Subj : Fidonet gating and spam
To   : Sean Rima
From : Michael Grant
Date : Sun Feb 17 2002 11:41 am

Hello Sean.

14 Feb 02 14:51, you wrote to me:

 MG>> While I sympathize with your plight, Sean, and feel that your ISP
 MG>> and those lists have over reacted to this incident, I feel the
 MG>> situation needs to be put into a little perspective.

 SR>  As the saying goes, at the time the "S**t hit the fan", there are
 SR> other issues that SuSE disclosed to me, including hacking attempts and
 SR> bounce attacks, although I am not sure what the latter is.

Not sure, but I've heard of spammers using another's e-mail address to hide the 
true source their message. Perhaps that sort of behavior can cause unexpected 
bounces.

 MG>> Fidonet is for the most part, a publically accessible network,
 MG>> and as such is vulnerable to spam no matter what technology we
 MG>> use. We are more and more these days an integral part of the
 MG>> Internet, rather than being a seperate entity. The vast majority
 MG>> of mail transferred in this network is now transferred over
 MG>> the internet.

 SR> Fidonet is publicy accessible and we have enjoyed a lot time of
 SR> freedom from the abuse of spam and god knowes what else. However,
 SR> there is a thing also called Moderator rules.

Which can only be reactive. Just as a message poster can go against the rules, 
and all the moderator can do is warn him or cut his feed /after/ the fact. 
Occurances of spam are no different in this regard.

It has been suggested that for certain echos, filters could be set up to catch 
spam messages. Nobogus could do such a thing for a sysop who is gating message 
areas, and so can Irex. However, one runs the risk when taking these proactive 
measures of filtering out legitimate messages that do not go against the 
message area's rules; and that in some instances can cause a participant to 
become frustrated and possibly drop out.

 MG>> Even if Fidonet could somehow come up with a network that can
 MG>> do the things for us that the internet can do, yet be seperate
 MG>> from the internet, we will still be vulnerable to spam from the
 MG>> users which we publically invite to post in the network. Even
 MG>> if we went back to strictly dial-up modem connections, we are
 MG>> still vulnerable to spam messages and viruses.

 SR> True, however, every single message that is gated here, whether by
 SR> Mailing List or Newsgroup is Virus Scanned and also Spam Checked. Any
 SR> virus content is moved to a seperate directory and me notified, spam
 SR> content is score based and anything over a certain figure is sent to
 SR> /dev/null. However, I trust Fidonet users and don't check outbound
 SR> messages.

If these lists were so sensitive to spam, then you probably shouldn't have. 
We've sort of become "spoiled" in the past because most of the dial-up BBS 
users were generally well-behaved. That's made us complacent, thinking that 
spam doesn't happen in Fidonet. We have to recognize that it has and will 
continue to happen, and it's something we're going to have to be aware of and 
deal with.

 MG>> Sure, Shannon Talley runs an NNTP server; but it's not a public
 MG>> NNTP server and isn't a free-for-all. Shannon requires
 MG>> registration and restrictions and acceptance of rules before
 MG>> anyone may post messages on his NNTP server. Such
 MG>> an administrative setup is in fact exactly the same as a
 MG>> publically accessible BBS, and I in fact view his system as a
 MG>> web-based BBS, and /not/ a public news server. If we are going to
 MG>> come down on a sysop just because he chooses to use an NNTP
 MG>> server for his BBS instead of a traditional BBS
 MG>> package accessible via dial-up or telnet, then in all fairness we
 MG>> have to come down on everyone else who has public access to
 MG>> Fidonet equally, because this just as surely could have happened
 MG>> from a telnet or dial-up BBS.

 SR> Okay, firstly, I will achknowledge that Shannon's NNTP server is not
 SR> open. I did a very simple test that is used by Open NNTP server
 SR> checkes. I telnetted to his server and got a 200 responce without any
 SR> immediate authenication check. Shannon has contacted me and corrected
 SR> me. However as Shannon and others have pointed out, this sad event has
 SR> proved a weakness in the software, in that a single message can be
 SR> crossposted unlimitedly whereas most ISPs restrict the number of
 SR> crossposts to 10, some even less.

And the same can be accomplished with QWK packets and offline message bases. 
There even are those determined enough to manually post spam in multiple 
message areas. We can make it more difficult, but we can't prevent it 
altogther.

 MG>> If your ISP is so strict on these issues, and those lists are
 MG>> so unforgiving, then probably you shouldn't have considered
 MG>> gating those lists to Fidonet in the first place. I feel though
 MG>> that they should be made to understand the nature of Fidonet as
 MG>> a publically accessible network that can only take reactive
 MG>> steps to such incidents, but the fact that the actions are
 MG>> reactive does not mean that steps will not be taken.

 SR> My ISP is a very small company who take spam very seriously. Don't
 SR> forget it looks bad for them as well. As I have said above,
 SR> Christopher at SUSE has tols me that they are suffering at the hands
 SR> of Spammers and bounce attacks (whatever they may be) and possibly
 SR> this was the straw that broke the camel's back.

 SR> I have been granted access for personal useage to the SuSE lists, I am
 SR> currently on a few, and I am working on methods to get access back to
 SR> Fidonet. These are all closed lists, ie you have to be subscribed to
 SR> post and therefore spam content is extremely low, in some, non
 SR> existant. ANd don't forget that a spam message sent to a mailing list
 SR> not hits one person but possibly 1,000's and judging by the number of
 SR> private emails I got, it is a massive list.

Well, then if you consider at all re-establishing the gate, I think you ought 
to look at setting up some sort of filtering program before posting Fidonet 
mail to the lists. You could use NoBogus to sidetrack everything and sift 
through it manually, but that would take a lot of your time; or you could set 
up automated filters with Irex or NoBogus, and run the risk of some legitimate 
Fido mail getting caught and not propogated. At least for the gate /into/ 
Fidonet, you would not need to have filters.

 SR> One of the reasons, I removed the LISTS. from the elist and
 SR> backbone is that it may take some time to sort things out. I
 SR> know from the SUSE list and also the MANDRAKE ones that they
 SR> have active fidonet posters and it is not, and I repeat not, my
 SR> intention to remove them for long, but there is always a
 SR> possibilty that it will take me longer to get things sorted so
 SR> that there is no possibilty of any off topic postings
 SR> to go out to the lists. I was also considering before hand about
 SR> rmoving the LINUX-KERNEL echo as that is very high volume and I had
 SR> seen no active fidonet content, even removing it from the backbones, I
 SR> would still have made it available via email pkt feeds.

Private echo distribution could work as well, or a sysop-only restriction. 
Another way it could be done is to make the echo read-only, and regularly post 
a message stating where an interested person may ask permission to post; 
perhaps for example, with your e-mail and netmail address as contact 
information.


--- GoldED/386 3.0.1-dam3
 * Origin: MikE'S MaDHousE: WelComE To ThE AsYluM! (1:134/11)

.