In message <[EMAIL PROTECTED]>,
Jeremy Blackman <[EMAIL PROTECTED]> wrote:

>On Thu, 18 Nov 1999, Ronald F. Guilmette wrote:
>
>> As one possible solution to this problem, the idea of building and
>> maintaining a registry of ``legitimate opt-in'' mailing lists does in fact
>> have some merit, but as noted above, it also has some problems.
>> 
>> I think that the scaling problems could in fact be solved, but that would
>> take some serious work.  As regards the building and maintaining of the
>> registry, I myself would be happy to build and maintain exactly such a
>> registry, and to make it available (as a service) to all Internet sites, 
>> but the main reason why neither I nor anyone else has ever tried to create
>> such a registry is because of the likelihood that list owners simply would
>> not cooperate in sufficient numbers to make the whole thing work.
>
>The 'meta-list' group that got mentioned on here some while back has
>created such a registry; take a look at www.meta-list.com.  Admittedly,
>it's geared more towards end-users finding a list...

Exactly.

There are a number of different sites on the net now that have, by hook or
by crook, amassed big huge lists of mailing lists, including the one you
mentioned, another German one that was mentioned here recently, eGroups,
and others.  The problem involved in getting _any_ of these sites to
help out or participate in the creation of a net-wide central registry
of mailing lists is twofold:  (1) Every one of these sites has .com on
the end of its domain name, clearly implying that they are NOT going to
be in the least bit sanguine about giving away the data they have
worked so hard to amass (for commercial purposes), and (2) it isn't at
all clear, to me at least, what if any quality control has been applied
to the data they have amassed anyway.  Are all of the lists these places
know about really ``legitimate'' opt-in (non-spam) mailing lists?  I
suspect not, and I suspect that these places never really cared... as
they were creating their lists of lists... how exactly the lists they
were cataloging are operated in practice.

>... but my point is that
>there are other methods of discovering mailing list information...

Other than by obtaining cooperation from the list owners you mean?

Yes, you can automatically probe around (an activity that I happen to
have some familiarity with :-) but experience indicates that doing that
is likely to earn you a lot of ill will, and even loss of connectivity
(at least to certain networks) that you would otherwise like to obtain
information from/about.

>I don't happen to -agree- with the mass harvesting they did...

There.  See what I mean?

> but all they did was
>probe at specific addresses (majordomo@<site>, listserv@<site>,
>listar@<site>), sending the appropriate command for the listserver type
>they were probing to get a list of lists on that site, which was then
>parsed.

As I say, approaching the problem in this manner will generate a lot of
ill will, but more importantly, it will yield results which are rather
spectacularly less than comprehensive.  The reason is simple... an awful
lot of mailing lists out there are _not_ implemented via majordomo, listserv,
listproc, etc.  Many, in fact, are just humongously long /etc/aliases entries.
So just probing for majordomo lists, listproc lists, listserv lists, etc.,
is going to yield a far from comprehensive list.

Bottom line is that in order to construct a _comprehensive_ registry of
mailing lists, you really do need cooperation from list owners... and
that isn't easy to come by.

>As for a registry of mailing lists of the type you describe, I think that
>some very serious thought would need to be made on HOW it would be
>implemented.  I keep thinking that the -best- method would never be
>accepted, because it would require cooperation between listserver authors
>such as myself, the registry authors/maintainers, and the MTA authors...

There's that word again... cooperation.

I would argue that you DON'T actually need any cooperation from the MTA
authors/vendors, but that is only a minor quibble.  The bottom line is
that you still _do_ need cooperation from a lot of people who aren't
terribly motivated to cooperate.

>but this method would be that each list would be assigned a unique
>identifier, almost like a PGP fingerprint.
>
>The posts from the list would be required to contain this fingerprint on
>something like X-MLReg-Auth: in the RFC822 headers, as well as the
>X-List-Id: header described in the proposed changes to RFC2369.

That is easy enough to implement.  All you need is to pay the appropriate
license fees to RSA Data (or else use some unencumbered and exportable
public key crypto stuff) and then arrange for the mailing list software
to sign each outgoing message using its private key.  (On the receiving
end, post-MTA filters could check the signatures.)

>Then an MTA such as AOL could query the listserver registry (using the
>X-List-Id) and see if the auth code matched.

Right.

>Now, I know that the problem
>is that spammers would become creative and do a query to get the auth code...

No.  Nothing that complicated.

They would merely endeavor to get their own (abusive opt-out) mailing lists
listed in the registry as if they were non-abusive opt-in lists.  Why try
to pick the lock on the rear window when you can just wear a mask and then
just walk in through the front door?

This is the REAL problem with the whole idea of a central registry... or
_any_ registry... of ``legitimate opt-in mailing lists''.  How can you
know, unambiguously, who are the Good Guys and who are the Bad Guys?
How can _anybody_ know?

Say I'm running a big free-to-everyone-on-the-net mailing list registry
that is intended to ONLY list non-spam mailing lists.  Now someone I've
never heard of before sends me an E-mail and says he's just started a new
list to discuss Tasmanian Devils and will I please include him in the
registry.  OK.  So I add his list name and the associated public key to
the registry and wham!  Ten minutes later he's spamming the hell out of
the entire planet.  And no filters will stop him because he's not even
pretending to be anybody else.  He's just being who he is, but *I* have
seriously misjudged his character.

This is yet another problem that I don't know how to solve (in addition to
the problem of getting list owners to cooperate with the building of a
central registry of all mailing lists).  But I don't feel too bad about
the fact that I don't know how to solve this (character judging) part of
the problem.  Apparently, AOL doesn't have a reliable solution for this
part of the problem either (which explains why they occasionally mess up
and treat Good Guys as if they were Bad Guys).
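
An added example, not part of the original message or of any list software it mentions: a receiving-side filter for the X-List-Id / X-MLReg-Auth scheme discussed above, showing that it stops forgery but accepts a registered list that turns out to be abusive. Ed25519, the signed-string layout, the in-memory registry and the list names are assumptions made for the sketch.

```javascript
const crypto = require('node:crypto');

// Constructed registry entry: generate a key pair and publish the public half.
function registerList(registry, listId) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  registry.set(listId, publicKey);
  return privateKey; // stays with the list server
}

// List-server side: sign list id + body and emit the two headers.
function signPost(listId, privateKey, body) {
  const sig = crypto.sign(null, Buffer.from(listId + '\n' + body), privateKey);
  return `X-List-Id: ${listId}\r\nX-MLReg-Auth: ${sig.toString('base64')}\r\n\r\n${body}`;
}

// Receiving side (post-MTA filter): look the list up, then verify the signature.
function checkPost(registry, raw) {
  const split = raw.indexOf('\r\n\r\n');
  if (split < 0) return 'reject: malformed';
  const headers = new Map();
  for (const line of raw.slice(0, split).split('\r\n')) {
    const m = /^([^:\s]+):\s*(.*)$/.exec(line); // unfolded headers only
    if (m) headers.set(m[1].toLowerCase(), m[2]);
  }
  const listId = headers.get('x-list-id');
  const auth = headers.get('x-mlreg-auth');
  if (!listId || !auth) return 'reject: unsigned';
  const key = registry.get(listId);
  if (!key) return 'reject: unregistered list';
  const signed = Buffer.from(listId + '\n' + raw.slice(split + 4));
  const ok = crypto.verify(null, signed, key, Buffer.from(auth, 'base64'));
  return ok ? 'accept' : 'reject: bad signature';
}

// Constructed sample traffic; all names are hypothetical.
function demo() {
  const registry = new Map();
  const id = 'tasmanian-devils.lists.example';
  const listKey = registerList(registry, id);
  const otherKey = crypto.generateKeyPairSync('ed25519').privateKey;
  return {
    forged: checkPost(registry, signPost(id, otherKey, 'BUY NOW')),
    unregistered: checkPost(registry, signPost('bulk.example', otherKey, 'BUY NOW')),
    // Properly registered list, abusive content: the signature check has no opinion.
    registeredSpam: checkPost(registry, signPost(id, listKey, 'BUY NOW')),
  };
}
console.log(demo());
```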
