On Tue, 15 Jun 2004 15:26:00 -0400, James P. Howard, II wrote:
> I've toyed with keeping a whitelist of accepted PGP keys and only accepting email from users who provide a valid signature. Is this even somewhat reasonable?

I wouldn't think that'd be too difficult to put together.

After I sent my message I thought "what else could Terry do if he was really desperate to implement a screen?" and came up with this (FWIW):

(warning: lots of work and hardly worth the effort unless a whole lot of spoofing is going on)

1) go through all the list's archives and match information in the bottom-most Received: line to the subscriber's address. Keep all of this in a database (not the dist file).
2) when a post comes in, check to see if the Received:-line information matches any of the stored values for that subscriber -- if so, accept the message
3) if it doesn't match but the sender is in the subscriber list, then send the message for moderator approval and add the Received:-line info to the database
4) if not approved -- dump the message to a spamfile

It's still not going to be proof against a determined spoofer but should eliminate the casual spammers.

Rich
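
Added example, not part of Rich's message or of any list software: the four-step screen above in Python. It assumes the stored "information" is the bracketed IP literal in the bottom-most Received: line and that a new origin is recorded only once the moderator approves; all function names and sample messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")  # bracketed IPv4 literal

def parse(raw):
    """Return (sender address, IP from the bottom-most Received: line or None)."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    received = msg.get_all("Received") or []
    m = _IP.search(received[-1]) if received else None
    return sender, (m.group(1) if m else None)

def build_db(archive, subscribers):
    """Step 1: map each subscriber to the origins seen in archived posts."""
    known = {}
    for raw in archive:
        sender, origin = parse(raw)
        if sender in subscribers and origin:
            known.setdefault(sender, set()).add(origin)
    return known

def screen(raw, subscribers, known):
    """Steps 2-3: accept a known origin, otherwise hold for the moderator."""
    sender, origin = parse(raw)
    if sender not in subscribers:
        return "not-subscriber"  # assumption: left to the list's existing policy
    if origin and origin in known.get(sender, ()):
        return "accept"
    return "moderate"

def moderated(raw, approved, known):
    """Steps 3-4: learn the origin on approval, else route to the spamfile."""
    sender, origin = parse(raw)
    if not approved:
        return "spamfile"
    if origin:
        known.setdefault(sender, set()).add(origin)
    return "post"

def make(sender, ip):  # constructed sample message, documentation addresses only
    return ("Received: from relay.example ([203.0.113.5]) by lists.example\n"
            f"Received: from client.example ([{ip}]) by relay.example\n"
            f"From: {sender}\nSubject: test\n\nbody\n")

SUBSCRIBERS = {"alice@example.org"}
KNOWN = build_db([make("alice@example.org", "192.0.2.10")], SUBSCRIBERS)
```

Only Received: lines added by relays the list operator controls are trustworthy; the bottom-most line is written by the sending side, which is why the screen stops casual spoofing only.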