With Mike's permission, I am moving this over to gossip because it is of general interest. Like everything else, I think this boils down to cost versus benefit.

The reply to button in message pages was used 610 times yesterday. I don't know a better way to commiserate with someone whose pet bunny rabbit had an impacted molar back in 2002 on a defunct mailing list.

http://www.mail-archive.com/petbu...@lsv.uky.edu/msg00382.html

We have several mechanisms in place to discourage automated abuse. They include using HTTP POST, deliberately slowing down the response of the Reply To button, and two others. Most important is keeping one ear to the ground and watching for trouble. So far we haven't had any.

Is this a guarantee? No. You are totally correct that a bad guy can get an email address. If she just wants one, it is trivial. And yes, an email address along with knowledge of the recipient could aid targeted phishing.

>That way you cannot contribute in any way to the loss of someone's
>bank account and credit card finances.

Airport security in the US has passengers remove shoes, but doesn't go so far as strip searching everyone. That's where they draw their line. M-A draws the line to include the Reply-To button. Because at this point we think cost / benefit is in favor. It can be a dangerous world out there, but living in fear is no picnic either.

On Sun, Jan 31, 2010 at 6:03 PM, Mail Archive Support wrote:
> ---------- Forwarded message ----------
> From: Mike Monett
> Date: Thu, Jan 28, 2010 at 7:57 PM
> Subject: Re: Hi, I have a question
> To: Mail Archive Support
>
>
> >Hi Mike,
> >
> > Thanks for writing. The reply button generates a mailto: link that
> > is to the original poster only, not the whole list. It's not
> > intended to allow people to post to the list - to do that, you
> > need to subscribe to the list and post yourself.
> >
> > The reason we use the reply button to generate the email address
> > is to make life difficult for spammers. We avoid having plaintext
> > emails in The Mail Archive as a form of protection from
> > email-harvesting spam bots.
> >
> > Hope this info helps.
> >
> >Tom
> >Support
> >The Mail Archive
>
> Hi Tom,
>
> Thanks for taking the time to reply. I understand your explanation,
> but I wonder why you want to have a reply button. I can see a very
> serious problem if someone looks at the messages and forges the name
> and email address of someone that person is talking with.
>
> He can easily send a pdf saying "Hi Dave, I did some studies on this
> and here is my data." Since the message comes from a trusted source
> who appears to be part of the group discussion, Dave will not
> hesitate to open it.
>
> Only the pdf has a virus that takes control of Dave's computer.
>
> After stealing his bank account and credit card info, he can wipe
> out his entire savings. He can then send the same pdf to others in
> the group, masquerading as Dave. Then use their pc's in a botnet to
> spam others.
>
> The same thing could happen if someone subscribed to the mailing
> list. I often get phishing emails from the different mailing lists
> that I subscribe to. But I use an email client that is ascii only,
> and it will not even try to open a html file, or display a gif or
> png, or try to open a pdf file. It allows me to check the file
> first, and verify it is OK. If you are interested, the program is
> called Pimmy, and it has saved my bacon many times when someone
> sends me a gif that starts with the letters "MZ".
>
> Registering to join a mailing list takes time and is a lot more
> trouble than simply browsing your archives. There could be a record
> somewhere of the registration, so it might be possible to track the
> person down.
>
> But anyone can browse your archives. You even provide lists so
> people can check for active groups to have a better chance of
> finding potential victims. And it would be extremely difficult to
> trace anyone who used your archives to send phishing emails.
>
> I really think you should consider modifying your software to
> eliminate the possibility of strangers getting someone's email
> address.
>
> If someone wants to contact a person legitimately, let them join the
> mailing list and contact them through it instead.
>
> That way you cannot contribute in any way to the loss of someone's
> bank account and credit card finances.
>
> To close, I really have to congratulate you on the best mail archive
> service I have found. There is a very good reason you are at the top
> of the list in google. You have an outstanding and very professional
> operation. I hope I can convince our list owner to join!
>
> Thanks,
>
> Mike Monett
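
Added example, not part of the original thread or of any software mentioned in it: a sketch of the manual check described in the quoted message, comparing each attachment's leading bytes with the type its filename claims and flagging anything that starts with "MZ" (the DOS/Windows executable header). The function names, addresses, and attachment bytes are constructed for the demonstration.

```python
from email.message import EmailMessage

# Leading bytes ("magic numbers") for the file types named in the thread.
MAGIC = {
    ".gif": (b"GIF87a", b"GIF89a"),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".pdf": (b"%PDF-",),
}
EXECUTABLE_MAGIC = b"MZ"  # header of DOS/Windows executables


def check_attachments(msg):
    """Return (filename, verdict) for every attachment in msg, in order."""
    results = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        ext = name[name.rfind("."):] if "." in name else ""
        if data.startswith(EXECUTABLE_MAGIC):
            verdict = "executable"      # e.g. a ".gif" that is really a program
        elif ext in MAGIC and not data.startswith(MAGIC[ext]):
            verdict = "mismatch"        # content does not match claimed type
        elif ext in MAGIC:
            verdict = "ok"
        else:
            verdict = "unknown-type"    # no signature on file for this extension
        results.append((name, verdict))
    return results


def build_sample():
    """Constructed sample message; attachment bytes are made up for the demo."""
    msg = EmailMessage()
    msg["From"] = "dave@example.org"
    msg["To"] = "list-member@example.org"
    msg["Subject"] = "here is my data"
    msg.set_content("I did some studies on this and here is my data.")
    msg.add_attachment(b"GIF89a\x01\x00\x01\x00", maintype="image",
                       subtype="gif", filename="plot.gif")
    msg.add_attachment(b"MZ\x90\x00\x03\x00", maintype="image",
                       subtype="gif", filename="chart.gif")
    msg.add_attachment(b"<html>not a pdf</html>", maintype="application",
                       subtype="pdf", filename="study.pdf")
    return msg


if __name__ == "__main__":
    for name, verdict in check_attachments(build_sample()):
        print(f"{name}: {verdict}")
```

A matching signature only shows the file begins like the claimed type; it says nothing about whether the rest of the content is safe to open.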