Subject: Re: SPAM Alert: Email Address Harvesting
To: NetBSD Current <firstname.lastname@example.org>
From: Joel Baker <email@example.com>
Date: 01/02/2004 23:20:29
Content-Type: text/plain; charset=us-ascii
On Fri, Jan 02, 2004 at 07:17:09PM -0700, Bruce J.A. Nourish wrote:
> A few months ago, I wrote a long, eloquent missive on on precisely this
> subject. Nobody gave a shit.
Didn't see it; can't comment.
> One reply was not worth reading, the other defended the status quo, saying
> that unscrambling hidden email addresses made replying to posts
> prohibitively difficult. Without disrespect to that poster, who I get
> along great with, I think that is the most pathetic argument I have ever
> heard in my life.
How about this one, then? "I doesn't work."
It has, in fact, been proven *not* to work. Want to know the fairly
obvious reason why? Because spammers are in it for the money - and as
such, they can hire people who are better at perl, or your choice of text
sieving/sorting/mangling engine, than 99.99% of the rest of the world.
Because it pays off, even with that expense.
And even if you made it completely non-machine-parseable (graphics of the
address, for example - not that that's completely unparseable, just much
more difficult), they'll just start paying someone in East Malaysia 2 cents
an address for human processing. And that person will still be making five
times the going rate, for a day's work.
In other words, it causes inconvenience to legitimate users, and spares
them exactly... no hassle.
However, since you clearly have the technical acumen to handle multiple
addresses, and know how you think they should be obfuscated, you can always
do your own study, and confirm (or disprove) those done so far. IT's
actually cheap, easy, and even potentially useful if done rigorously. Just
generate, say, a couple of hundred of random addresses, scatter them around
the 'Net in a vairety of ways, obfuscated nad otherwise - just be sure you
balance all of them. Then sit back, and measure the rate of spamming over,
say, six months, at 1-hour intervals. Won't take much in the way of data
storage; if you don't use them for any legitimate email, you can assume
every incoming message is spam, and just keep a count, rather than the
Believe me, I'd *love* to hear that someone found an obfuscation method
that actually worked. Of course, if you do, it probably won't work for more
than a week or so, before someone comes up with a way to crack it, but one
(As secondary proof - stop and consider how many places have subscriptions
to lists like this that *don't* obfuscate it, outside the main archives. Or
were you proposing to do double-blind list mangling to prevent anyone from
being able to tell, in a text client, who actually sent the email?)
Joel Baker System Administrator - lightbearer.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (FreeBSD)
-----END PGP SIGNATURE-----