Hi all,
I sent what I thought was a very important request to one of the Fedora lists which was quickly beaten down, and I did not receive anything back on subsequent replies. I would appreciate your help in making sure that the lists are safe for all of us. I'm actually going to the trouble of subscribing to nearly all of the Red Hat mailing lists just to get the word out.
One thing that I have done recently was to search for my e-mail addresses on the Internet web pages to find all of the places that list them. Why bother doing this? Just like how Google has spiders that crawl the Internet to gather general information, spammers have spiders that crawl the Internet to gather e-mail addresses to spam people. I have contacted all of the websites who did not modify my e-mail addresses (mostly on mailing lists) in such that they cannot be collected. Red Hat has done at least one thing right in that they have modified everyone's e-mail address in their web archive, such that it reads something like <walrus bellsouth.net> for mine.
However Red Hat has left one big gaping whole that the spam spiders can still crawl into. There is a complete active mirror of these lists as postable newsgroups kept on a service called Gmane http://gmane.org. I'm using Gmane to write this message to you now. It's a pretty sophisticated setup, has safeguards to prevent spam getting posted, and they use Spam Assassin to clean up stuff that still ends up on the list (except you have to filter it yourself on the newsgroup interface). The only problem is that spam spiders crawl the newsgroups to collect e-mail addresses.
Gmane has a safeguard to prevent this, but it has to be turned on by the list administrator. Gmane can encrypt the e-mail addresses on the list such that any mail sent to them is routed through Gmane first, and then the sender must under go a challenge-response before the message gets routed to the actual recipient. Of all of the Red Hat lists I've only found two newsgroup mirrors that use address encryption: gmane.linux.redhat.fedora.java <fedora-java-list>, and gmane.redhat.taroon <taroon-beta-list>.
If you would like to see the Red Hat newsgroup mirrors have encrypted e-mail addresses, please reply to this topic and discuss. If you are even more brave (important since some of these lists are high-volume and not everything gets read), please contact your list administrator directly at listname-admin@redhat.com. If someone knows how to get the word out on the international lists or to their administrators (since I don't speak multiple tongues), please do so. If someone knows who to contact who can make all of the newsgroups have encrypted e-mail addresses going above all of the list administrators (maybe the person who decided to obfuscate them all on the web archive?) please contact him or her and let us know how to contact that person.
Thanks so much, William
I noticed that my spam levels (the stuff that got through the gmail filter) shot up within days of my first post to the fedora developers list. Coincidence? I suspect not.
Joe.
On 4/13/05, William M. Quarles walrus@bellsouth.net wrote:
Hi all,
I sent what I thought was a very important request to one of the Fedora lists which was quickly beaten down, and I did not receive anything back on subsequent replies. I would appreciate your help in making sure that the lists are safe for all of us. I'm actually going to the trouble of subscribing to nearly all of the Red Hat mailing lists just to get the word out.
One thing that I have done recently was to search for my e-mail addresses on the Internet web pages to find all of the places that list them. Why bother doing this? Just like how Google has spiders that crawl the Internet to gather general information, spammers have spiders that crawl the Internet to gather e-mail addresses to spam people. I have contacted all of the websites who did not modify my e-mail addresses (mostly on mailing lists) in such that they cannot be collected. Red Hat has done at least one thing right in that they have modified everyone's e-mail address in their web archive, such that it reads something like <walrus bellsouth.net> for mine.
However Red Hat has left one big gaping whole that the spam spiders can still crawl into. There is a complete active mirror of these lists as postable newsgroups kept on a service called Gmane http://gmane.org. I'm using Gmane to write this message to you now. It's a pretty sophisticated setup, has safeguards to prevent spam getting posted, and they use Spam Assassin to clean up stuff that still ends up on the list (except you have to filter it yourself on the newsgroup interface). The only problem is that spam spiders crawl the newsgroups to collect e-mail addresses.
Gmane has a safeguard to prevent this, but it has to be turned on by the list administrator. Gmane can encrypt the e-mail addresses on the list such that any mail sent to them is routed through Gmane first, and then the sender must under go a challenge-response before the message gets routed to the actual recipient. Of all of the Red Hat lists I've only found two newsgroup mirrors that use address encryption: gmane.linux.redhat.fedora.java <fedora-java-list>, and gmane.redhat.taroon <taroon-beta-list>.
If you would like to see the Red Hat newsgroup mirrors have encrypted e-mail addresses, please reply to this topic and discuss. If you are even more brave (important since some of these lists are high-volume and not everything gets read), please contact your list administrator directly at listname-admin@redhat.com. If someone knows how to get the word out on the international lists or to their administrators (since I don't speak multiple tongues), please do so. If someone knows who to contact who can make all of the newsgroups have encrypted e-mail addresses going above all of the list administrators (maybe the person who decided to obfuscate them all on the web archive?) please contact him or her and let us know how to contact that person.
Thanks so much, William
-- fedora-devel-list mailing list fedora-devel-list@redhat.com http://www.redhat.com/mailman/listinfo/fedora-devel-list
Thanks for the input. Contact the list administrator if you would like to see address encryption turned on for Gmane to safeguard against that.
Thanks, William
Joe Desbonnet wrote:
I noticed that my spam levels (the stuff that got through the gmail filter) shot up within days of my first post to the fedora developers list. Coincidence? I suspect not.
Joe.
On 4/13/05, William M. Quarles walrus@bellsouth.net wrote:
Hi all,
I sent what I thought was a very important request to one of the Fedora lists which was quickly beaten down, and I did not receive anything back on subsequent replies. I would appreciate your help in making sure that the lists are safe for all of us. I'm actually going to the trouble of subscribing to nearly all of the Red Hat mailing lists just to get the word out.
One thing that I have done recently was to search for my e-mail addresses on the Internet web pages to find all of the places that list them. Why bother doing this? Just like how Google has spiders that crawl the Internet to gather general information, spammers have spiders that crawl the Internet to gather e-mail addresses to spam people. I have contacted all of the websites who did not modify my e-mail addresses (mostly on mailing lists) in such that they cannot be collected. Red Hat has done at least one thing right in that they have modified everyone's e-mail address in their web archive, such that it reads something like <walrus bellsouth.net> for mine.
However Red Hat has left one big gaping whole that the spam spiders can still crawl into. There is a complete active mirror of these lists as postable newsgroups kept on a service called Gmane http://gmane.org. I'm using Gmane to write this message to you now. It's a pretty sophisticated setup, has safeguards to prevent spam getting posted, and they use Spam Assassin to clean up stuff that still ends up on the list (except you have to filter it yourself on the newsgroup interface). The only problem is that spam spiders crawl the newsgroups to collect e-mail addresses.
Gmane has a safeguard to prevent this, but it has to be turned on by the list administrator. Gmane can encrypt the e-mail addresses on the list such that any mail sent to them is routed through Gmane first, and then the sender must under go a challenge-response before the message gets routed to the actual recipient. Of all of the Red Hat lists I've only found two newsgroup mirrors that use address encryption: gmane.linux.redhat.fedora.java <fedora-java-list>, and gmane.redhat.taroon <taroon-beta-list>.
If you would like to see the Red Hat newsgroup mirrors have encrypted e-mail addresses, please reply to this topic and discuss. If you are even more brave (important since some of these lists are high-volume and not everything gets read), please contact your list administrator directly at listname-admin@redhat.com. If someone knows how to get the word out on the international lists or to their administrators (since I don't speak multiple tongues), please do so. If someone knows who to contact who can make all of the newsgroups have encrypted e-mail addresses going above all of the list administrators (maybe the person who decided to obfuscate them all on the web archive?) please contact him or her and let us know how to contact that person.
Thanks so much, William
-- fedora-devel-list mailing list fedora-devel-list@redhat.com http://www.redhat.com/mailman/listinfo/fedora-devel-list
On Wed, 2005-04-13 at 13:30 -0400, William M. Quarles wrote:
spammers have spiders that crawl the Internet to gather e-mail addresses to spam people. I have contacted all of the websites who did not modify my e-mail addresses (mostly on mailing lists) in such that they cannot be collected.
Yes they do have spiders. And I'd bet that most of those spiders know how to turn "user at example.com" and many of the other common obfuscations into "user@example.com". And if that doesn't work, they'll just subscribe to all of the mailing lists that they can find to harvest email addresses directly from the emails. And if that doesn't work they'll just try dictionary attacks against your SMTP server. And once one spammer has your email address they'll quickly sell it to every other spammer.
This all just goes to show that you can't hide your email address. They'll find it one way or the other, sooner or later. So I wouldn't waste a lot of time trying.
Instead, investigate one of the many spam filtering systems out there. Since I see that you are using Mozilla, take a look at:
http://www.mozilla.org/mailnews/spam.html
Jeff
On Wed, 13 Apr 2005 12:52:22 -0500, Jeffrey C. Ollie jeff@ocjtech.us wrote:
Yes they do have spiders. And I'd bet that most of those spiders know how to turn "user at example.com" and many of the other common obfuscations into "user@example.com". And if that doesn't work, they'll just subscribe to all of the mailing lists that they can find to harvest email addresses directly from the emails. And if that doesn't work they'll just try dictionary attacks against your SMTP server. And once one spammer has your email address they'll quickly sell it to every other spammer.
This all just goes to show that you can't hide your email address. They'll find it one way or the other, sooner or later. So I wouldn't waste a lot of time trying.
Instead, investigate one of the many spam filtering systems out there. Since I see that you are using Mozilla, take a look at:
This is nuts.
The best defense against spam is a defense in depth. It makes sense to filter spam at the mail server and the mail client, but it also makes sense to prevent one's address from being exposed to spammers.
I had one address that was so popular for viruses and spams that the mail server was regularly failing in one way or another because of the load, and I ultimately abandoned that account.
Yes, "user at example.com" is lame, but you can do a lot better by requiring:
(i) that a user have to perform a complicated task (register and log in, for instance) in order to harvest an address, and (ii) wrapping the address in javascript + funny HTML tricks (for instance, using numeric entities for characters, inserting comments into the text) to make sure anything less than a complete HTML parser won't get the address.
These two actions will sideline general-purpose spamcrawlers that are trying to crawl te whole web. A defense against specialized webcrawlers involves keeping an eye on the behavior of crawlers -- prohibit legitimate crawlers from attempting to get e-mail addresses, and firewall any site that requests too many of them.
(And yes, I work on a site that periodically does get attacked with specialized webcralwers trying to do just that.)
The point of (ii) is to protect against worms/viruses that scan the browser caches -- you're better off the harder it is for a worm to parse it...
I've had the same extremely public email address for ten years, and spam is a total non-problem for me.
Learn to use filters, and get an ISP that subscribes to MAPS UBL and quit your whining.
Or, don't use email.
Intentionally obfuscating or hiding email addresses destroys the utility of mail as a communications medium. This cure is worse than the disease.
Jamie Zawinski wrote:
I've had the same extremely public email address for ten years, and spam is a total non-problem for me.
Learn to use filters, and get an ISP that subscribes to MAPS UBL and quit your whining.
Or, don't use email.
Intentionally obfuscating or hiding email addresses destroys the utility of mail as a communications medium. This cure is worse than the disease.
Why, changing my e-mail address to read walrus bellsouth.net on the Red Hat site is too challenging for you? At least it fools a stupid computer looking for it. Although I agree that when the archives completely delete e-mail addresses than it is useless, but the archives that I have contacted about that say that they have to because they get daily requests from people to completely remove even obfuscated e-mail addresses.
Look into the Gmane encryption, it is a worthwhile solution to the news spider problem. And it doesn't inhibit the functioning of the mailing list whatsoever. If you don't use Gmane the only reason why you would care is because it keeps the spam spiders away, and that's a good thing to care about.
William
On Wed, 2005-04-13 at 16:53 -0400, William M. Quarles wrote:
Why, changing my e-mail address to read walrus bellsouth.net on the Red Hat site is too challenging for you? At least it fools a stupid computer looking for it. Although I agree that when the archives completely delete e-mail addresses than it is useless, but the archives that I have contacted about that say that they have to because they get daily requests from people to completely remove even obfuscated e-mail addresses.
Look into the Gmane encryption, it is a worthwhile solution to the news spider problem. And it doesn't inhibit the functioning of the mailing list whatsoever. If you don't use Gmane the only reason why you would care is because it keeps the spam spiders away, and that's a good thing to care about.
Could you please stop this discussion? As far as I can tell, this has nothing to do with development of Fedora.
Refer to: http://fedora.linux.duke.edu/wiki/PostIsOffTopic
/B
Brian Pepple wrote:
Could you please stop this discussion? As far as I can tell, this has nothing to do with development of Fedora.
I read your URL. While it has "nothing" to do with development of Fedora, it does have to do with the existence of the list itself and is therefore relevant.
William
On Wed, 2005-04-13 at 21:22 -0400, William M. Quarles wrote:
I read your URL. While it has "nothing" to do with development of Fedora, it does have to do with the existence of the list itself and is therefore relevant.
No, it is not relevant. This is something only the sysadmins can change, and hence is definitely off-topic for the mailing list.
/B
Paul A. Houle wrote:
On Wed, 13 Apr 2005 12:52:22 -0500, Jeffrey C. Ollie jeff@ocjtech.us wrote:
Yes they do have spiders. And I'd bet that most of those spiders know how to turn "user at example.com" and many of the other common obfuscations into "user@example.com".
<Snip>
This is nuts.
Yes.
The best defense against spam is a defense in depth. It makes sense
to filter spam at the mail server and the mail client, but it also makes sense to prevent one's address from being exposed to spammers.
<snip>
Yes, "user at example.com" is lame, but you can do a lot better
by requiring:
<yada-yada-yada>
Apparently you guys haven't bothered to look at what Gmane actually does to inhibit the spiders. It's not just "user at example.com." They do that on the website for groups that fail to do the following: they actually *encrypt* your e-mail address and force the sender to verify themselves. Read more.
William
On 4/13/05, William M. Quarles walrus@bellsouth.net wrote:
Apparently you guys haven't bothered to look at what Gmane actually does to inhibit the spiders. It's not just "user at example.com." They do that on the website for groups that fail to do the following: they actually *encrypt* your e-mail address and force the sender to verify themselves. Read more.
I've read that url.. and it says that list maintainers have to REQUEST encryption to be turned on. Its not somethign list maintainers turn on themselves.. it something gmame turns on at the request of list maintainers. That url doesn't even explain to whom at gmame you make the request.
If this is a gmame feature that list maintainers have to request be turned on... why the hell isnt gmame turning this feature on by default for ALL the lists they archive? Why do list maintainers have to request this feature? Why do list maintainers have to know about gmame's existance at all? gmame needs to turn this on for ALL the lists they archive and then let maintainers opt-out of it instead of opt-in. I consider this a problem with how gmame is managed. They should be defaulting to encypted usernames in the newgroup archives and save list maintainers the trouble of tracking this down and interacting with gmame at all.
-jef
On Wed, 2005-04-13 at 17:49 -0400, Jeff Spaleta wrote:
If this is a gmame feature that list maintainers have to request be turned on... why the hell isnt gmame turning this feature on by default for ALL the lists they archive?
Because Jamie's right, and not all list owners are weenies who don't actually realise that.
Jeff Spaleta wrote:
On 4/13/05, William M. Quarles walrus@bellsouth.net wrote:
Apparently you guys haven't bothered to look at what Gmane actually does to inhibit the spiders. It's not just "user at example.com." They do that on the website for groups that fail to do the following: they actually *encrypt* your e-mail address and force the sender to verify themselves. Read more.
I've read that url.. and it says that list maintainers have to REQUEST encryption to be turned on. Its not somethign list maintainers turn on themselves.. it something gmame turns on at the request of list maintainers. That url doesn't even explain to whom at gmame you make the request.
List maintainers request it on the form when they add their list to the service, or they can contact the Gmane staff directly to request such a change afterwards. It isn't so hard.
If this is a gmame feature that list maintainers have to request be turned on... why the hell isnt gmame turning this feature on by default for ALL the lists they archive? Why do list maintainers have to request this feature? Why do list maintainers have to know about gmame's existance at all? gmame needs to turn this on for ALL the lists they archive and then let maintainers opt-out of it instead of opt-in. I consider this a problem with how gmame is managed. They should be defaulting to encypted usernames in the newgroup archives and save list maintainers the trouble of tracking this down and interacting with gmame at all.
Rather than complaining about how who does what let's get down to this: if you want address encryption turned on for Gmane, contact the list administrator. It is not very hard for them to take care of, trust me.
Thanks, William
On Wed, Apr 13, 2005 at 14:24:21 -0400, "Paul A. Houle" ph18@cornell.edu wrote:
The best defense against spam is a defense in depth. It makes sense to filter spam at the mail server and the mail client, but it also makes sense to prevent one's address from being exposed to spammers.
Then don't post to public mailing lists.
William, you are off-topic for this mailing list. Your request of the added header necessary for Gmane to translate e-mail addresses in their archives is nothing something that I can do myself, and need to ask our sysadmins to do.
While this may help, it will only a little. Nothing stops spammers from subscribing to all lists and getting all e-mail addresses that way. And nothing stops other people from making the list archives available elsewhere. As I said earlier THIS IS NOT A SOLUTION.
Warren Togami wtogami@redhat.com