[Wine] Wine registration email - system failure

Martin Gregorie martin at gregorie.org
Tue Jul 19 14:56:45 CDT 2011


On Tue, 2011-07-19 at 13:25 -0500, Ace... wrote:
> hmmm!
> 
> okay martin...
> ... but can you suggest something,
>
Both. 

Some sort of spammer discouragement or a spam filter is needed on forum
posts. At first glance putting a spam filter between the forum and the
mailing list seems a good idea, but it ain't that easy because all
senders have an address of the form "forum-poster at forum.example.com", so
all you have to go on is phrases and URLs in the body of the post.

I have wondered if a more complex *and intentionally time-consuming*
sign-up procedure for the forum would help. This could be something
like:

- sign-up requires a valid e-mail address, as well as a handle and
  passphrase.
- the address + passphrase would be required to login to the forum
- the 'handle' would be all that appears on forum posts and as the 
  sender address in the linked mailing list
- sign-up involves the new user replying to a confirmatory e-mail
  sent to the login address, thus capturing a valid e-mail address
  for every user who completes sign-up
- wait a few hours before the confirmatory request e-mail is sent. 

All this may upset a few legit. posters but hopefully would positively
discourage spammers (both human and robotic) who are trying to maximise
their output rate and generally only have a short window for spamming
before the blacklists and Bayesian spam recognisers start rejecting
their rubbish.  

>  or, are you primarily alerting us to the fact that, 
>  for want of a better word, the wine email sys has been hacked, 
>  and has therefore, as an entity, gained a bad reputation?
> 
The volume of spam coming from the Codeweavers forum has grown a lot
recently while what little used to come from Nabble has now pretty much
vanished and I don't recall ever seeing much from the WineHQ forum. I'm
reading this to mean that Nabble has improved its game and that the
WineHQ forum has some sort of filtering or maybe a sign-up procedure
that discourages spammers, but that Codeweavers don't seem concerned
about being a spam conduit.

I'll make a better effort to track where winelist spam is coming from in
future. 

Currently, if I see messages that are obviously spam pushing a URL I
just snarl and add the URL to a private Spamassassin rule that fires on
Wine messages that contain listed URLs and/or product names accompanied
by sales terms.


Martin





More information about the wine-users mailing list