bbs.spamgourmet.com

[zooloo]

Hi Josh & SysKoll,


I've got a - well, question.

Some of my sg addresses I use for rather active mailing lists. Generally, that's fine, since thereby, I get messages only when actually being involved in a discussion there. For the case of missing a later answer, I can always have a look at the web archive. However, there is a slight inconvenience with posting.

Messages sent by the sg user certainly are not intended to get eaten, so it seems ok to let them pass through regardless of any counter. I guess, be it to mailing lists, to single persons or to whomever, one rarely writes an email without being interested in at least some answers, though.

Currently in such case, one has to additionally make sure an appropriate counter state at the web site, which means, look up sg in the bookmarks, open the page, log in, find the particular address, reset its counter ... you know what I mean?

What do you guys think about resetting the corresponding counter to the default value whenever an email is being sent from (i. e. via) an sg address?

Iirc, this would also go along with a wish some have posted in the past - they'd like to reset their counters on a by email basis.


Cheers,

zooloo

[funchords]

Messages sent by the sg user certainly are not intended to get eaten, so it seems ok to let them pass through regardless of any counter.

I used to get spam from ~myaddress~ to ~whateveraddress~.

A lot of spam software has the option to never whitelist certain addresses, with the recommendation that you never whitelist your own address (e.g. spampal).

I also think this would break the sg model and would (if I had a vote) vote no. You can always add your address as a Trusted Sender.

[zooloo]

I wouldn't worry much about that, since exploiting it would require an attacker to

1. spoof the mail to appear as being sent from my (real) address, and
2. get to know the exact sg forwarding code from my real address to my real address.

Both surely is feasible, but rather unlikely to be done by a spammer.


zooloo

[zooloo]

Ouch, I've just found out that sg forwarding can be used from ANY address, as opposed to from my registered one only?!



That I didn't know.


It also explains why a reply by someaddress to messages of mine in a mailing list occasionally appears as being sent from my sg address rather than from someaddress:

Say, I post a message to somelist in response to a former contribution of someaddress. In the "To" field, I enter the sg forwarding address to someaddress, and in the "Cc" field, the sg coded forwarder to somelist.

someaddress consequently uses the (unfortunately unmasked *) sg forwarder as provided by me in the "Cc" field as destination to reply to - don't ask why. This reply then shows up at the list with my sg address instead of someaddress as sender. Of course, this can be confusing ...



zooloo


----
(*) see http://www.spamgourmet.com/bbs/viewtopic.php?t=684

[josh]

That is a little confusing -- could the problem be summed up easily in a sentence or two?

[zooloo]

Sorry about the inconvenience (you might forgive me - English is not my mother tongue).

What I'm trying to explain is basically the issue described in http://www.spamgourmet.com/bbs/viewtopi ... =3324#3324, when applied to a mailing list. It's not very appropriate to appear as author of 8 subsequent posts to one and the same thread, whilst in fact only one or two of them are written by me. Some contributions of my conversion partners show up like spoofed.

Both the topic of this thread and the unmasking question aside, wouldn't it be better to abandon all mails to an sg forwarder which don't come from the corresponding sg account's address? Once a forwarder has become puplic, it can be used arbitrarily by anyone right now.


zooloo


p.s.: By "forwarder" I am referring to an address like +retired+spamcowboy+0123456789.list#hil ... ourmet.com

[josh]

I see. The issue with locking that down is that many spamgourmet users have a different return address in their mailer from the one that's listed as the protected address, and I can't think of another good way to verify the sender. It's really no different from any other situation where you can fake the sender, though, right?

[zooloo]

Ah, I didn't know that. And yes, technically there's not much of a difference. However, unlike other means to fake a sender I know of, sg forwarders happen to be "abused" very easily, even unintentionally by harmless people (see the mailing list example).

I've been puzzling over it for a while now, and I think that adding exclusive home addresses might be a good way to solve the problem.

These exclusive home addresses (I'm sure there's a better term) should work similarly to "exclusive senders", but for (all) forwarders rather than for a (single) disposable address. That is, if no address is specified there, still everyone could use the forwarders belonging to that sg account as desired, but if one or more are specified, sg would eat such messages unless they are sent from one of the exclusive home addresses.


What do you think about this?


zooloo