Tech Tip (LISTSERV) – Issue 2 – 2006
Q: How Can I Avoid Spam on My Discussion Lists?
Answer by Jacob Haller
Senior Customer Support Engineer, L-Soft
Many owners of discussion mailing lists have encountered the problem of unsolicited bulk email (spam) at one time or another.
This Tech Tip describes several options available to list owners for controlling spam and protecting the email addresses of their subscribers. These options include: how to keep spam from being distributed to a discussion list, how to prevent spammers from harvesting addresses from a mailing list, and how to keep your mailing list from being abused.
Keeping Spam Off Your Mailing List
LISTSERV has built-in spam detectors that are especially effective for LISTSERV sites running in NETWORKED or TABLELESS mode (i.e., communicating with the global LISTSERV backbone). LISTSERV site administrators can also invoke the SPAM_EXIT feature to use an external spam-detecting service like SpamAssassin to scan LISTSERV's incoming mail. Unfortunately, some savvy spammers are capable of evading these means of spam detection. As a result, it may be necessary to take additional steps to keep the spammers out.
Some of these steps may cause more work for the list owner, and/or make some things a little less convenient for your subscribers. It is your prerogative as the list owner to weigh the costs and benefits. This article will attempt to assist you in that process.
Note: With the exception of the CONTENT_FILTER, all of the options described involve modifications or additions to your mailing list header configuration. For additional information on any of these configuration options, consult Appendix B of the LISTSERV List Owner's Manual.
Setting a list to be "Confidential" prevents a mailing list from appearing in CataList, the official catalog of LISTSERV lists. It also removes the list from the output of the "LISTS" command (unless that command is issued by the list owner or site administrator). For sites running the LISTSERV web archive interface, confidential lists will not appear on the site's main list archive web page.
This option makes it more difficult for spammers to find out about a mailing list. Of course, it also makes it more difficult for legitimate subscribers to find it.
- Send= Public,Confirm,Non-Member
This option allows anyone, anywhere to post to the mailing list. However, if the message comes from an email address that is not already subscribed to the mailing list, then LISTSERV will respond with a request that the message be confirmed. Since most spam comes from forged email addresses, the spammer will never receive this confirmation message and will not be able to confirm the message. Therefore, it will never be distributed.
This is most effective when used with the "Subscription= Open,Confirm" setting, which requires confirmation of subscription requests. (Spammers have been known to attempt to subscribe to mailing lists before posting to them; requiring confirmation makes this more difficult to automate, especially since, as previously noted, they usually send spam from a forged email address.)
- Subscription= Open,Confirm (used in conjunction with Send= Private)
With this setting, spammers would have to send a subscription request and confirm that subscription request before they could send spam to your mailing list. In the past, this has not been easily automated so most spammers have not taken the trouble, but more recently, some automated scripts have managed to successfully subscribe to a "Subscription= Open,Confirm" mailing list. Therefore, while it will stop or slow down less sophisticated spammers, it is not a guarantee.
Another advantage of this setting is that it prevents people from being subscribed to your mailing list by a third party, without their knowledge or against their will. There have been many cases of individuals who have been maliciously subscribed to a large number of mailing lists without their consent. Requiring subscription confirmations prevents your mailing list from being abused in this way.
One disadvantage of the "Send= Private" setting is that people who subscribe under one address, but send mail to the list using another address, may have trouble posting because the second address will be rejected as a non-subscriber. Of course, the list owner can add the second address as a subscriber, and then set its subscription options to NoMail to avoid receipt of duplicative messages. However, this can become cumbersome if there are a large number of subscribers in this situation.
Another potential drawback to this setting is that some people may object to the slight increase in complexity of the subscription process.
- Default-Options= Review (used with any of the settings above)
When someone subscribes to your mailing list, this setting will ensure their subscription options are set to Review, resulting in any message they send to the mailing list being forwarded to the list owner (or editor, if defined by an "Editor=" keyword) for approval. Once the list owner has determined the subscriber is a useful contributor to the mailing list, a "SET listname NOREVIEW FOR email@address" command will allow the subscriber to post without the necessity of screening and pre-approval.
This is a very useful safeguard against someone subscribing to a mailing list and sending inappropriate messages (spam or otherwise). Obviously, it entails a bit of additional work on the list owner's part, and new subscribers may initially object to their messages being "moderated" in this fashion.
If you use this option, you may wish to change your list's welcome message (the message automatically sent to new subscribers when they join) so that it includes an explanation of the Review policy and the reasons for it.
- Send= Editor,Hold,Confirm
This setting results in a fully moderated mailing list; all messages go to the list editor for approval. This gives the editor total control over what goes out to the list subscribers.
Depending on the list's level of activity, this option potentially entails a lot of work for the list editor. And, some subscribers may object to their messages being moderated.
As before, if you decide on full moderation for your mailing list, then you may wish to change your welcome message to explain the policy and your reasons for it.
- Using the LISTSERV content filter (LISTSERV Classic and HPO only)
With LISTSERV Classic and HPO, the list owner has the option of utilizing LISTSERV's content filter to scan the headers and/or text of messages sent to the list, and to assign different automated actions based upon the message content. If used carefully, the content filter can serve as a very effective spam prevention tool for a discussion-style LISTSERV list. Content filtering is most effective when used in combination with the other methods described above. Unlike the methods already described, the content filter is not controlled by list configuration keywords. Rather, the content filter is enabled by editing the CONTENT_FILTER mail template. (This can be edited via email, but it is easier through the LISTSERV web interface. Consult the LISTSERV List Owner's Manual for more information on editing templates.)
One simple use of LISTSERV's content filter is to "password protect" list posting. For example, the list owner could edit the CONTENT_FILTER list template as follows:
With the setting above, list postings containing the string "XYZZY" somewhere in the message text are treated as regular list postings, and then they are evaluated per the usual "Send=" setting in the list configuration. Posts that do not contain "XYZZY" in the message body are sent to the list moderator for approval before distribution.
The advantage to the system described above is that it is unlikely that random spam email messages will contain the specified text string (assuming it is sufficiently obscure and is changed periodically). The disadvantage is that it requires training users to always include the specified text in their list postings to make sure their postings get through. Failing that, the additional moderation may place a greater burden on the list owner/moderator.
Of course, the content filter has more straightforward uses. On a discussion list about widgets and knick-knacks, the list owner could modify the CONTENT_FILTER template as follows:
With the above template, any list posting containing the words "widget" or "knick-knack" would be allowed through the usual "Send" evaluation process, while all other postings would be diverted to the list moderator for attention. This can be useful for moderating both spam and off-topic messages from subscribers. The list owner can make the content filter as elaborate as necessary. Of course, the more complex the filter, the less the subscribers may be able to understand why their messages are (or aren't) being sent directly to the list. Experimentation is encouraged to find the right CONTENT_FILTER template for your particular list.
The LISTSERV content filter is available on LISTSERV Classic and HPO only. It is not available in LISTSERV Lite.
Keeping Spammers from Mining Your Mailing List for Addresses
Spammers have been known to employ a variety of strategies to capture a portion or an entire list of subscriber addresses. One standard practice has been for spammers to subscribe to a mailing list, send a "REVIEW listname" command to collect subscriber addresses, and then unsubscribe after 'receiving the goods' of the command output.
LISTSERV includes features intended to prevent the spammer's ambitions. One such feature monitors attempts to subscribe a single email address to a very large number of mailing lists simultaneously. LISTSERV will interpret such an event as a likely abuse, and will then remove the subscriptions automatically. The LISTSERV site administrator may take additional steps to protect the site's mailing lists from abuse in this or similar fashion. However, the bulk of responsibility for the security of the mailing list rests squarely on the shoulders of the list owner.
Here are a few list configuration keywords that can prove invaluable in increasing the security of your mailing list. Please bear in mind that there are potential costs associated with each setting; security can often only be increased at some cost to convenience.
As noted earlier, this setting prevents the mailing list from appearing in CataList or in response to a "LISTS" command. For sites running the LISTSERV web archive interface, it also prevents the mailing list from appearing on the site's main archive web page. If net abusers don't know a mailing list exists, then they cannot try to abuse it. (Of course, legitimate subscribers may have a tougher time tracking down the mailing list, as well.)
This prevents anyone but the mailing list owners from sending a REVIEW command to get a list of the subscribers. This setting is recommended for most mailing lists.
The disadvantage to this setting is that if someone has a legitimate reason to want a list of the mailing list's subscribers, then they will not be able to obtain it themselves. Instead, they would have to ask the list owner for assistance.
A less secure alternative is "Review= Private", which allows mailing list subscribers to retrieve a list of the other subscribers, while denying such access to the general public. This is nearly always preferable to "Review=Public", which allows anyone on the Internet to view the list membership.
If you opt for a setting other than "Review= Owner", then you may wish to inform your subscribers that they can prevent their individual addresses from being listed in the output of the REVIEW command by issuing a "SET listname CONCEAL" command. (List owners can still get a full list of subscribers by using the "REVIEW listname ALL" command.)
Under this setting, any subscription requests go to the list owner, who must then manually add the potential subscriber to the mailing list. This allows the owner to reject or further investigate suspicious-looking subscription requests. This may help to prevent a spammer from signing up for a mailing list in order to capture the email addresses of people who post to it.
Note: A malicious individual may still sign up with a seemingly innocuous address and name.
For very active mailing lists with many subscription requests, "Subscription= By_Owner" is likely to create a great deal of additional labor for the list owner.
- Subscription= Open,Confirm
As noted earlier, with these settings, spammers would have to send a subscription request, and then confirm that subscription request before they are added as a list subscriber. This is not easy, but it is also not impossible. It may stop novice spammers, but it will only slow down the more experienced and sophisticated ones.
- Notebook= [. . .],Private (particularly in conjunction with Subscription= Open,Confirm)
For a list with archives of previous postings, this setting restricts archive access to subscribers only. The email addresses of people who post to the mailing list are available in the mailing list's archives, but are only visible to web visitors who are subscribed to the list and have authenticated themselves with their subscription email address and personal LISTSERV password.
This option makes it more difficult for a spammer to get access to the archives and addresses. This setting is particularly important for lists that have their archives available via the LISTSERV web interface, as many spammers use automated scripts to harvest email addresses from public web pages.
Note: "Notebook= [...],Owner" can also be used to restrict archive access to list owners only. However, in most cases, this defeats the purpose of having archives in the first places.
It may be desirable to include a disclaimer in your list's welcome message explaining appropriate use of your mailing list. This information may also be put in a top or bottom banner for list postings.
The LSTOWN-L mailing list is a discussion mailing list for people who run LISTSERV-based mailing lists. It is a good resource for all kinds of information, including the topics discussed above. If you wish to subscribe to LSTOWN-L, visit peach.ease.lsoft.com/archives/lstown-l.html.