized as valid, even if
that address is not subscribed.  Until today when this message was
brought to my attention, I didn't know that.  In any event, the
spammer who posted this message spoofed his e-mail address, such
that the message appeared to come from LISTSERV at LISTSERV.CUNY.EDU,
even though in reality it did not.

If you're curious, by the way, just from examining the message
header and doing a little on-line sleuthing, I was able to
determine that the spam message distributed on SEELANGS originated
in the Philippines, in all likelihood in a placed called Makati City.
Although I have two names associated with that point of origin, it
would be pointless to follow up further, as the Philippines have
rather weak laws in this area.

In any event, here's the bottom line at this point:

I have closed this particular loophole and no further spam will
be distributed on SEELANGS looking like it came from the LISTSERV
address.

*HOWEVER*, please be advised that as I currently have SEELANGS
configured we *could* see another spam message like this posted
to the list if the spammer successfully spoofs a subscriber's
e-mail address.  This is not likely to happen, but it is possible.

I could change the list's configuration right now to eliminate
the possibility altogether, but I'm choosing not to do that at
this time and here's why.  The way to close this loophole entirely
is to institute a confirmation system.  If you wanted to post a
message to SEELANGS, you'd submit the message normally to
SEELANGS at LISTSERV.CUNY.EDU.  Before distributing the message,
though, LISTSERV would first send you back an e-mail message
asking you to confirm that you did, in fact, submit the message.
If you did, you return the confirmation and the message is
distributed.  If you did not (i.e., some spammer is spoofing
your address), then you do not return the confirmation and the
message is never distributed on the list.

We may be forced to switch to that method at some point in the
future, but for right now I believe the risk (and potential
harm) is so low that it's just not worth the hassle of asking
people to jump through that extra hoop each time they want to
post.

By the way, as I really have very little free time these days
and am seldom able to keep up with list mail, I appreciate
being alerted to this problem by those of you who wrote directly.
As always, I can be reached at SEELANGS-Request at LISTSERV.CUNY.EDU
if something similar should happen in the future.  Please be
patient, though, as I may not see your message for a few days.

Regards,

- Alex, list owner of SEELANGS    seelangs-request at listserv.cuny.edu
....................................................................
Alex Rudd                ahrjj at cunyvm.cuny.edu            ARS KA2ZOO
{Standard Disclaimer}    http://home.attbi.com/~lists/seelangs/

-------------------------------------------------------------------------
 Use your web browser to search the archives, control your subscription
  options, and more.  Visit and bookmark the SEELANGS Web Interface at:
                  http://home.attbi.com/~lists/seelangs/
-------------------------------------------------------------------------

More information about the SEELANG mailing list