On January 2, 2004 at 20:57, Chuq Von Rospach wrote:

> maybe. Or maybe you do the work and find you merely made it harder, so
> they had to throw another thousand machines at the problem. Which they
> happily can. My argument is that anything that "solves" the problem
> through computational complexity doesn't really solve it, not when the
> enemy can write trojan horses that can link hundreds of thousands of
> machines together and control what they do. Asking them "hey? want the

You are mixing two problems.

As for more machines, that increases the cost to spammers, which many anti-spam proposals attempt to do, like hashcash. I.e. Spammers do what they do because it is cheap. If you can increase the cost of sending, it will eliminate much spam.

As for trojans/worms/viruses, that is criminal activity and laws already exist to deal with it, so only criminal-minded spammers will attempt such things, and even for those that do, there are technical measures to mitigate the damage. For example, ISPs block SMTP traffic from personal home-based customers.

> data this much? how about this much?" is a waste of resources and
> creates a false sense of security. and it might work -- now -- but for
> how long? Better to look for solutions that don't use the phrase "fixes
> it for now" in them, and not have to re-engineer again down the road
> when the spammers get around to cracking it.

I basically agree, therefore, I find it futile to bother obfuscating my address. The cost of dealing with spam is low for me while obfuscating my addresses and making it more difficult for people to contact me is not worth the cost.

> since privacy of e-mail addresses has become such a hot button because
> of the spammer issue, I think you need to think about how your tools
> are contributing to users being harvested by spammers, and how you can
> set an example to try to solve those problems. not that this is a
> problem you caused, but you have opportunities here to help change
> mindsets around the net by defining a new acceptable standard for how
> archives handle this data -- this problem found you, but it still needs
> to be solved.

I think handling of addresses in archives is a per-archive maintainer issue since each maintainer will have a different set of requirements, goals, and policies. MHonArc should allow archive maintainers to exercise any policies they choose, not dictate them.

IMO, obfuscation techniques are generally futile, but it is not my role to make that judgement for others if others obtain a benefit from doing it and believe they are effective.

> > The only thing relevant to MHonArc is that it allows users to
> > apply whatever solutions they want.
>
> And you, as its author and developer and voice, are the person who
> needs to help people understand how to use it properly and safely. if
> they choose to ignore you, shame on them. If you don't give them that
> information, then how can they hope to figure it out on their own?

Right now, my policy of the mhonarc.org archives is to keep it open. But it is important that potential posters are properly informed of this. Therefore, I have to be convinced to change the way mhonarc.org archives are formatted, which would require a good number of people responding to me to make a change. And if that happens, I will probably take the approach of stripping/masking addresses out vs any obfuscation since I do not want to bother revisiting the problem as spammers become more sophisticated.

> > The mhonarc.org lists are not private lists. MHonArc is an open
> > source project, and all the lists are intended to be as open as
> > possible.
> So you think it's okay to hand all of your subscribers to the spammers
> in the name of open source?

People can subscribe, but never post. And since I document that any posts will be archived in a public manner, it is the choice of the poster if they want to take the risk of dealing with spam when posting. The subscriber list itself is not public.

> you can keep the ARCHIVES open, without handing privacy data off to
> those you can't trust. This isn't an either-or situation. it's a
> question of how to build things to both protect users from those trying
> to harm them AND distribute the key information. Both are possible.

Right now, if someone wants their address to be private, then they should not post to the list, or to any Net-based mailing list for that matter, since any message to mailing lists can be posted on the Net by someone.

To summarize, if there is enough demand by users that the lists will become useless, I will hide addresses. However, users must realize that my hiding of addresses on the mhonarc.org archives provides *no guarantees* that their address will be protected since I do not have control over what others do to messages sent to the list. The open nature of the list provides no false impressions about address privacy and makes the risks clear to anyone who chooses to post.

--ewh