On 2/27/01 11:16 PM, "David Sharp" <[EMAIL PROTECTED]> wrote:

> [Indeed I wonder to what extent the current dotcom meltdown is
> leading to mass violations of that type. But that's probably outside
> the scope of this list.]
> 
> However in the nature of things, I assume it's probably very
> difficult for anyone to ever prove that someone has stolen or sold a
> membership list.

Not really, not with a little planning.

There are a number of people who are very privacy-sensitive. Some of them
actually create unique usernames for every list and site they're on. End
result: they know exactly where mail comes from, because it's uniquely
identified for them. And if it leaks, you can be sure, they'll let you know.

But admins who are worried about leakage should do what companies have done
for years: salt your data. You can subscribe AOL, or hotmail, or yahoo, or
(name your favorite free email) names that are ONLY used for the specific
purpose of trapping leakage. The problem, of course, is that those addresses
can (and do) leak in other ways -- I know I've never given out my AOL name,
I know it's never been used for anything by anyone who could leak it, and
yet, you don't want to know how much spam I get there. So even though your
leak account 'leaks', you have to worry about whether you leaked, or whether
the host leaked. 

My preference is to salt my lists (and archives!) with addresses at a
friendly domain that I can trust, is hopefully not easily attached to any
domain I'm attached to, and which doesn't call attention to itself.

That way, you can catch people who somehow get your address list or harvest
your archives (your archives are behind a password and locked out of global
search engines, right? If not -- don't bother trying to protect them, you've
already lost). (Digression -- if you post to list-managers, you will get
spammed, because the archives are wide-open, and are indexed in the global
search engines, and so the archives can be harvested because your e-mail
address has been published out to sites that you can't control access to,
and neither can Mike as admin of list-managers, because list-managers is on
mail-archive.com, which is wide open. If you want to scare yourself, wander
through the major search engines and search on your email address -- because
you can be sure the spam harvesters do, and you'll find out how often your
carefully protected address is handed to them on a silver platter...
Wide-open archives are a long tradition with mail lists, and a rotten thing
to do on today's internet, and a much bigger issue than amazon's privacy
policy and some of the other strawmen that people yell about. Makes you
wonder how many list managers who scream about privacy are doing a worse job
for their users than the sites they scream about, but I won't go there....
End digression)

It won't catch folks who harvest by subscribing and sucking postings; to do
that, you actually have to post. Whether you do or not depends on lots of
factors, since it has other privacy and legitimacy issues, since you're (as
admin) going from salting your list with test addresses to creating a
falsified identity on your own list. That's going to honk some people off if
they find out. 

What do I do? That would be telling. Other than saying my archives are
behind a password, are protected by a robots.txt, and aren't in the global
search engines or anywhere the spambots can get to without a lot of work,
but that I also have to find an EASIER way for users to get to them, because
the current system sucks -- but I'm not doing away with it until I can make
it easier without cutting security...

Chuq (who's going to get yelled at again, I'll bet...)

-- 
Chuq Von Rospach, Internet Gnome <http://www.chuqui.com>
[<[EMAIL PROTECTED]> = <[EMAIL PROTECTED]> = <[EMAIL PROTECTED]>]
Yes, yes, I've finally finished my home page. Lucky you.

Funny, I don't remember being absent minded.
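
The salting scheme described in the message above, as an added example that is not part of the original post: each list gets one trap address planted only in its subscriber roster and another planted only in its archive, so mail arriving at a seed says which copy leaked. The key, the trap domain, the name tables and the list names are all constructed assumptions.

```python
import hashlib
import hmac

# Assumptions (not from the post): key, trap domain and name tables are constructed.
SECRET = b"constructed-demo-key"    # keep the real key off the list server
TRAP_DOMAIN = "friendly.example"    # trusted domain, unrelated to the list host
FIRST = ["anna", "brian", "carol", "dave", "ellen", "frank", "gina", "henry"]
LAST = ["moore", "reyes", "walsh", "nolan", "price", "tate", "ford", "lane"]

def seed_address(list_name, channel, n=0):
    """Derive the trap address for one (list, channel) pair.

    channel is "roster" (planted only in the subscriber list) or "archive"
    (planted only in the archive), which separates a stolen membership
    list from a harvested archive.
    """
    msg = f"{list_name}|{channel}|{n}".encode()
    tag = hmac.new(SECRET, msg, hashlib.sha256).digest()
    # Ordinary-looking local part, so the seed does not call attention to itself.
    first = FIRST[tag[0] % len(FIRST)]
    last = LAST[tag[1] % len(LAST)]
    return f"{first}.{last}{tag[2] % 90 + 10}@{TRAP_DOMAIN}"

def build_index(list_names):
    """Map every seed address back to the (list, channel) it was planted in."""
    index = {}
    for name in list_names:
        for channel in ("roster", "archive"):
            n = 0
            while (addr := seed_address(name, channel, n)) in index:
                n += 1  # rare clash in the small name space: take the next candidate
            index[addr] = (name, channel)
    return index

def attribute(recipient, index):
    """Return (list, channel) for mail delivered to a seed address, else None."""
    return index.get(recipient.strip().lower())

if __name__ == "__main__":
    idx = build_index(["gardening", "sysadmin"])    # constructed list names
    for addr, source in idx.items():
        print(addr, "->", source)
    # Constructed inbound recipient: spam that arrived at one of the seeds.
    hit = next(iter(idx))
    print("leak source for", hit, "=", attribute(hit, idx))
```

Because the addresses are derived from a key, the index can be rebuilt at any time without storing the seed list anywhere near the list software.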

