Steve Murphy wrote:
> I've noticed in the mailman-users archives, that if I view info
> by thread (using the mailman archives as an example, which site is
> 2.1.10-based), that all email addresses are present, but with a simple
> obfuscation (the "@" has been changed to " at "). I can't help but think
> that this simple obfuscation is a joke. Any harvester written in the
> past number of years would be smart enough to capture such accurately.
This is a well-known weakness. Please feel free to upload a suggested patch
to <http://sourceforge.net/tracker/?atid=300103&group_id=103&func=browse>,
or at least file a Request For Enhancement at
<http://sourceforge.net/tracker/?atid=350103&group_id=103&func=browse>.
> When viewing the developer's archives, I note that when a message is
> displayed singly, it is common to see [EMAIL PROTECTED].
That's the external searchable archives provided by mail-archive.com, which
is actually available for both mailman-users and mailman-developers.
> The gzip'd archives by month for both lists show all email
> addresses, with the " at " obfuscation.
Yup. That's part of the standard internal pipermail archiving process.
> Within MINUTES of my first posting on asterisk-users, I was getting spam
> on an email address that was brand-new. Since then, the spam volume
> on that email addr just keeps growing.
We've known that this weakness was a potential issue for years. However, I
don't recall our ever hearing a specific case where this weakness was
actually being exploited.
If you look at those "patches" and "RFE" pages, you'll note that there are a
large number of things that people want from Mailman (200-300 things or more
per category), and since this is a 100% volunteer-supported project, our
developers have limited time and resources to be able to devote to fixing
each and every little thing that people have asked for.
> We need to rethink how we can adequately keep emails out of spammers' hands.
Even with better obfuscation, the spammers will always be able to silently
subscribe to the lists and harvest addresses that way. There's no way to
stop them from doing that.
> And, yes, it's kinda unhandy to read a message and not be able to fire an email
> off to the author directly. But to make it easy for list subscribers is to
> make it easy for spammers, who probably have already joined the list, and are
> delighted to get email addresses, any which way they can.
We can't obscure messages that we send out. Otherwise, they wouldn't get
delivered. You do have to have some basic understanding of how Internet
e-mail works before you can talk intelligently about what could or should be
done.
> We need to lock down mailman, or at least make it an option! Simply put,
> in messages sent to users, the only email that should be found anywhere
> in a received message, is the recipient's.
If a list admin chooses, they can always enable anonymization. But there's
a reason why no one wants to do this. Go talk to the people running
anonymized lists to understand that problem more fully.
On a more general note, the more you break Internet e-mail in order to try
to stop the spammers, the more the bastards win.
You're continuing to make the critical mistake that everyone else does,
which is that you're trying to solve an inherently non-technical problem
with technical means. And that is a recipe for guaranteed disaster.
Spam is just another form of con job. And if the "oldest profession" is
prostitute, then the second oldest profession has to be "con artist". Con
jobs have been going on for thousands of years, and there's no evidence that
they will ever stop being perpetrated, at least not so long as our species
continues to have at least one member still alive.
So, you're not *EVER* going to get rid of spam. Give that fight up right
now. The best you can do is to try to cut it down to a dull roar, and make
sure that you're not one of the lower-hanging fruit.
Then always keep in the back of your mind that a sufficiently determined
attacker can get through the deepest and most powerful defenses -- if they
can assassinate presidents and other government leaders, then they can
certainly get through any defenses that people like you and me can afford to
create.
--
Brad Knowles <[EMAIL PROTECTED]>
Member of the Python.org Postmaster Team & Co-Moderator of the
mailman-users and mailman-developers mailing lists
------------------------------------------------------
Mailman-Users mailing list
Mailman-Users@python.org
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Security Policy:
http://www.python.org/cgi-bin/faqw-mm.py?req=show&file=faq01.027.htp