Subject: Re: Obfuscation
To: None <netbsd-users@netbsd.org, rkr@olib.org>
From: Bruce J.A. Nourish <bjan@bjan.net>
List: netbsd-users
Date: 09/13/2003 00:44:32

On Sat, Sep 13, 2003 at 01:36:22AM -0500, Richard Rauch wrote:
> Re. http://mail-index.netbsd.org/netbsd-users/2003/09/12/0019.html
> 
> I don't know if there's any danger that the list policies will change,
> but I thought that I'd voice my opinion since the subject's been raised...
>
> Imagine my surprise, Bruce, to discover that I am not a regular reader of
> this list.

Granted, this was probably a silly comment...

> My take on it is:
> 
>  * That the list can be harvested is fairly self-evident.  Most users on here
>    are bright enough to construct "containment" email accounts if they so
>    desire (as you have done).

Containment accounts are a blunt weapon. If you close one, people who
only know the containment address cannot contact you in future. Does
that not dissuade replies?

>    Since you don't have to be subscribed to the list, you could even just
>    use a totally bogus email address that you never check (have it dump into
>    /dev/null) and leave a hint in your .signature about how to really
>    contact you.

What is that signature "hint" if not an obfuscated email address (and
therefore subject to your own critique of obfuscated email addresses)?

>  * "Obfuscation", if it really obscures the email address, hinders replies.

If you're using the NetBSD mail archives from a web browser, you have
already sacrificed the ability to reply easily. (I am not suggesting in
any way that the headers of live mail should be touched.) The 
obfuscation would be something that could be undone in your head. Say:

bjan+public@bjan.net -> bjan (plus) public (at) bjan (dot) net. 

This is trivial for a human to decode, but I believe it would be 
extraordinarily difficult to write a generalized parser that could
pick these addresses out with any degree of accuracy.

[snip]

>    Unless it's an *emergency*, it doesn't have to be a very high threshold
>    before I feel that the person has put up their own walls and I just can't
>    be bothered scaling the walls, especially if it's on behalf of the other
>    person (e.g., someone asking for help *and* making it harder for me to
>    respond).  Another example of this kind of thing is when people use
>    quoted-printable on these lists, or attach MIME64 copies of plain text
>    files such as dmesg output.  Such messages are just unreadable from mail-index,
>    so I've basically given up on them the last year or so.

Posting in weird/unreadable forms rarely has a justification. Rest 
assured that I do not _want_ to obfuscate my email address, I simply
_have_ to, to protect the integrity of my email account.

>  * If the "obfuscation" is sufficiently weak, then you're relying on
>    the spammers to not bother with you.  To me, that's about the same
>    strategy as the mailing list relying on spammers to not bother harvesting
>    the list...

It is not necessary to raise the obfuscation to the level of a homework 
problem; it suffices to make harvesting require human intervention. 

> Administratively raising the level of obfuscation on the list would certainly
> lower the number of off-list replies that I make.

See my previous remarks about bit-buckets, which are your suggested
remedy.

> And it wouldn't provide
> YOU any better protection than if you simply have your From:/Reply-To: headers
> dump to /dev/null for posting here.  I think that it's better to leave the
> level of openness/obscurity up to the posters.

Which is really what I propose: right now, you _don't_ have a choice.
You can:

 * Use a valid containment address, and get spammed; or
 * Use an invalid containment address. If an invalid From/Reply-To
   doesn't dissuade replies, I can't imagine what would.

Just my 1.60219e-19C.
-- 
Bruce J.A. Nourish <bjan+public@bjan.net> http://bjan.net
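
Added example, not part of the original message and not code from the NetBSD mail archive: a sketch of the archive-side rewriting proposed above, applied only when a stored message is rendered for the web. The address pattern, the function names and the list of identifier headers left untouched are assumptions of this example.

```python
import re

# Deliberately simple address pattern (an assumption of this example, not a
# full RFC 5322 parser): a local part of letters, digits and . _ + -,
# followed by a dotted domain name.
ADDRESS = re.compile(
    r"\b[A-Za-z0-9][A-Za-z0-9._+-]*@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+\b"
)

# Headers whose values are message identifiers rather than mailboxes. They are
# left intact so that thread links in the rendered archive keep working
# (assumed archive behaviour).
ID_HEADERS = ("message-id:", "in-reply-to:", "references:")

# The spelled-out form used in the message: bjan (plus) public (at) bjan (dot) net
WORDS = {"+": " (plus) ", "@": " (at) ", ".": " (dot) "}


def obfuscate_address(address):
    """Spell out the separators of one address so a human can still read it."""
    return "".join(WORDS.get(ch, ch) for ch in address)


def obfuscate_archive_text(text):
    """Rewrite every address in an archived message for web display.

    Only the rendered copy is changed; the stored message and the headers of
    live list mail are never touched.
    """
    rendered = []
    for line in text.splitlines():
        if line.lower().startswith(ID_HEADERS):
            rendered.append(line)  # identifier header: keep verbatim
        else:
            rendered.append(
                ADDRESS.sub(lambda m: obfuscate_address(m.group(0)), line)
            )
    return "\n".join(rendered)


# Constructed sample message (not taken from the archive).
SAMPLE = (
    "From: Bruce J.A. Nourish <bjan+public@bjan.net>\n"
    "Message-ID: <20030913.constructed@mail.example.org>\n"
    "Reply off-list to user@example.org."
)

if __name__ == "__main__":
    print(obfuscate_archive_text(SAMPLE))
```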