At 8:07 AM -0700 5/5/2000, Roger B.A. Klorese wrote:
> Follow Chuq's earlier points in this space. It is his experience that
> confirmation, even easy methods, are confusing to most new netters, and
> they simply up and leave. For him, that's a much more severe problem than
> the occasional attack. For me right now, I use confirmation, but I also
> know that 25% or more of my potential subscribers give up either when they
> can't get confirmation right the first time or when asked for it at all.
> It's a web world -- people expect to click once and get what they're
> looking for, not a body cavity search.

It depends on the list. It depends on the audience. And it depends on
lots of other factors.
I'm all for mailback validation where it makes sense. Unfortunately,
some folks seem to think it's a panacea, and that by definition, it's
the only possible solution. That's an overly simplistic view of life.
The busier the list, the more mailback validation makes sense.
Getting stuffed onto a twice-a-month list is a lot different than
getting stuffed on sf-lovers. One is an inconvenience, the other can
drown you before you know what happened. The busier the list, the
more you have to protect people from it.
And FWIW, turning off mailback validation does not imply you leave
your list open.
My lists that don't mailback validate do other things to limit the
chances of someone getting slammed. For instance, I don't have an
email access point for subscriptions, so the standard "slam
subscribe" tools out there are useless. I can't be part of an
automated attack. All subscriptions come through a web site (or in my
case, one of four web sites, three of which I don't have direct
control over, which complicates things. And that's an issue Murr
doesn't seem to catch -- not all of these issues are things where you
have final say on the matter).
The subscribe CGI should be protected from automated slam subscribes.
How I'm doing this I won't say offhand, but email me privately if you
want more details.
If you do these things, you limit slams to those where a user
physically goes into the web site and types in an email address.
Those still happen -- but the number is tiny.
The next level of defense is the welcome message. Every subscription
gets one, and the welcome message includes multiple ways of
unsubscribing, including a pre-encoded URL that takes you to the
unsub page with the email address pre-loaded. It's literally a
two-click operation. (It doesn't solve the problem of the person who
won't read the mail, but...) Effectively, there IS a mailback
validation here; it's opt-out instead of opt-in.
The next level of defense is that if you do this, you need to make
sure you have administrative resources to answer and handle mail. The
postmaster has to be available and responsive -- problems happen,
they can't fester.
Finally, the system is set up to allow me to blackhole problem
addresses and domains. If someone reports they're being repeatedly
subscribed, they can be (and are) blackholed.
Not having mailback validation doesn't imply no protection. And to
put it bluntly, I see a much higher incidence of problems on my
"normal" listservs through info/subscribe bombs than I do through my
big system. The big system was designed to avoid the automated bomber
tools, and that in itself solves 99% of the problems.
There is no one true way of doing email systems. Those who think so
need to widen their horizons. Life is complicated, email is
exceptionally complicated, and simplistic "this is the only way
things can work" responses are, oh, non-constructive. There are many
different ways email is being used, with different audiences, and you
need to target your solutions to your needs and audience.
Chuq Von Rospach - Plaidworks Consulting (mailto:chuqui @
Apple Mail List Gnome (mailto:chuq @
And they sit at the bar and put bread in my jar
and say 'Man, what are you doing here?'"
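
The following sketch is an added example, not code from this message or from the system it describes. It shows two of the layers discussed above: a blackhole check on addresses and domains at subscribe time, and a welcome message carrying a pre-encoded unsubscribe URL with the address pre-loaded. The URL, secret, list entries and function names are constructed, and the HMAC token on the link is an assumption added here so the unsub page can tell its own links from hand-built ones.

```python
import hashlib
import hmac
from urllib.parse import urlencode, parse_qs, urlsplit

# Every name and value below is constructed for this example.
SECRET = b"example-only-secret"
UNSUB_PAGE = "https://lists.example.org/unsub"
BLACKHOLE_ADDRS = {"victim@example.net"}   # people who reported repeated slams
BLACKHOLE_DOMAINS = {"bombed.example"}     # whole domains that asked to be left alone


def normalize(addr):
    """Trim and lower-case so matching does not depend on how it was typed."""
    return addr.strip().lower()


def is_blackholed(addr):
    """True if the address, its domain, or any parent domain is blackholed."""
    addr = normalize(addr)
    if addr in BLACKHOLE_ADDRS:
        return True
    labels = addr.rpartition("@")[2].split(".")
    return any(".".join(labels[i:]) in BLACKHOLE_DOMAINS for i in range(len(labels)))


def _token(addr):
    # Assumption (not in the message): a keyed tag binding the link to one address.
    return hmac.new(SECRET, normalize(addr).encode(), hashlib.sha256).hexdigest()[:32]


def unsub_url(addr):
    """Unsub page link with the address URL-encoded and pre-loaded."""
    return UNSUB_PAGE + "?" + urlencode({"email": normalize(addr), "t": _token(addr)})


def verify_unsub(url):
    """Return the address if the link is one this system issued, else None."""
    q = parse_qs(urlsplit(url).query)
    addr, tok = q.get("email", [""])[0], q.get("t", [""])[0]
    ok = addr and hmac.compare_digest(tok.encode(), _token(addr).encode())
    return addr if ok else None


def subscribe(addr, roster):
    """Web-form subscribe: drop blackholed addresses, else add and build the welcome text."""
    if is_blackholed(addr):
        return None
    roster.add(normalize(addr))
    return "Welcome. To leave the list, open:\n" + unsub_url(addr)
```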