Dear List Members,
We hope you will recommend membership in the Cleveland Park Listserv to anyone you know who has any kind of connection to Cleveland Park – even if it’s just “I like those turrets on some of the old houses” – and it's also fine to have any kind of connection to any of the other neighborhoods of this ward. We’ve always wanted the CP Listserv to be as big and as inclusive as possible, and so we’ve never put up any hurdles to membership. It’s free, and anyone can sign up – no matter where they live – and they don’t need to give a reason for joining.
Of course, all internet forums, in this age of hackers, spammers, and trolls, need protection from bad actors, and we thought we had all the protection we needed by setting up the listserv so that all messages are screened before posting. Since our membership list is private, inaccessible even to other members, we didn’t see the need to screen people when they joined.
Well, that was then, this is now -- and now we’ve learned that Groups.io has been the object of a malware attack. It’s actually been going on for a few months. Someone – or possibly some group of hackers – has written a program that invents fake email addresses and signs them up to all kinds of groups at Groups.io – but always groups with unrestricted membership policies. Like the Cleveland Park Listserv. Like many others, as well. Once these fake email addresses are members, they receive our messages and then pass those messages along to randomly chosen non-members all around the country. At first, the non-members who were getting our messages were all AOL account holders. But lately the problem has ramped up a bit, and now we’re hearing from Yahoo account holders, too, who complain that someone is sending them CP Listserv messages that they never signed up for.
In the beginning this was just an occasional thing. Perhaps once or twice a week, we’d hear from someone who received a few of our messages without signing up. We’d ask the person to send us an example of a message they received. It always turned out to be some perfectly innocuous message from a poster -- the standard sort of thing you see all the time -- asking for a contractor recommendation, or looking for some hard-to-get food item, or maybe talking about that darned service lane. We’d look at the sample message, and see the name of the subscriber at the bottom of the message, and it would turn out to be a fake email address. So we’d ban that address. And we’d think, “Great! Problem over!” And then a week later, it would happen again, with another fake email address, and another annoyed non-member.
The fake email addresses tended to conform to a certain pattern – a first name / last name followed by 3 random letters at AOL.com or AIM.com. So we started deleting any new members that fit that pattern. And again, we thought the problem was solved.
But now things seem to be getting worse. Fake email addresses have been cropping up with a number of variations on the pattern, or not fitting any pattern at all. And worse, some of our members have received harassing off-list replies to their posts. A person would post a perfectly ordinary message, for example, seeking passes to a museum, and that message would be passed along by the malware/fake email address to some unwilling recipient in Iowa or Oregon, and that person, quite incensed at receiving a request from a complete stranger in Washington, DC, would hit the reply button and accuse the poster of spamming them. “Stop emailing me!” they’d demand. And the poor poster would have no idea what was going on. (This happens because the reply default on the listserv is “reply to sender”).
For some time I’ve been sending out template notes explaining this whole sorry mess – with one sort of note that goes to the poster who asks, “Why did my message go to this non-member?” and another to the non-member who asks, “Why am I being spammed by the Cleveland Park Listserv?”
All the while we’ve been waiting on the owners/software engineers at Groups.io to figure out how this malware program works and root it out of their system. We know they’re working on it – just haven’t licked it so far. We know that they’ve been banning fake email memberships at the global level – because sometimes after I get a complaint about one of our misdirected messages, I go to the membership list to ban the fake email address, and I see it isn’t there. When I check the list of past members, I see that the higher-ups at Groups.io have already banned that address throughout the Groups.io system.
But I’ve come to the conclusion it’s time to stop waiting for them to get to the bottom of this. Time to stop letting fake email addresses slip into our membership in the first place, banning them after some damage has already been done. Time to zap them before they join.
Hence the change from “Anyone can join” to “New members must apply for membership.”
In a way, it’s swapping one chore for another. Instead of waiting for complaints and banning fake members – a few times a week -- I’ll be looking at membership applications multiple times a day. The CP Listserv usually grows by 2 or 3 (legitimate) members a day. Of course, we do expect to see a decline in the growth of the Listserv, once people can’t just join at will; we know that lots of people won’t jump through any hoops to sign up for a listserv. So that’s the downside. But the upside will be, at long last, the end to this hacker’s malware mischief.
Well, this is a rather long-winded explanation for the demise of our old open membership policy. And I will have even more to say about it tomorrow, in my “Still Life with Robin” column (if you’re interested).
Thanks for sticking with us this far! And if you have received a complaint from someone who got your listserv post by mistake --and you didn’t previously write to me to let me know about it-- well, now you know what that was all about!
Best to all!
The Cleveland Park Listserv
CP Home Page: https://groups.io/g/clevelandpark
CP Info Pages: www.cleveland-park.com