Re: [Mailman-Developers] Proposed: remove address-obfuscation code fromMailman 3
On Aug 25, 2009, at 7:42 AM, s...@pobox.com wrote: The other thing about Mailman's obfuscation is that I sorta think that by now the spammers have figured it out. I mean, "skip at pobox.com"? Come on. Even Barry stands a good chance of writing a regular expression that can locate something like that, his self-deprecation about his r.e. prowess notwithstanding. :-) If nothing else, all an enterprising spammer would have to do is steal Mailman's email address matcher and replace "@" with " at ". Oh, wait, it's open source. They wouldn't even have to steal the code. I've always wanted to re-architect the archives so that they would / always/ vend the messages from an active process. I wouldn't have any static files, except a cache for efficiency, and I would generate the HTML on demand. My guess is that 99% of all archived messages are never read by a human. The problem of course is spiders but I guess they'll just warm up your cache. ;/ This would allow: * easy redeployment of new obfuscation techniques * on demand take downs or sanitization * easy site regeneration for style changes. -Barry PGP.sig Description: This is a digitally signed message part ___ Mailman-Developers mailing list Mailman-Developers@python.org http://mail.python.org/mailman/listinfo/mailman-developers Mailman FAQ: http://wiki.list.org/x/AgA3 Searchable Archives: http://www.mail-archive.com/mailman-developers%40python.org/ Unsubscribe: http://mail.python.org/mailman/options/mailman-developers/archive%40jab.org Security Policy: http://wiki.list.org/x/QIA9
Re: [Mailman-Developers] Proposed: remove address-obfuscation code fromMailman 3
You are presuming too much on spammers as a whole. I've dealt with a couple spammers, and they just used some tools they got online that search for usern...@domain.something. Everything else is ignored. I don't for a minute doubt that the advanced spammers will snag anything and everything no matter how strange it is obfusticated (sp?). But there are a LOT of low-tech spammers still out there, and there is enough "low hanging fruit" for them that this little bit we are discussing can be over their head. Bob -- Original Message --- From: s...@pobox.com To: Ian Eiloart Cc: mailman-developers@python.org, Rich Kulawiec Sent: Tue, 25 Aug 2009 06:42:12 -0500 Subject: Re: [Mailman-Developers] Proposed: remove address-obfuscation code fromMailman 3 > Ian> Quite right. Rich's argument is, essentially, that obfuscation > Ian> isn't 100% effective so it shouldn't be used. Frankly, if > it's 10%Ian> effective, then it's worth doing in my view. > > I would be quite surprised if address obfuscation is anywhere close > to 10% effective. Maybe 0.01%. > > The problem I see with Barry's argument that users demand it so > Mailman must provide it is that position just propagates > misinformation about the ineffectiveness of the "feature". I would > vote for tossing it out, or at the very least making it a per-list > flag which admins could disable if they wanted. > > The other thing about Mailman's obfuscation is that I sorta think > that by now the spammers have figured it out. I mean, "skip at > pobox.com"? Come on. Even Barry stands a good chance of writing a > regular expression that can locate something like that, his self- > deprecation about his r.e. prowess notwithstanding. :-) If nothing > else, all an enterprising spammer would have to do is steal > Mailman's email address matcher and replace "@" with " at ". Oh, > wait, it's open source. They wouldn't even have to steal the code. > > -- > Skip Montanaro - s...@pobox.com - http://www.smontanaro.net/ > Getting old sucks, but it beats dying young > ___ > Mailman-Developers mailing list > Mailman-Developers@python.org > http://mail.python.org/mailman/listinfo/mailman-developers > Mailman FAQ: http://wiki.list.org/x/AgA3 > Searchable Archives: http://www.mail-archive.com/mailman-developers%40python.org/ > Unsubscribe: http://mail.python.org/mailman/options/mailman-developers/bob%40nleaudio.com > > Security Policy: http://wiki.list.org/x/QIA9 --- End of Original Message --- ___ Mailman-Developers mailing list Mailman-Developers@python.org http://mail.python.org/mailman/listinfo/mailman-developers Mailman FAQ: http://wiki.list.org/x/AgA3 Searchable Archives: http://www.mail-archive.com/mailman-developers%40python.org/ Unsubscribe: http://mail.python.org/mailman/options/mailman-developers/archive%40jab.org Security Policy: http://wiki.list.org/x/QIA9
Re: [Mailman-Developers] Proposed: remove address-obfuscation code fromMailman 3
Ian> Quite right. Rich's argument is, essentially, that obfuscation Ian> isn't 100% effective so it shouldn't be used. Frankly, if it's 10% Ian> effective, then it's worth doing in my view. I would be quite surprised if address obfuscation is anywhere close to 10% effective. Maybe 0.01%. The problem I see with Barry's argument that users demand it so Mailman must provide it is that position just propagates misinformation about the ineffectiveness of the "feature". I would vote for tossing it out, or at the very least making it a per-list flag which admins could disable if they wanted. The other thing about Mailman's obfuscation is that I sorta think that by now the spammers have figured it out. I mean, "skip at pobox.com"? Come on. Even Barry stands a good chance of writing a regular expression that can locate something like that, his self-deprecation about his r.e. prowess notwithstanding. :-) If nothing else, all an enterprising spammer would have to do is steal Mailman's email address matcher and replace "@" with " at ". Oh, wait, it's open source. They wouldn't even have to steal the code. -- Skip Montanaro - s...@pobox.com - http://www.smontanaro.net/ Getting old sucks, but it beats dying young ___ Mailman-Developers mailing list Mailman-Developers@python.org http://mail.python.org/mailman/listinfo/mailman-developers Mailman FAQ: http://wiki.list.org/x/AgA3 Searchable Archives: http://www.mail-archive.com/mailman-developers%40python.org/ Unsubscribe: http://mail.python.org/mailman/options/mailman-developers/archive%40jab.org Security Policy: http://wiki.list.org/x/QIA9
Re: [Mailman-Developers] Proposed: remove address-obfuscation code fromMailman 3
--On 24 August 2009 13:15:03 -0500 "Hopkins, Justin" wrote: Thanks for such a detailed and compelling post..but I must disagree. I can't refute any of the arguments you made, they are all quite sound, but I do take issue with your conclusion. Obfuscating the email addresses is just a part of 'defense in depth' - same as patching your computer, using a firewall, etc. Each layer, no matter how thin, still adds something. Cheers, Justin Quite right. Rich's argument is, essentially, that obfuscation isn't 100% effective so it shouldn't be used. Frankly, if it's 10% effective, then it's worth doing in my view. Further, Rich offers no evidence of significant harm done by obfuscation. Finally, there are other privacy concerns than spam harvesting that may also be mitigated by address obfuscation. -- Ian Eiloart IT Services, University of Sussex 01273-873148 x3148 For new support requests, see http://www.sussex.ac.uk/its/help/ ___ Mailman-Developers mailing list Mailman-Developers@python.org http://mail.python.org/mailman/listinfo/mailman-developers Mailman FAQ: http://wiki.list.org/x/AgA3 Searchable Archives: http://www.mail-archive.com/mailman-developers%40python.org/ Unsubscribe: http://mail.python.org/mailman/options/mailman-developers/archive%40jab.org Security Policy: http://wiki.list.org/x/QIA9
Re: [Mailman-Developers] Proposed: remove address-obfuscation code fromMailman 3
Justin Hopkins writes: > Obfuscating the email addresses is just a part of 'defense in > depth' - same as patching your computer, using a firewall, > etc. Each layer, no matter how thin, still adds something. That's true. Rich's argument is more subtle than a claim that obfuscation is worth nothing, though. It is that benefits to obfuscation are small, and the cost is significantly larger than the benefit. You have to address the issue of the cost (obfuscating the address obstructs legitimate third-party users) as well. Note that the other strategies you mention -- patches, firewalls, etc -- do not impose costs on third parties, only on you. Personally, I subscribe to Rich's argument. I do not obfuscate my own addresses, and I argue against it when I have input into policy for processes like archiving mailing list posts. But Mailman needs to serve people who have different cost/benefit tradeoffs than Rich and I do -- I agree with you and Bernd that Mailman should provide the facility (though I would advise against relying on it, and generally deprecate its use, myself). ___ Mailman-Developers mailing list Mailman-Developers@python.org http://mail.python.org/mailman/listinfo/mailman-developers Mailman FAQ: http://wiki.list.org/x/AgA3 Searchable Archives: http://www.mail-archive.com/mailman-developers%40python.org/ Unsubscribe: http://mail.python.org/mailman/options/mailman-developers/archive%40jab.org Security Policy: http://wiki.list.org/x/QIA9
Re: [Mailman-Developers] Proposed: remove address-obfuscation code fromMailman 3
Thanks for such a detailed and compelling post..but I must disagree. I can't refute any of the arguments you made, they are all quite sound, but I do take issue with your conclusion. Obfuscating the email addresses is just a part of 'defense in depth' - same as patching your computer, using a firewall, etc. Each layer, no matter how thin, still adds something. Cheers, Justin ___ Mailman-Developers mailing list Mailman-Developers@python.org http://mail.python.org/mailman/listinfo/mailman-developers Mailman FAQ: http://wiki.list.org/x/AgA3 Searchable Archives: http://www.mail-archive.com/mailman-developers%40python.org/ Unsubscribe: http://mail.python.org/mailman/options/mailman-developers/archive%40jab.org Security Policy: http://wiki.list.org/x/QIA9