On Tue, 2005-05-31 at 09:59 -0400, Joseph Brennan wrote:
>
> --On Tuesday, May 31, 2005 11:47 AM +0200 Marco Colombo <[EMAIL PROTECTED]> wrote:
>
> > Server-side global content-based filtering is silly, unless of course
> > it's your (private) server. Users are expected to do their own
> > filtering, otherwise they're exposed anyway. Server-side filtering (on
> > public servers) is just false sense of security.
>
> I strongly disagree. Users just want spam to go away. They do not want
> to configure filters. They're not very good at it either: they usually
> just add the sender address to a blacklist, and that does almost nothing
> for them. It's not a security issue. It's annoyance reduction.

Configure? Manual blacklisting? What are you referring to?

I've been using both Evolution and Thunderbird, and both filter SPAM (and thus most viruses of course) like a charm, and I've configured nothing. All I have to do is to hit 'Junk' instead of 'Delete' (like I used to do before having any filter) on spam. Once in a while, I quickly look at the Junk folder, and very rarely recover a false positive. No configuration needed at all.

Anyway it seems we have a different meaning for 'users'. If you mean employees of a company, well for sure they'll get filters on their (company) server. If you mean customers of an ISP, they may get filtering as well (but I'd prefer marking, or storing to a special folder, instead of silently dropping).

My point being: the purpose of the mailing list software is not to provide a safe email service to 'customers' or 'employees'. That's someone else's job. The software might place restrictions (on message size, attachments, and so on) but it's only to enforce _list_ policies, not end-user security (or comfort). For example, a list with 100,000 subscribers may sensibly avoid forwarding 10MB in a single message. But that's another matter.

> If this list could possibly restrict posting to subscribers that
> would go a long way. That is pretty routine for lists.

And pretty useless. Address forging can be easily automated. More than 1/2 of the spam I see on our servers already forges the sender domain. A nice fraction of it learned how to forge our staff's address already, so I got some forged messages telling me that _I_ have locked my own account down, for example.

As for it being 'routine', I'm currently subscribed to about 20 lists, and only 2 of them are subscribers-only. Not surprisingly, both have nothing to do with e-mail software. IMHO, any list that aims at random users (info, bug reports, and so on), should minimize the annoyance of posting a single message. It may be different for -devel or SIGs lists, tho.

--
Marco Colombo
Technical Manager
ESI s.r.l.
[EMAIL PROTECTED]

---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html