Re: Modern best practice for putting a contact email on the web
On Tue, 6 Apr 2021 08:18:29 +0200 wrote:
> On Tue, Apr 06, 2021 at 10:07:20AM +0900, 황병희 wrote:
> > Hello,
> >
> > Celejar writes:
> >
> > > Hi,
> > >
> > > What's the recommended modern best practice for putting a contact email
> > > address on the web while avoiding having it scraped by spam / fraud
> > > bots?
> >
> > Personally I use Gmail. That is all.
>
> Personally, I think that Gmail is bad, because it not only
> harvests your data (you gave them your permission), but also
> mine (I didn't ;-)

I agree - I do still use it, but only for some list traffic that's public anyway.

Celejar
Re: Modern best practice for putting a contact email on the web
On Tue, 6 Apr 2021 11:31:29 +0500 "Alexander V. Makartsev" wrote:
> On 06.04.2021 01:14, Celejar wrote:
> >> On Mon, 5 Apr 2021 15:51:28 -0400
> >> Dan Ritter wrote:
> >> Because it doesn't work. If it worked as well as, say, moving your
> >> SSH port*, I would encourage it. It does not.
> > Source? Is this your personal experience, or do you have some other
> > basis for this? Cloudflare, for example, asserts that:
> >
> > "Cloudflare Email Address Obfuscation helps in spam prevention by
> > hiding email addresses appearing in your pages from email harvesters
> > and other bots, while remaining visible to your site visitors."
> >
> I think you see the spam problem from the wrong perspective.
> You might think "spammer" is a person with some home brewed script that
> preys upon unsuspecting web-sites.

I understand that they use sophisticated bots, not home-brewed scripts.

> Spam is a whole industry and there are large spam groups who make profit
> from spam alone. They are capable of creating private and commercial
> applications for data-mining and constantly update them with new tricks
> to fight new obfuscation methods for example.
> They use collected data to create databases of emails (categorize them,
> add country\area information, etc) which later could be traded among
> spam community members and\or sold to companies who want to implement
> aggressive advertisements.
> So once your email, even if it was obfuscated, gets into said databases
> there is no escape from spam.
> This is the reason why obfuscation doesn't work.

I understand your points, but at the end of the day, it still seems plausible to me that obfuscation could reduce (not eliminate, of course) the prevalence of a posted address in their various lists. I have a number of email addresses, and some get a lot more spam than others, so there's apparently no one central, authoritative spammer list that all email addresses quickly end up on.

I do understand the consensus here, though, of people with more experience than I have, that obfuscation today is of little or no value.

Here are some other discussions of the question I've come across, although some are ancient:

https://www.w3.org/blog/systeam/2008/09/11/email_address_obfuscation/
https://stackoverflow.com/questions/748780/best-way-to-obfuscate-an-e-mail-address-on-a-website
https://blog.mailtrap.io/email-obfuscation/

Celejar
Re: Modern best practice for putting a contact email on the web
On Tue, 6 Apr 2021 at 16:18, wrote:
> Personally, I think that Gmail is bad, because it not only
> harvests your data (you gave them your permission), but also
> mine (I didn't ;-)

Hi all,

I completely agree with this statement, for private email. It is an excellent point.

Whereas when subscribing to, and interacting with, a public mailing list such as this one, I felt that this concern does not apply.

So I invite anyone who thinks differently to share their perspective on this point. I would be genuinely pleased to hear any differing opinions on that, in case there is anything that I have overlooked.

Thanks :)
Re: Modern best practice for putting a contact email on the web
On 06.04.2021 01:14, Celejar wrote:
>> On Mon, 5 Apr 2021 15:51:28 -0400
>> Dan Ritter wrote:
>> Because it doesn't work. If it worked as well as, say, moving your
>> SSH port*, I would encourage it. It does not.
> Source? Is this your personal experience, or do you have some other
> basis for this? Cloudflare, for example, asserts that:
>
> "Cloudflare Email Address Obfuscation helps in spam prevention by
> hiding email addresses appearing in your pages from email harvesters
> and other bots, while remaining visible to your site visitors."

I think you see the spam problem from the wrong perspective.
You might think "spammer" is a person with some home brewed script that preys upon unsuspecting web-sites.
Spam is a whole industry and there are large spam groups who make profit from spam alone. They are capable of creating private and commercial applications for data-mining and constantly update them with new tricks to fight new obfuscation methods for example.
They use collected data to create databases of emails (categorize them, add country\area information, etc) which later could be traded among spam community members and\or sold to companies who want to implement aggressive advertisements.
So once your email, even if it was obfuscated, gets into said databases there is no escape from spam.
This is the reason why obfuscation doesn't work.

--
With kindest regards, Alexander.

⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁ Debian - The universal operating system
⢿⡄⠘⠷⠚⠋⠀ https://www.debian.org
⠈⠳⣄
Re: Modern best practice for putting a contact email on the web
On Tue, Apr 06, 2021 at 10:07:20AM +0900, 황병희 wrote:
> Hello,
>
> Celejar writes:
>
> > Hi,
> >
> > What's the recommended modern best practice for putting a contact email
> > address on the web while avoiding having it scraped by spam / fraud
> > bots?
>
> Personally I use Gmail. That is all.

Personally, I think that Gmail is bad, because it not only harvests your data (you gave them your permission), but also mine (I didn't ;-)

> Thanks for reading my thought ^^^

Now, I think The Balance™ is restored :-)

Cheers
- t
Re: Modern best practice for putting a contact email on the web
On Mon, 05 Apr 2021 21:31:16 -0400 Stefan Monnier wrote:
> > I use some GMX accounts, and they apparently don't support plus
> > addressing (I just tried, and the message was refused with "550
> > Requested action not taken: mailbox unavailable."). I suppose it would be
> > nice if they did support it, but I can't really fault them for not
> > supporting a non-standard Google invention.
>
> It predates Google by a long shot.
> It was a fairly standard config option back in the days of sendmail+procmail.

Thanks for the correction. I just haven't been able to figure out how much of a "standard" it actually is. Some RFCs (e.g., https://tools.ietf.org/html/rfc5233) acknowledge it as existing ("On email systems that allow for 'subaddressing' or 'detailed addressing' (e.g., "ken+si...@example.org") ..."), but it doesn't seem to be a formal standard.

Celejar
Re: Modern best practice for putting a contact email on the web
> I use some GMX accounts, and they apparently don't support plus
> addressing (I just tried, and the message was refused with "550
> Requested action not taken: mailbox unavailable."). I suppose it would be
> nice if they did support it, but I can't really fault them for not
> supporting a non-standard Google invention.

It predates Google by a long shot.
It was a fairly standard config option back in the days of sendmail+procmail.

Stefan
Re: Modern best practice for putting a contact email on the web
Hello,

Celejar writes:

> Hi,
>
> What's the recommended modern best practice for putting a contact email
> address on the web while avoiding having it scraped by spam / fraud
> bots?

Personally I use Gmail. That is all.

Thanks for reading my thought ^^^

Sincerely, Byung-Hee

--
^고맙습니다 _和合團結_ 감사합니다_^))//
Re: Modern best practice for putting a contact email on the web
On Mon, 5 Apr 2021 19:39:43 -0400 Dan Ritter wrote:
> Celejar wrote:
> > On Mon, 5 Apr 2021 15:51:28 -0400
> > Dan Ritter wrote:
> >
> > > > Okay, but why isn't trying to limit spammers getting hold of an address
> > > > a logical part of a defense in depth strategy?
> > >
> > > Because it doesn't work. If it worked as well as, say, moving
> > > your SSH port*, I would encourage it. It does not.
> >
> > Source? Is this your personal experience, or do you have some other
> > basis for this? Cloudflare, for example, asserts that:
> >
> > "Cloudflare Email Address Obfuscation helps in spam prevention by
> > hiding email addresses appearing in your pages from email harvesters
> > and other bots, while remaining visible to your site visitors."
>
> Source: experience from being actively involved in the Internet
> for 25 years, including time on anti-spam initiatives at BBN and
> Akamai, various mail anti-abuse working groups (now
> https://www.m3aawg.org/ which I'm not currently involved with
> particularly) and running personal and corporate mail servers
> for most of that time.

Sounds good to me :)

> > > OK, use tagged addresses. Gmail has that feature for free.
> > >
> > > page and tell Gmail to spam-bin the old address.
> >
> > Worth considering, certainly. I try to avoid Gmail as much as possible
> > (I know that I'm still using it for d-u), but I can check to see
> > whether the other email providers I use support plus addressing.
>
> The good ones will. The best ones will also offer - addressing
> on the same terms. Turns out that a bunch of idiots think that +
> is not a valid mail left-hand-side character, but - is.

I use some GMX accounts, and they apparently don't support plus addressing (I just tried, and the message was refused with "550 Requested action not taken: mailbox unavailable."). I suppose it would be nice if they did support it, but I can't really fault them for not supporting a non-standard Google invention.

Celejar
Re: Modern best practice for putting a contact email on the web
On Mon, 2021-04-05 at 20:18 -0400, Dan Ritter wrote:
> Jim Popovitch wrote:
> > On Mon, 2021-04-05 at 19:39 -0400, Dan Ritter wrote:
> > With experiences like that, you should be already well on your way to
> > taking care of this:
> >
> > https://www.spamhaus.org/css/removal/record/2600:3c03::f03c:91ff:fe25:c4ae
> >
> > Your emails keep going into Spam/Bulk folders. :)
>
> They do that every so often. Spamhaus doesn't like Linode, and I
> have a VM there that occasionally forwards mail for me.
>
> I ask them to unban it, they do, then a few weeks or months
> later they blanket-ban Linode again.
>
> If it were more of an issue for me, I might consider switching.

Try sending via ipv4 only to lists.d.o, etc.

-Jim P.
Re: Modern best practice for putting a contact email on the web
Jim Popovitch wrote:
> On Mon, 2021-04-05 at 19:39 -0400, Dan Ritter wrote:
> With experiences like that, you should be already well on your way to
> taking care of this:
>
> https://www.spamhaus.org/css/removal/record/2600:3c03::f03c:91ff:fe25:c4ae
>
> Your emails keep going into Spam/Bulk folders. :)

They do that every so often. Spamhaus doesn't like Linode, and I have a VM there that occasionally forwards mail for me.

I ask them to unban it, they do, then a few weeks or months later they blanket-ban Linode again.

If it were more of an issue for me, I might consider switching.

-dsr-
Re: Modern best practice for putting a contact email on the web
On Mon, 2021-04-05 at 19:39 -0400, Dan Ritter wrote:
> Celejar wrote:
> > On Mon, 5 Apr 2021 15:51:28 -0400
> > Dan Ritter wrote:
> >
> > > > Okay, but why isn't trying to limit spammers getting hold of an address
> > > > a logical part of a defense in depth strategy?
> > >
> > > Because it doesn't work. If it worked as well as, say, moving
> > > your SSH port*, I would encourage it. It does not.
> >
> > Source? Is this your personal experience, or do you have some other
> > basis for this? Cloudflare, for example, asserts that:
> >
> > "Cloudflare Email Address Obfuscation helps in spam prevention by
> > hiding email addresses appearing in your pages from email harvesters
> > and other bots, while remaining visible to your site visitors."
>
> Source: experience from being actively involved in the Internet
> for 25 years, including time on anti-spam initiatives at BBN and
> Akamai, various mail anti-abuse working groups (now
> https://www.m3aawg.org/ which I'm not currently involved with
> particularly) and running personal and corporate mail servers
> for most of that time.

With experiences like that, you should be already well on your way to taking care of this:

https://www.spamhaus.org/css/removal/record/2600:3c03::f03c:91ff:fe25:c4ae

Your emails keep going into Spam/Bulk folders. :)

Best wishes,

-Jim P.
Re: Modern best practice for putting a contact email on the web
Celejar wrote:
> On Mon, 5 Apr 2021 15:51:28 -0400
> Dan Ritter wrote:
>
> > > Okay, but why isn't trying to limit spammers getting hold of an address
> > > a logical part of a defense in depth strategy?
> >
> > Because it doesn't work. If it worked as well as, say, moving
> > your SSH port*, I would encourage it. It does not.
>
> Source? Is this your personal experience, or do you have some other
> basis for this? Cloudflare, for example, asserts that:
>
> "Cloudflare Email Address Obfuscation helps in spam prevention by
> hiding email addresses appearing in your pages from email harvesters
> and other bots, while remaining visible to your site visitors."

Source: experience from being actively involved in the Internet for 25 years, including time on anti-spam initiatives at BBN and Akamai, various mail anti-abuse working groups (now https://www.m3aawg.org/ which I'm not currently involved with particularly) and running personal and corporate mail servers for most of that time.

> > OK, use tagged addresses. Gmail has that feature for free.
> >
> > page and tell Gmail to spam-bin the old address.
>
> Worth considering, certainly. I try to avoid Gmail as much as possible
> (I know that I'm still using it for d-u), but I can check to see
> whether the other email providers I use support plus addressing.

The good ones will. The best ones will also offer - addressing on the same terms. Turns out that a bunch of idiots think that + is not a valid mail left-hand-side character, but - is.

-dsr-
Re: Modern best practice for putting a contact email on the web
On Mon, 05 Apr 2021 16:50:30 -0400 Stefan Monnier wrote:
> Celejar [2021-04-05 14:49:15] wrote:
> > On Mon, 5 Apr 2021 14:12:07 -0400 Dan Ritter wrote:
> >> Celejar wrote:
> >> > What's the recommended modern best practice for putting a contact email
> >> > address on the web while avoiding having it scraped by spam / fraud
> >> > bots?
> >> Assume that every address will be hit by spammers and scammers.
> >> Put in appropriate antispam and antimalware precautions.
> > Okay, but why isn't trying to limit spammers getting hold of an address
> > a logical part of a defense in depth strategy?
>
> I think Dan is right: what he says is "the recommended modern practice".
> Defense in depth has to be weighed against the annoyance for real
> users, and sadly it's much easier to tweak a scraper once to handle
> yet-another-obfuscation-trick than it is for real users to jump through
> the same hoops (because those users only jump through those hoops once,
> so they pay the full price rather than spreading the price over
> millions of pages).
>
> >> Train your people to recognize spam and scams.
> > I'm talking about a small hobby project that I run in my spare time. I
> > just want to reduce spam to an address that I may put up to allow
> > people to reach me.
>
> The only alternative is to use something else than email, which requires
> users to have/create an account and authenticate themselves (e.g. an issue
> tracker on SourceHut).

Understood. In this particular case, at least, it will be difficult to do that, since I don't control the page in question - I just have the ability to drop some text / HTML into it. I suppose I could put a link on the page to a page that I do control, and have some type of form / login system there ...

Celejar
Re: Modern best practice for putting a contact email on the web
On Mon, 5 Apr 2021 21:57:50 +0100 Joe wrote:
> On Mon, 5 Apr 2021 16:10:05 -0400
> Celejar wrote:
>
> > On Mon, 5 Apr 2021 20:36:39 +0100
> > Joe wrote:
> >
> > > On Mon, 5 Apr 2021 14:49:15 -0400
> > > Celejar wrote:
> > >
> > > > Okay, but why isn't trying to limit spammers getting hold of an
> > > > address a logical part of a defense in depth strategy?
> > >
> > > It is, but if you are reachable then a human can enter your address
> > > on
> >
> > Yes, but humans don't scale the way bots do ;)
>
> No, but you don't care about how many other addresses are harvested,
> just about yours.

Well, actually I care about others as well ;) But my point was that if it takes a human to scrape my email address, then spammers are less likely to do it, since to scrape emails manually at scale would be prohibitively expensive, whereas if the address can be scraped by bots, then they will do it, since the cost of the bot can be amortized over lots of addresses.

> > > Unfortunately, there's nothing to beat running your own mail server,
> > > which is not particularly high-maintenance after setup. The address
> > > at the top of this email was created nearly 23 years ago, and has
> > > been used widely around the Net, including several Usenet groups. I
> > > get between one and four spams a day in my inbox. As it happens, I
> > > put a new CIDR group on my blacklist today, for the first time in
> > > perhaps a year.
> >
> > I've certainly been tempted for a while. And I suppose that receiving
> > is less problematic than sending, where one apparently has to manage
> > reputation, worry about past users of an IP address, monitor
> > blacklists, etc.
> >
> Yes, sadly that boils down to having a competent ISP, and I know that
> in some parts of the world there's not much choice. In the UK, we have
> three good ISPs, one of which is amazing but expensive. In general, if
> you can find an ISP who will provide a fixed IPv4 address at little or
> no extra cost, they probably know what they're doing.
>
> It is possible to send through a smarthost, which an ISP may provide,
> without worrying about your own address, but you lose one of the
> advantages of your own server, of having troubleshooting information
> about outgoing emails. ('My message, ID , was accepted by your
> server at xx:yy:zz two days ago... what did you do with it?')

Understood.

Celejar
Re: Modern best practice for putting a contact email on the web
On Mon, Apr 05, 2021 at 04:14:52PM -0400, Celejar wrote:
> On Mon, 5 Apr 2021 15:51:28 -0400
> Dan Ritter wrote:
>
> > Celejar wrote:
> > > On Mon, 5 Apr 2021 14:12:07 -0400
> > > Dan Ritter wrote:
> > >
> > > > Celejar wrote:
> > > > > Hi,
> > > > >
> > > > > What's the recommended modern best practice for putting a contact email
> > > > > address on the web while avoiding having it scraped by spam / fraud
> > > > > bots?
> > > >
> > > > Assume that every address will be hit by spammers and scammers.
> > > > Put in appropriate antispam and antimalware precautions.
> > >
> > > Okay, but why isn't trying to limit spammers getting hold of an address
> > > a logical part of a defense in depth strategy?
> >
> > Because it doesn't work. If it worked as well as, say, moving
> > your SSH port*, I would encourage it. It does not.
>
> Source? Is this your personal experience, or do you have some other
> basis for this? Cloudflare, for example, asserts that:

And what is their "source"? Judging by current spam pattern on the email server I administer, cloudflare (and sendgrid, google, MS) are a big contributor to spam by sneaking mail by dnsbl filter. They are rather a big part of the problem than part of a solution.

>
> "Cloudflare Email Address Obfuscation helps in spam prevention by
> hiding email addresses appearing in your pages from email harvesters
> and other bots, while remaining visible to your site visitors."

Sure, bud!

>
> https://support.cloudflare.com/hc/en-us/articles/200170016-What-is-Email-Address-Obfuscation-
>

-H

--
Henning Follmann | hfollm...@itcfollmann.com
Re: Modern best practice for putting a contact email on the web
On Mon, 5 Apr 2021 16:10:05 -0400 Celejar wrote:
> On Mon, 5 Apr 2021 20:36:39 +0100
> Joe wrote:
>
> > On Mon, 5 Apr 2021 14:49:15 -0400
> > Celejar wrote:
> >
> > > Okay, but why isn't trying to limit spammers getting hold of an
> > > address a logical part of a defense in depth strategy?
> >
> > It is, but if you are reachable then a human can enter your address
> > on
>
> Yes, but humans don't scale the way bots do ;)

No, but you don't care about how many other addresses are harvested, just about yours.

> >
> > Unfortunately, there's nothing to beat running your own mail server,
> > which is not particularly high-maintenance after setup. The address
> > at the top of this email was created nearly 23 years ago, and has
> > been used widely around the Net, including several Usenet groups. I
> > get between one and four spams a day in my inbox. As it happens, I
> > put a new CIDR group on my blacklist today, for the first time in
> > perhaps a year.
>
> I've certainly been tempted for a while. And I suppose that receiving
> is less problematic than sending, where one apparently has to manage
> reputation, worry about past users of an IP address, monitor
> blacklists, etc.
>

Yes, sadly that boils down to having a competent ISP, and I know that in some parts of the world there's not much choice. In the UK, we have three good ISPs, one of which is amazing but expensive. In general, if you can find an ISP who will provide a fixed IPv4 address at little or no extra cost, they probably know what they're doing.

It is possible to send through a smarthost, which an ISP may provide, without worrying about your own address, but you lose one of the advantages of your own server, of having troubleshooting information about outgoing emails. ('My message, ID , was accepted by your server at xx:yy:zz two days ago... what did you do with it?')

--
Joe
Re: Modern best practice for putting a contact email on the web
Celejar [2021-04-05 14:49:15] wrote:
> On Mon, 5 Apr 2021 14:12:07 -0400 Dan Ritter wrote:
>> Celejar wrote:
>> > What's the recommended modern best practice for putting a contact email
>> > address on the web while avoiding having it scraped by spam / fraud
>> > bots?
>> Assume that every address will be hit by spammers and scammers.
>> Put in appropriate antispam and antimalware precautions.
> Okay, but why isn't trying to limit spammers getting hold of an address
> a logical part of a defense in depth strategy?

I think Dan is right: what he says is "the recommended modern practice". Defense in depth has to be weighed against the annoyance for real users, and sadly it's much easier to tweak a scraper once to handle yet-another-obfuscation-trick than it is for real users to jump through the same hoops (because those users only jump through those hoops once, so they pay the full price rather than spreading the price over millions of pages).

>> Train your people to recognize spam and scams.
> I'm talking about a small hobby project that I run in my spare time. I
> just want to reduce spam to an address that I may put up to allow
> people to reach me.

The only alternative is to use something else than email, which requires users to have/create an account and authenticate themselves (e.g. an issue tracker on SourceHut).

Stefan
Re: Modern best practice for putting a contact email on the web
On Mon, 5 Apr 2021 15:51:28 -0400 Dan Ritter wrote:
> Celejar wrote:
> > On Mon, 5 Apr 2021 14:12:07 -0400
> > Dan Ritter wrote:
> >
> > > Celejar wrote:
> > > > Hi,
> > > >
> > > > What's the recommended modern best practice for putting a contact email
> > > > address on the web while avoiding having it scraped by spam / fraud
> > > > bots?
> > >
> > > Assume that every address will be hit by spammers and scammers.
> > > Put in appropriate antispam and antimalware precautions.
> >
> > Okay, but why isn't trying to limit spammers getting hold of an address
> > a logical part of a defense in depth strategy?
>
> Because it doesn't work. If it worked as well as, say, moving
> your SSH port*, I would encourage it. It does not.

Source? Is this your personal experience, or do you have some other basis for this? Cloudflare, for example, asserts that:

"Cloudflare Email Address Obfuscation helps in spam prevention by hiding email addresses appearing in your pages from email harvesters and other bots, while remaining visible to your site visitors."

https://support.cloudflare.com/hc/en-us/articles/200170016-What-is-Email-Address-Obfuscation-

...

> > > Train your people to recognize spam and scams.
> >
> > I'm talking about a small hobby project that I run in my spare time. I
> > just want to reduce spam to an address that I may put up to allow
> > people to reach me.
>
> OK, use tagged addresses. Gmail has that feature for free.
>
> I'll give you an example: when I registered for an account on
> tvtropes.org, I handed them dsr-tro...@randomstring.org.
>
> A few months later, I knew that their database had been raided,
> and since I had never received anything useful at that address,
> I told my mailfilter to drop dsr-tropes@ into the spam bin.
>
> celejar+debianus...@gmail.com will be directed to your GMail
> account. So will celejar+celerysticks@, celejar+support@, and
> celejar+supportapril2...@gmail.com.
>
> When the spam load becomes too much, change it on the support
> page and tell Gmail to spam-bin the old address.

Worth considering, certainly. I try to avoid Gmail as much as possible (I know that I'm still using it for d-u), but I can check to see whether the other email providers I use support plus addressing.

Thanks,
Celejar
Re: Modern best practice for putting a contact email on the web
On Mon, 5 Apr 2021 20:36:39 +0100 Joe wrote:
> On Mon, 5 Apr 2021 14:49:15 -0400
> Celejar wrote:
>
> > On Mon, 5 Apr 2021 14:12:07 -0400
> > Dan Ritter wrote:
> >
> > > Celejar wrote:
> > > > Hi,
> > > >
> > > > What's the recommended modern best practice for putting a contact
> > > > email address on the web while avoiding having it scraped by spam
> > > > / fraud bots?
> > >
> > > Assume that every address will be hit by spammers and scammers.
> > > Put in appropriate antispam and antimalware precautions.
> >
> > Okay, but why isn't trying to limit spammers getting hold of an
> > address a logical part of a defense in depth strategy?
>
> It is, but if you are reachable then a human can enter your address on

Yes, but humans don't scale the way bots do ;)

> a list. Or, as you suggest, OCR will eventually find it.
>
> > > Train your people to recognize spam and scams.
> >
> > I'm talking about a small hobby project that I run in my spare time. I
> > just want to reduce spam to an address that I may put up to allow
> > people to reach me.
> >
> >
> Unfortunately, there's nothing to beat running your own mail server,
> which is not particularly high-maintenance after setup. The address at
> the top of this email was created nearly 23 years ago, and has been used
> widely around the Net, including several Usenet groups. I get between
> one and four spams a day in my inbox. As it happens, I put a new CIDR
> group on my blacklist today, for the first time in perhaps a year.

I've certainly been tempted for a while. And I suppose that receiving is less problematic than sending, where one apparently has to manage reputation, worry about past users of an IP address, monitor blacklists, etc.

> The next best method is a new free mailbox, with collection piped
> through the anti-spam software of your choice. But I tried spamassassin
> some years ago, and decided I couldn't spare the time that staying
> ahead in the arms race was costing me. Maybe the maintainers have made
> better algorithms since then.

Celejar
Re: Modern best practice for putting a contact email on the web
Celejar wrote:
> On Mon, 5 Apr 2021 14:12:07 -0400
> Dan Ritter wrote:
>
> > Celejar wrote:
> > > Hi,
> > >
> > > What's the recommended modern best practice for putting a contact email
> > > address on the web while avoiding having it scraped by spam / fraud
> > > bots?
> >
> > Assume that every address will be hit by spammers and scammers.
> > Put in appropriate antispam and antimalware precautions.
>
> Okay, but why isn't trying to limit spammers getting hold of an address
> a logical part of a defense in depth strategy?

Because it doesn't work. If it worked as well as, say, moving your SSH port*, I would encourage it. It does not.

*Moving your SSH port does nothing for your security; it does reduce the number of log entries to ignore.

> > Train your people to recognize spam and scams.
>
> I'm talking about a small hobby project that I run in my spare time. I
> just want to reduce spam to an address that I may put up to allow
> people to reach me.

OK, use tagged addresses. Gmail has that feature for free.

I'll give you an example: when I registered for an account on tvtropes.org, I handed them dsr-tro...@randomstring.org.

A few months later, I knew that their database had been raided, and since I had never received anything useful at that address, I told my mailfilter to drop dsr-tropes@ into the spam bin.

celejar+debianus...@gmail.com will be directed to your GMail account. So will celejar+celerysticks@, celejar+support@, and celejar+supportapril2...@gmail.com.

When the spam load becomes too much, change it on the support page and tell Gmail to spam-bin the old address.

-dsr-
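The tagged-address routing described in the message above, sketched as an added example (not code from the thread or from any poster's mail setup). It resolves `+` and `-` tags, copes with mailbox names that themselves contain a hyphen, and bins mail for retired tags. All mailbox names, tags and addresses are constructed; accepting both delimiters and lower-casing the local part are assumptions.

```python
from __future__ import annotations

from typing import NamedTuple, Optional

# Constructed sample data: two real mailboxes, one of which contains a hyphen.
MAILBOXES = {"alice", "mary-ann"}
# Tags that leaked and were retired, per mailbox (constructed).
RETIRED_TAGS = {"alice": {"forum"}}
# Assumption: the server accepts both '+' and '-' as tag delimiters.
DELIMITERS = "+-"


class Subaddress(NamedTuple):
    mailbox: str          # real mailbox the message belongs to
    tag: Optional[str]    # None when the address carries no tag
    domain: str


def parse_recipient(address: str, mailboxes: set[str] = MAILBOXES) -> Optional[Subaddress]:
    """Resolve an envelope recipient to (mailbox, tag, domain).

    A '-' can be part of a real mailbox name ("mary-ann"), so the local part
    cannot simply be cut at the first delimiter. Every delimiter position is
    tried from the right, so the longest candidate mailbox is tested first,
    and the first candidate that is a real mailbox wins.
    Returns None when no real mailbox matches.
    """
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain:
        return None
    # Assumption: local parts are matched case-insensitively.
    local, domain = local.lower(), domain.lower()
    if local in mailboxes:                       # untagged, exact match
        return Subaddress(local, None, domain)
    for i in range(len(local) - 1, 0, -1):       # right to left
        if local[i] in DELIMITERS and local[:i] in mailboxes:
            return Subaddress(local[:i], local[i + 1:] or None, domain)
    return None


def route(address: str,
          mailboxes: set[str] = MAILBOXES,
          retired: dict[str, set[str]] = RETIRED_TAGS) -> str:
    """Return the delivery decision for one recipient address.

    "reject"        no such mailbox (what a server without tag support
                    does with any tagged address)
    "spam:<box>"    the tag was retired for that mailbox
    "inbox:<box>"   untagged mail, or a tag still in use
    """
    parsed = parse_recipient(address, mailboxes)
    if parsed is None:
        return "reject"
    if parsed.tag is not None and parsed.tag in retired.get(parsed.mailbox, set()):
        return f"spam:{parsed.mailbox}"
    return f"inbox:{parsed.mailbox}"


if __name__ == "__main__":
    # Constructed recipients covering each decision.
    for rcpt in [
        "alice@example.org",
        "alice+support2021@example.org",
        "alice-forum@example.org",
        "Alice+Forum@Example.ORG",
        "mary-ann-forum@example.org",
        "bob+forum@example.org",
    ]:
        print(f"{rcpt:32} -> {route(rcpt)}")
```

Retirement is tracked per mailbox, so `mary-ann-forum@` still reaches the inbox even though `forum` is retired for `alice`.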
Re: Modern best practice for putting a contact email on the web
On Mon, 5 Apr 2021 14:49:15 -0400 Celejar wrote:
> On Mon, 5 Apr 2021 14:12:07 -0400
> Dan Ritter wrote:
>
> > Celejar wrote:
> > > Hi,
> > >
> > > What's the recommended modern best practice for putting a contact
> > > email address on the web while avoiding having it scraped by spam
> > > / fraud bots?
> >
> > Assume that every address will be hit by spammers and scammers.
> > Put in appropriate antispam and antimalware precautions.
>
> Okay, but why isn't trying to limit spammers getting hold of an
> address a logical part of a defense in depth strategy?

It is, but if you are reachable then a human can enter your address on a list. Or, as you suggest, OCR will eventually find it.

> > Train your people to recognize spam and scams.
>
> I'm talking about a small hobby project that I run in my spare time. I
> just want to reduce spam to an address that I may put up to allow
> people to reach me.
>
>

Unfortunately, there's nothing to beat running your own mail server, which is not particularly high-maintenance after setup. The address at the top of this email was created nearly 23 years ago, and has been used widely around the Net, including several Usenet groups. I get between one and four spams a day in my inbox. As it happens, I put a new CIDR group on my blacklist today, for the first time in perhaps a year.

The next best method is a new free mailbox, with collection piped through the anti-spam software of your choice. But I tried spamassassin some years ago, and decided I couldn't spare the time that staying ahead in the arms race was costing me. Maybe the maintainers have made better algorithms since then.

--
Joe
Re: Modern best practice for putting a contact email on the web
On Mon, Apr 05, 2021 at 02:49:15PM -0400, Celejar wrote:
> On Mon, 5 Apr 2021 14:12:07 -0400
> Dan Ritter wrote:
>
> > Celejar wrote:
> > > Hi,
> > >
> > > What's the recommended modern best practice for putting a contact email
> > > address on the web while avoiding having it scraped by spam / fraud
> > > bots?
> >
> > Assume that every address will be hit by spammers and scammers.
> > Put in appropriate antispam and antimalware precautions.
>
> Okay, but why isn't trying to limit spammers getting hold of an address
> a logical part of a defense in depth strategy?
>

All these methods are obfuscation. Sorry to say that is no strategy. They will be a waste of time. Dan pointed out the only option you have. I have for years my e-mail out in the open. I get spam and there is not much I can do about that. I however employ reasonable measures to minimize the amount of spam coming through.

-H

--
Henning Follmann | hfollm...@itcfollmann.com
Re: Modern best practice for putting a contact email on the web
On Mon, 5 Apr 2021 14:12:07 -0400 Dan Ritter wrote:
> Celejar wrote:
> > Hi,
> >
> > What's the recommended modern best practice for putting a contact email
> > address on the web while avoiding having it scraped by spam / fraud
> > bots?
>
> Assume that every address will be hit by spammers and scammers.
> Put in appropriate antispam and antimalware precautions.

Okay, but why isn't trying to limit spammers getting hold of an address a logical part of a defense in depth strategy?

> Train your people to recognize spam and scams.

I'm talking about a small hobby project that I run in my spare time. I just want to reduce spam to an address that I may put up to allow people to reach me.

> -dsr-

Celejar
Re: Modern best practice for putting a contact email on the web
Celejar wrote:
> Hi,
>
> What's the recommended modern best practice for putting a contact email
> address on the web while avoiding having it scraped by spam / fraud
> bots?

Assume that every address will be hit by spammers and scammers.
Put in appropriate antispam and antimalware precautions.
Train your people to recognize spam and scams.

-dsr-
Modern best practice for putting a contact email on the web
Hi,

What's the recommended modern best practice for putting a contact email address on the web while avoiding having it scraped by spam / fraud bots? I'm aware of many of the techniques in use, such as the ones discussed here:

https://stackoverflow.com/questions/23002711/how-to-show-email-addresses-on-the-website-to-avoid-spams

but I don't know how smart the current bots are and which methods are likely to still be effective.

I want to use free software, of course, and I want to avoid server side stuff, since I want to put an address on a simple third party web page that I do not control but have the ability to put basic HTML on.

I suppose I could use a text-to-image generator (a sort of reverse OCR), like this one:

https://www.generateit.net/email-to-image/

but I'd rather find a FLOSS tool to do this, and I'd rather not provide the email address to some random site ;) And actually, I'm not sure this is really such a good solution anyway, since I'd probably have to find someplace to host the image, which is certainly doable, but it adds complications that I'd just as soon avoid.

Is character entity substitution likely to still work against current bots?

http://www.wbwip.com/wbw/emailencoder.html

Celejar