I don't disagree with most of your points, but I think the entire argument rests upon one flawed assumption: that the question is a binary one of whether your address is accessible to spammers. On the contrary, I think the issue is not whether at least one spammer will get the address (as you suggest, they inevitably will) but how much spam on average an address will receive. Presumably this will depend on how easy your address is to get and also whether the spammer knows it to be valid. Spamming a known valid address is much more likely to pay off than spamming addresses using a dictionary attack. I think it's probably true that if your address is published on a website (as my University one is) then there's probably not a lot to lose from putting your address on a key server. If your address is not explicitly published in that way, then it seems like you still might have something to lose, but, as I said, this is more about quantity of spam than getting no spam at all.
I can certainly understand the argument that you're going to get spam either way and there are benefits to having people be able to find your contact info, so maybe you just need to suck it up and get a good spam filter. I have yet to find the ideal spam filter, though, so I'm still a bit on the fence here.

Regards,
Nick

Rich Kulawiec wrote:
> On Mon, Mar 24, 2008 at 11:01:49PM -0400, Nick Cummings wrote:
>
>> but it looks to me like that puts your email address out there where it
>> can easily be picked up by spammers.
>>
>
> I just wrote about this the other day, so let me take the lazy way
> out and quote myself. I was responding to the suggestion that people
> should remove their addresses from mailing list and newsgroup traffic,
> and I covered obfuscation tactics while I was at it.
>
> --- quoting ---
>
> This is a futile tactic that will do nothing to stop competent spammers.
> The only people it will have any meaningful effect on are those who
> are trying to communicate with posters to mailing lists/newsgroups,
> and possibly some of the newer, more amateurish spammers -- who will
> learn, soon enough. The same can be said for the attempts at obfuscation
> that are often claimed to have similar non-existent benefits.
>
> Here's why:
>
> First, spammers wrote the trivial bits of perl/awk/python/whatever
> to unmunge obfuscated forms many years ago. So things like
> [EMAIL PROTECTED] or rsk (at) gsp.org are pointless.
>
> Second, spammers have also long since done the requisite RFC 2142 and
> statistical analysis to know that hostmaster@ is reasonably likely
> to exist, as is webmaster@, john@, mary@, john.smith@, john.jones@,
> aaa@, aab@, aac@, etc. So if your address matches any of the millions
> of common patterns like that, then they'll have it soon, if they don't
> already. (And given some of their methods: they don't really need
> to have it anyway in order to spam it.)
>
> Third, unmunged addresses appear with regularity in message headers
> *because they have to* in order for mail to work. I trust it's obvious
> why obfuscating or eliding them elsewhere does nothing about this.
>
> Fourth, there are an enormous number of fully-compromised systems
> worldwide. (Any estimate under 100 million is badly outdated. Recent
> estimates have been in the 250-300 million range, and even that may be
> too low.) Among the many uses that the new owners of those systems have
> for them is mass harvesting of email addresses -- which means that they
> have long since gone through every address book, all stored mail,
> and perhaps all stored documents as well. Note that some of those
> compromised systems are mail servers, in which case the harvesting is
> likely to be especially fruitful.
>
> Fifth, spammers have many other methods of acquiring addresses,
> including but not limited to:
>
> querying mail servers (especially those with VRFY and EXPN on)
> subscribing to mailing lists and harvesting everything
> acquiring corporate directories (sometimes from their web sites)
> insecure LDAP servers
> insecure AD servers
> spidering web sites
> Usenet news feed
> reverse engineering names to things like firstname.lastname
> use of backscatter/outscatter
> use of auto-responders
> gaming of mailing list mechanisms
> use of abusive "callback" mechanisms
> use of abusive e-pending mechanisms
> use of abusive challenge/response mechanisms
> dictionary attacks
> purchase of addresses in bulk on the open market.
> purchase of addresses from vendors, web sites, etc.
> purchase of addresses from registrars, ISPs, web hosts, etc.
>
> It's therefore probably best to assume at this point that ANY email
> address is either (a) in the hands of spammers or (b) will be soon,
> and to plan defenses accordingly. Pretending that it's otherwise,
> that it's actually possible to keep most addresses out of their hands
> indefinitely, is a head-in-the-sand strategy.
>
> (Yes, special-purpose addresses insulated from all this, only used
> in isolated cases, extant only on highly secure mail servers that are
> meticulously maintained, and sufficiently obscure as to avoid guesswork
> may be exceptions. But clearly, given that spammers have escalated
> from selling single CDs of compressed address lists to sets of multiple
> DVDs, only a tiny, tiny fraction of all valid email addresses worldwide
> fall into this category.)
>
> Moreover, it's impolite to send messages to a public mailing list or
> newsgroup without providing a valid address for reply. Those who don't
> want to participate in two-way communication are certainly not required
> to; they're not, however, free to unilaterally attempt to make those
> two-way channels one-way-only to suit their personal preference or
> convenience. This is the online equivalent of shouting while sticking
> your fingers in your ears so as not to hear replies.
>
> --- end quoting ---
>
> Let me just toss this extra tidbit in:
>
> Companies and universities and so on that use firstname.lastname or
> first-initial.lastname or similar patterns are making things even
> easier for spammers. I see spam attempts for richard.kulawiec and
> rkulawiec and rich.kulawiec and so on all the time on my mail servers
> even though those addresses have never existed here. Ironically, from
> time to time over the years, I've read comments from some of the people
> running mail operations that do this wondering out loud how spammers
> came up with so many valid addresses so quickly.
>
> But...given all the other methods now available to spammers, this
> probably isn't nearly as big a factor as it was 10 years ago. That
> still doesn't make it a good idea (it's really not, for a myriad
> of other reasons) but at least it means that it's not as comparatively
> damaging as it once was.
>
> ---Rsk
>
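Read from the defender's side, several items on the list quoted above (querying mail servers, dictionary attacks, guessed firstname.lastname and aaa/aab addresses, and the stream of attempts for never-existent addresses Rich sees on his own servers) leave one recognisable trace: a single client asking a mail server to deliver to many nonexistent recipients in a short time. The script below is an added example, not code from this thread or from either poster. It parses constructed Postfix-style smtpd reject lines (the hosts, IPs, addresses and the threshold of five distinct unknown recipients are all assumed values) and reports clients that look like they are enumerating addresses, classifying the guessed local parts by the patterns Rich describes: RFC 2142 role names, first.last style names, and short sequential strings. Only "User unknown" rejects are counted, so ordinary relay refusals and one-off typos from a legitimate sender are ignored.

```python
"""Flag SMTP clients that probe many nonexistent recipients.

Added example, not from the original mailing-list thread. It reads
Postfix smtpd "User unknown" rejects and reports clients whose number of
distinct rejected recipients looks like address enumeration rather than
a typo. The log lines below are constructed (documentation IPs/domains).
"""
import re
from collections import defaultdict

# Constructed sample log in Postfix smtpd format; not real traffic.
# 192.0.2.10 walks through guessed addresses; 198.51.100.7 is a normal
# sender that mistypes one address and then trips a relay refusal.
SAMPLE_LOG = """\
Mar 24 23:01:49 mx postfix/smtpd[4120]: connect from unknown[192.0.2.10]
Mar 24 23:01:50 mx postfix/smtpd[4120]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <john.smith@example.org>: Recipient address rejected: User unknown in local recipient table; from=<promo@example.net> to=<john.smith@example.org> proto=ESMTP helo=<mail.example.net>
Mar 24 23:01:50 mx postfix/smtpd[4120]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <john.jones@example.org>: Recipient address rejected: User unknown in local recipient table; from=<promo@example.net> to=<john.jones@example.org> proto=ESMTP helo=<mail.example.net>
Mar 24 23:01:51 mx postfix/smtpd[4120]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <mary@example.org>: Recipient address rejected: User unknown in local recipient table; from=<promo@example.net> to=<mary@example.org> proto=ESMTP helo=<mail.example.net>
Mar 24 23:01:51 mx postfix/smtpd[4120]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <hostmaster@example.org>: Recipient address rejected: User unknown in local recipient table; from=<promo@example.net> to=<hostmaster@example.org> proto=ESMTP helo=<mail.example.net>
Mar 24 23:01:52 mx postfix/smtpd[4120]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <aaa@example.org>: Recipient address rejected: User unknown in local recipient table; from=<promo@example.net> to=<aaa@example.org> proto=ESMTP helo=<mail.example.net>
Mar 24 23:01:52 mx postfix/smtpd[4120]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <aab@example.org>: Recipient address rejected: User unknown in local recipient table; from=<promo@example.net> to=<aab@example.org> proto=ESMTP helo=<mail.example.net>
Mar 24 23:03:10 mx postfix/smtpd[4131]: NOQUEUE: reject: RCPT from mail.example.com[198.51.100.7]: 550 5.1.1 <nikc@example.org>: Recipient address rejected: User unknown in local recipient table; from=<alice@example.com> to=<nikc@example.org> proto=ESMTP helo=<mail.example.com>
Mar 24 23:03:12 mx postfix/smtpd[4131]: NOQUEUE: reject: RCPT from mail.example.com[198.51.100.7]: 554 5.7.1 <bob@example.net>: Relay access denied; from=<alice@example.com> to=<bob@example.net> proto=ESMTP helo=<mail.example.com>
"""

# Matches only the "User unknown" reject that Postfix emits at RCPT time.
REJECT_RE = re.compile(
    r"NOQUEUE: reject: RCPT from (?P<host>[^\s\[]+)\[(?P<ip>[^\]]+)\]: "
    r"550 5\.1\.1 <(?P<rcpt>[^>]+)>: Recipient address rejected: User unknown"
)

# Role mailboxes from RFC 2142 (the kind of names the quoted post says
# spammers try first).
RFC2142_ROLES = {
    "postmaster", "hostmaster", "webmaster", "abuse", "noc", "security",
    "info", "marketing", "sales", "support",
}


def classify_localpart(local: str) -> str:
    """Label a guessed local part by the enumeration pattern it fits."""
    local = local.lower()
    if local in RFC2142_ROLES:
        return "role"           # RFC 2142 role mailbox
    if re.fullmatch(r"[a-z]+[._-][a-z]+", local):
        return "name-pattern"   # firstname.lastname, first-initial.lastname
    if re.fullmatch(r"[a-z]{1,3}", local):
        return "sequential"     # aaa, aab, aac, ... style enumeration
    return "other"


def parse_unknown_rejects(log_text: str):
    """Return (client_ip, recipient) pairs for 'User unknown' rejects only."""
    pairs = []
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            pairs.append((m.group("ip"), m.group("rcpt").lower()))
    return pairs


def probing_clients(pairs, threshold: int = 5):
    """Flag clients with at least `threshold` distinct unknown recipients.

    Returns {ip: {"unknown_recipients": n, "patterns": {label: count}}}.
    The threshold is an assumed tuning value; a real deployment would set
    it from the site's own baseline of typo-driven rejects.
    """
    per_client = defaultdict(set)
    for ip, rcpt in pairs:
        per_client[ip].add(rcpt)
    report = {}
    for ip, rcpts in per_client.items():
        if len(rcpts) < threshold:
            continue
        patterns = defaultdict(int)
        for rcpt in rcpts:
            patterns[classify_localpart(rcpt.split("@", 1)[0])] += 1
        report[ip] = {"unknown_recipients": len(rcpts), "patterns": dict(patterns)}
    return report


if __name__ == "__main__":
    for ip, info in probing_clients(parse_unknown_rejects(SAMPLE_LOG)).items():
        print(f"{ip}: {info['unknown_recipients']} unknown recipients, patterns={info['patterns']}")
```

The sample rejects are all NOQUEUE, meaning the server refused the recipient during the SMTP dialogue rather than accepting the message and bouncing it later; rejecting unknown recipients at RCPT time is also what keeps a server from becoming the backscatter source that appears on the quoted list. On a live server the same parser would be pointed at the mail log and the report fed to whatever rate-limiting or blocking mechanism the site already uses.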
