Slashdot Mirror

← Back to Stories (view on slashdot.org)

Volunteering for OSS == Sign Up for Spam?

Posted by Cliff on from the drawbacks-for-web-accessible-mailinglist-archives dept.

bckspc asks: "I've been getting pounded by spam lately, so did a Google search on my email address to see where it might appear on the Web. To my horror, it turned up several times in an archive of a Gnome listserv for a project I briefly participated in. While the email address is visibly obscured on the Web pages, it is quite intact in the HTML code. I emailed the list admin about obscuring or removing my email address, but was curtly dismissed. I'm a relative newbie and the experience soured me on participating in other OSS projects. How to Slashdot users deal with this? Must I set up disposable email accounts for every list?"

94 comments

  1. thats not what im worried about! by SkunkPussy · · Score: 5, Funny

    When I searched for my name, it was more the questions i'd answered geekily on some debian list about 4 or 5 years ago that concerned me. theres loads of them!
    And the debian lists are very well linked to its been hard for me to pursuade google to give higher priority to my own website, where I can make out I'm not a geek :-)

    --
    SURELY NOT!!!!!
  2. Short on solutions bar list admins clueing up by ffub · · Score: 5, Informative

    Try using simply foss@domain for lists, and them filter ad filter and filter it. I do agree this is very annoying, and although some listservs do respect this and change the email addresses on list servers, this can't be relied apon. I can't choose my participation based on which projects are going to give my email away.

    The only solution that will effectively work (until we fix the spam problem all round) is for list admins to be more careful about munging email addresses to some degree.

    The default setting for programs such as pipermail should be one where email addresses are not explicitly displayed.

    The best solution I've found to solve problems with email addresses online is Jodrell's mailto php script which renders the address obfuscated but displays it correctly in the browser using JavaScript.

    http://jodrell.net/projects/mailto

    1. Re:Short on solutions bar list admins clueing up by FattMattP · · Score: 1
      The best solution I've found to solve problems with email addresses online is Jodrell's mailto php script which renders the address obfuscated but displays it correctly in the browser using JavaScript.
      That's assuming that address harvesters aren't running their pages through a javascript interpreter first. Considering how sophisticated spammers' methods are becoming to deliver their messages I wouldn't doubt that their havesting methods are improving as well.
      --
      Prevent email address forgery. Publish SPF records for y
    2. Re:Short on solutions bar list admins clueing up by AmericanInKiev · · Score: 1

      Yes - but this points to a solution.

      Create a safe server which runs the decrypt. Have the safe sever identify IP addresses and restrict ip addresses which are obviously automated. This means that a given IP address can only "see" a finite number of email addresses per unit time.

      Add blacklisting and you have reasonably restricted email addresses.

      The server could also serve up and create temporary proxies which could later be identified.

      For example:

      Your emaail is Bob@OpenStuff.com

      The server says your email is peter23343@Safeemail.com - which of course forwards to you with a memo as to exactly where where and to whom (ip Address) the email was displayed.

      AIK

  3. Yes by innerlimit · · Score: 4, Informative

    Set up an account to only receive mails from the lists you joined. Junk everything else.

    --
    The Awful Truth
    1. Re:Yes by cwis42 · · Score: 1

      How convenient when someone on the list wants to talk to you privately.

    2. Re:Yes by tzanger · · Score: 1

      I use the same old trick for anywhere I have to use my email address: qmail-aliases.

      With qmail (and probably postfix, haven't checked), user-alias@domain will resolve to user@domain automatically and without any additional configuration. So for example myname@domain is my "real" account. myname-sd@domain is for slashdot, myname-kde@ is for kde's lists, myname-vexi@ is for the Vexi development lists, etc., etc., etc.

      When the spam starts coming in you can check where it came from easily and either change the alias to continue getting email from that source or simply add an explicit .qmail-myname-alias file which nullroutes the spam. People who want to email me directly email the myname-alias@ and I still get it -- no problem.

    3. Re:Yes by ShdwStkr · · Score: 1

      Postfix too, yes. '+' is the default delimiter.

      -j

    4. Re:Yes by walt-sjc · · Score: 3, Interesting

      This is what an obscured email address in your signature is for. See RFC 1855 section 3.1.1.

      The parent is 100% right. At this point, it's nuts not to use a restricted email address for mailing lists since so many are archived in various places, and it's well known that spammers crawl these archives for addresses. Some mailing lists are archived on hundreds or even thousands of web sites.

      Another option is time-expiring addresses. I do this for usenet since there are no subscription issues. I change addresses every month, and they last for 2, giving a reasonable working time. Again - obscured real address in the sig.

      These schemes obviously work best when you control your own domain as you can have custom bounce messages and such. I actually use several domains for different things (and host accounts for family and friends...)

    5. Re:Yes by walt-sjc · · Score: 2, Insightful

      It's amazing how many web forms will not accept the plus character in emails. I actually prefer NOT to use that trick, as deleting everything after the plus gives your real address. I prefer to just create an alias instead.

    6. Re:Yes by eugene+ts+wong · · Score: 1

      Do you give out your phone number to everyone, just in case they want to phone you, & don't have Internet access? Quit acting like this is the 1990s. It's not as if someone is obligated to sift through 100s of spam a day, just in case a complete stranger wants to contact him. If he has questions, then it should be directed to the list or to people who want to give out email addresses.

      --
      testing out my trending skills
    7. Re:Yes by Prior+Restraint · · Score: 1

      At this point, it's nuts not to use a restricted email address for mailing lists...

      That fine and dandy, but what about my situation? I contributed very small patches (<20 lines each) to a couple of projects last year, and now my email address appears in Changelogs which someone has thoughtfully put up on the Web for Google to index.

    8. Re:Yes by walt-sjc · · Score: 1

      That's unfortunate. Thanks for pointing out this situation, I didn't think of that. Sounds like people need to use throwaway's / special addresses for this kind of thing too. Damn.

      While I detest challenge response systems, they are looking better and better as the spam problem gets worse.

  4. use multiple disposable email addresses by lanroth · · Score: 5, Informative
    Years ago I setup a Freeserve account which allows me to receive email to anything@myaccountname.freeserve.co.uk

    Whenever I need to put my email address somewhere public (i.e. mailing lists and websites) I make up a new email address of the form mailinglistname@myaccountname.freeserve.co.uk or websitename@myaccountname.freeserve.co.uk e.g. the email address I gave slashdot is slashdot.org@myaccountname.freeserve.co.uk

    The good part: when I start getting spam to a particular address I just setup a filter that sends all mail to that address to /dev/null It also lets you know where your email address was harvested from. So when I get spam turning up on slashdot.org@myaccountname.freeserve.co.uk I know it was slashdot who sold my email address to the evil spammers ;-)

    If I want to receive mail from slashdot again I just change my email on slashdot to slashdot.org2@myaccountname.freeserve.co.uk

    Interestingly most of the spam I get comes in to the email address ebay.co.uk@myaccountname.freeserve.co.uk

    This has worked very well for me for several years.

    1. Re:use multiple disposable email addresses by Weh · · Score: 1

      Sneakemail works similar in some respects although the email addressess they give you aren't as nice. One advantage is that they forward email to your real address.

    2. Re:use multiple disposable email addresses by elmegil · · Score: 1

      Some domain hosters provide the same service, through whatever means they might care to use. In particular, I use mydomain, but I'm sure they're not the only ones. This way I don't have to host my own anything, maintain the email service, etc., and anything@whatevermydomainis.com gets forwarded to my real email account, and I can filter out the spammers easily by giving every website or whatever a unique name linked to who they are.

      --
      7 November 2006: The day Americans realized corruption and incompetence weren't addressing 11 September 2001
    3. Re:use multiple disposable email addresses by CritterNYC · · Score: 3, Informative

      Years ago I setup a Freeserve account which allows me to receive email to anything@myaccountname.freeserve.co.uk

      Whenever I need to put my email address somewhere public (i.e. mailing lists and websites) I make up a new email address of the form mailinglistname@myaccountname.freeserve.co.uk or websitename@myaccountname.freeserve.co.uk e.g. the email address I gave slashdot is slashdot.org@myaccountname.freeserve.co.uk

      This will work great... right up until the point that your domain is subject to a dictionary attack by a spammer. You'll suddenly see your spam load go through the roof. And you won't be able to setup filters for each new iteration fast enough. And if it's your own server or you pay for bandwidth, your costs just keep rising.

      You're better off creating real aliases for each new account and letting the server respond with a 550 invalid user for all others.

      If you haven't been dictionary attacked yet... just wait... it'll happen... sooner or later.

      --
      Portable versions of Firefox, GIMP, LibreOffice, etc
    4. Re:use multiple disposable email addresses by Atrahasis · · Score: 1

      He could just operate under a whitelist - every address gets blocked unless its specifically allowed. If you're just throwing an address into say, a website for registration, no need to whitelist it, but anything important or known to be secure is whitelisted.

      --

      Games Workshop Petition

  5. There is a solution in the works... by bdan · · Score: 3, Insightful

    GMail. :-)

    1. Re:There is a solution in the works... by Anonymous Coward · · Score: 0

      Lets see, suggest a free email system that offers LESS spam, and this gets modded up as insightful?

      Oh, I get it, Tuesday must be "Free crack for /. moderators" day.

  6. Is this the real source of the spam by BongoBonga · · Score: 1


    I find it difficult to believe that the spam that you are receiving is as a result of your email address being on a list associated with an oss project.

    My email address is openly available on numerious mailing lists and publications, and I also administer a small sports club website in which my personal email address has been visiable for years. During that time I have constantly used the same email address. But to date I only receive about one or two spam mails per week. It may be that my experience is unusual, but I highly doubt that your experience with spam can be attributed to your email address being published through the open source project that you were involved in.

    1. Re:Is this the real source of the spam by OhHellWithIt · · Score: 1

      It's been interesting to me that I have a special "spam" email address that I use on mailing lists and the like, and I don't get much spam on it. In fact, I think I'm getting about as much from my regular email address, which never sees the light of day on a mailing list.

      OTOH, the email address I used to have with a major ISP became a target for dozens of spam emails each day, perhaps because the ISP was targeted and because I have a common surname. Now that I have my own domain name, I get very little.

      I think that the key to avoiding spam is to give oneself an address like nospam@yourdomain.com. Any spammer worth his salt is going to skip the nospam email addresses.

      --
      "Who controls the past controls the future. Who controls the present controls the past." -- George Orwell
    2. Re:Is this the real source of the spam by TheCabal · · Score: 1

      Believe it dude. My work address was totally spam-free until I happened to post to Bugtraq *ONCE*.

      After that, I'm getting upwards of 10 spams a day. Just because someone is on an OSS project doesn't make them immune from getting harvested and spammed to death.

    3. Re:Is this the real source of the spam by dododge · · Score: 1
      My work address was totally spam-free until I happened to post to Bugtraq *ONCE*.

      After that, I'm getting upwards of 10 spams a day.

      I had a nearly clean mailbox. Then I posted one message to linux-kernel. At least 40 viruses showed up in my inbox within the first 24 hours.

  7. No real cure to this problem by forged · · Score: 4, Interesting
    I'm in exactly in the same situation for having participated to one OSS project as a brief contributor. Searching either on my name or on my email address will turn up dozen of ChangeLog entries listing my email address.

    Worse than that, my name and email also appear on one OSS project's discussion board, in full and with really akeward comments from 1997 or so... Kind of embarassing to read them now, especially with potential clients googling anybody's identities 8-)

    I don't otherwise sign up my primary email address to any lists of sorts, and I use fake names when signing up for non-essential things; I also use disposable webmail addresses and vanity domains for that purpose. I only clean-up web accounts accounts prior to expecting some sort of comfirmation email, after which the account goes back to the abandoned, spammed-to-death status for another while.

    1. Re:No real cure to this problem by Monkelectric · · Score: 1

      Me to, in 2000 before spam was even really a issue I participated in a few OSS projects. Now I'm pounded by 300 - 500 messages a day :(

      --

      Religion is a gateway psychosis. -- Dave Foley

    2. Re:No real cure to this problem by lphuberdeau · · Score: 1

      Server-side (Spam Assassin) filtering and mozilla-mail ends up cleaning most of my spam. I used to care about which email adress I entered at different places to avoid spam. Right now, with over 100 spams a day, I just don't care. I just make sure it gets well filtered and it solves all problems.

      --
      Qui ne va pas à la chasse n'a pas de gibier
      PHP Queb
  8. This is very true by lonely · · Score: 1

    Hi,

    Nearly all of the SPAM email to am email address that I kept hidden for this reason come from a one line change I submitted to JRefactor for context menus on the mac. But still at least I got some credit for it! :-)

  9. Don't blame OSS, please! by ptaff · · Score: 2, Insightful
    I'm a relative newbie and the experience soured me on participating in other OSS projects. How to Slashdot users deal with this? Must I set up disposable email accounts for every list?"


    OSS or not, you should. There is no link between OSS and spam, but there is between mailing lists and spam.

    There is not (yet) a way to make sure obfuscated e-mail addresses don't get caught by robots, so as a good habit I'd suggest you use disposable E-mail addresses every time your mail will be available on the web.

    1. Re:Don't blame OSS, please! by Mr.+Piddle · · Score: 1

      I'd suggest you use disposable E-mail addresses every time your mail will be available on the web.

      They don't necessarily need be disposible, just separate. It's like having two phone lines, where one is unlisted and only for family and friends. The other phone line can get caller ID and an answering machine for screening.

      --
      Vote in November. You won't regret it.
  10. Spamgourmet by Justin+Ames · · Score: 4, Informative

    use a spamgourmet.com address for anything that may ever become public. It's free, and after a specicified number of emails it blocks the address. You just sign up, and everytime you give out an email, you make up on the spot a keyword.numberofemails.username@spamgourmet.com email address, and spam gourmet automatically blocks after that number, you can then allow trusted domains through forever if you want.

    1. Re:Spamgourmet by pancakeunicorn · · Score: 3, Informative

      I second the recommendation. Excellent service.

      The same user name is good for multiple domains as well, i.e., slashdot.4.johndoe@spamgourmet.com would be interchangeable with slashdot.4.johndoe@neverbox.com. I don't remember the other domains off hand.

      If you don't like making a different address for each use, despammed.com has an effective filter and you can opt to forward it on to another address.

    2. Re:Spamgourmet by nhaze · · Score: 1

      I third this recommendation. It is also fun to monitor what companies sell you out and to whom. Since each address has a unique label you can watch who starts spamming it. And of course it then self destructs after it reaches the threshold and then no more spam.

      Although it is just a matter of time until spammers start extractng spamgourmet.com addies and then create their own randomkeyword.99999.yourusername@. Then you still have the option to block specific senders, but it would start getting too troublesome to even bother.

  11. Recent spam by Andy+Smith · · Score: 1

    Spam has gone crazy for me in the last few days. I've gone from 600+ every day, a figure I've been approaching gradually over the last couple of years, to well over 1,000 per day this week.

    I've also noticed that I get blocks of maybe a dozen of the same three or four spams, and while the 40+ Kb ones are still arriving they've been joined by dozens of 100+ Kb ones.

    I use Mailwasher and frankly it's a joke nowadays. Easily 50% of my legitimate mails are flagged as spam because of blacklisting, and 100+ spams per day are listed as legitimate. So I still need to check through every single mail apart from the ones that I have manually flagged by filters.

    Does anyone know why there might have been such a dramatic increase in spam this last week?

    And can anyone recommend a better anti-spam solution? I'm using Eudora on Windows so some of the more advanced (and presumably more reliable) solutions are either unsuitable or unavailable.

    I run a web site commercially and after putting it off for months I'm getting to the point that my only realistic option is to start using web-based customer support. I dislike web-based support but the risk of erroneously deleting legitimate customer e-mails is simply too high now.

    1. Re:Recent spam by tzanger · · Score: 1

      Set up your mail server to use SpamAssassin (can be painlessly hooked in through fetchmail) -- this has given me very little problem, I'd say maybe one false positive in over 10000 (ten thousand) emails or more. The trick is not ot have it too agressive and to use the bayesian filtering and to continuously train it as the spam patterns (and ham patterns) change.

      The far bigger trick though is to use a couple of blacklists. I use cbl.abuseat.org and rbldns-list.dsbl.org's blacklists -- combined with rblsmtpd they turn away the vast majority of spam at the door (legitimate users get a bounce from THEIR SMTP server, not mine), and then SA handles whatever gets through. I am very pleased with this solution. I run it for an entire domain with lots of sales critters who sign up to all kinds of legitimate but spammy-looking lists and as I said, with some Bayesian filter training it works great.

      To train it I just have two additional folders in my MUA -- AASpam and AAClean -- whenever spam comes through I toss it into AASpam, and then every so often I'll take a whack of regular mail (and especially whenever I get a spammy but legit email) and copy them into AAClean. Then once a week or so I'll save those folders and train SA with them. Easy enough instructions for the sales critters and it's nonintrusive.

      If you're dead-set against doing it on your MTA, I believe SA has commercial products too for your Win32 box.

    2. Re:Recent spam by InsomniaCity · · Score: 1

      I recommend Mozilla Thunderbird, as it has good, integrated spam filtering, and it runs on Windows!


      I have to say, I think web-based customer support is better, when tied together with email notifications to the customer. You can present your corporate image, as well as upsell advertising, and enable them to see precisely what is happening with their ticket.

      --
      You cant make anything foolproof, they'll only invent better fools.
    3. Re:Recent spam by natmsincome.com · · Score: 1

      The two best solutions I know of (if you don't own the server) are Spamarrest and POPFile.

      Both get rid of spam very differently but I've gotten about 99.8% acuracy with both (for different people)

      SpamArrest uses "Challenge/Response" which is annoying if you have lots of new people email you but if it's mainly old email addresses it's great.

      If you don't want to pay anything then POPFile is for you. It uses Bayesian filtering which basically means it learns what you think spam is. That means it might take a couple of weeks to train it but then it's great. As spam changes so does it (retraining). The only things it's gets wrong for me are things like newsletters (or good spam for lack of a better name).

      Anyway good luck.

    4. Re:Recent spam by phaze3000 · · Score: 2, Interesting
      That's the same Spamarrest which sends spam right?

      I'd stay well clear..

      --
      Blaming GW Bush for the Iraq war is like blaming Ronald McDonald for the poor quality of food.
    5. Re:Recent spam by brienv · · Score: 1

      I work for a company that provides a very good anti-spam gateway service that you might want to check out. You basically just point your mail domain to our filtering servers, which filter (quarantine) out the junk and then forward the rest to your original mailserver. The block rate is around 98% and the false positive rate is close to zero. The cost is less than $2.00/user/month but if you e-mail me at brien1@redcondor.com I might be able to get you setup for less.

      Best of luck,
      Brien

      I would have sent this via e-mail but your address isn't listed in your profile. Gee, I wonder why? :-)

    6. Re:Recent spam by wimvds · · Score: 1

      I use both POPFile (at home) and SpamBayes (at work). They both work like a charm...

  12. I'm on a few lists by Apreche · · Score: 2, Insightful

    I'm on quite a few mailing lists, and I get almost no spam. In fact, I get such a small amount of spam that I use the thunderbird filter to get rid of non-spam e-mails that I just don't want. The miniscule amount of spam that I do get is filtered 99% perfectly.

    I don't know what everyone else is doing that is bringing them so much spam. If you play your cards right and use a filter it really isn't a problem anymore.

    --
    The GeekNights podcast is going strong. Listen!
    1. Re:I'm on a few lists by Sheriff+Fatman · · Score: 1

      "I don't know what everyone else is doing that is bringing them so much spam."

      It's called "being unlucky" - and believe me, we're not doing it on purpose...

      --
      -- Open Source: It's mad, but you don't have to work here to help.
  13. "disposable email accounts for every list" by Gaima · · Score: 1

    Yes.

    Doesn't matter what the list admin does to the web archives created, it won't stop other people creating web archives.
    Many people on the gentoo lists have complained about getting bararged by spam and viruses soon after signing up and posting, yet Gentoo don't create any web archive!

    1. Re:"disposable email accounts for every list" by eugene+ts+wong · · Score: 1

      This is just a thought off the top of my head. Maybe the spammers sign up for a mailing list manually, & then direct all incoming email to an address harvestor.

      --
      testing out my trending skills
  14. False sense of security by Genom · · Score: 4, Insightful

    If you use your email address for *anything*, you'll eventually get on a spammer's list.

    Send only to friends and family? Whoops -- your cousin Jane just sent you an e-card for your b-day. Guess what? The e-card company now has your address on a list (which will eventually be sold, resold, etc...).

    Mom just sent you (and everyone else in her addressbook, and whatever addresses were on it to begin with) a copy of a chain letter! Guess what? One of those email addresses went to someone who's making a list!

    Uncle Jim just got infected with the latest/greatest worm! Guess what? In addition to getting spammed "from" his address, you've most likely ended up on yet another list!

    Posted to a public mailing list? Yep - you're on a list. Doesn't matter if it was Harvester 1.0 or the new and improved Harvester 3.5.2b, you're on the list.

    See, no matter what you do, no matter how closely you guard that email address - if you actually intend it to be used, it's eventually going to get on a spammer's list. And once you're on one list, you mightaswell be on them all (as spammers sell their lists to each other, or collect & trade, etc...)

    Munging the address in a public archive does really only one thing: Prevent legitimate contact. Remember: If a human can decypher the email address, so can a harvester. Simple string replacement is easily coded around. "Coding" your email address only works until the harvesters have translation tables. Munging them severely makes it incredibly hard for an actual human to use your address. In short, you're spiting the forest for the trees.

    Looking at my personal mail stats, I get roughly 90% spam on any given day. Most of it's not even in english (and although I can understand a bit of spoken Japanese, I certainly can't read it, let alone the vast ammount of Korean spam I receive). Sure, it sucks. But what can I do?

    Well, for starters I filter on the server-side. SpamAssassin is the first line of defense. After training up the bayesian side of things, it catches roughly 90% of the spam I receive.

    Second stage is a set of basic "sanity test" filters. Is it from someone I actually know (and is therefore whitelisted)? Is it actually "To" or "Cc" to a legitimate email address of mine? Attachments of known bad types? Headers added by known bulk-mailers? What does ClamAV have to say about it? (Yes, I started building this filter before I discovered SpamAssassin, so there's a bit of overlap) This weeds out around 50% of the remaining spam I get (5% of the total).

    Third stage is Mozilla Thunderbird's bayesian filter, which once trained does a suprisingly good job of catching things that make it through the first two stages. I get about 1 or 2 a week that pass through all three stages - these get fed to both bayesian filters to be learned. The system isn't perfect, but it seems to work OK, until something better comes along. And anyone who needs to contact me can.

    The other thing I do now (which I'd have done earlier, had I the resources) is give each company I do business with it's own address. While this doesn't cut the spam, it does allow me to track who's been selling my address, and who hasn't. Yahoo and Ebay (both previously mentioned in other threads) have been the main culprits thusfar, although there are a few smaller companies I've caught as having sold their email lists as well.

    So, should we munge all email addresses beyond recognition in order to "stop" spam? I'd have to say no - as it prevents legitimate users from emailing you. Should we be extremely careful *who* we give our email addresses to, and *what* address we give out to them? Absolutely. Should we complain, *loudly* to companies whom we can catch selling our addresses to spammers, or worse, spamming us themselves. Absolutely.

    Just my $.02.

    1. Re:False sense of security by Maestro4k · · Score: 2, Informative
      • The other thing I do now (which I'd have done earlier, had I the resources) is give each company I do business with it's own address. While this doesn't cut the spam, it does allow me to track who's been selling my address, and who hasn't. Yahoo and Ebay (both previously mentioned in other threads) have been the main culprits thusfar, although there are a few smaller companies I've caught as having sold their email lists as well.
      For those that don't have their own domain or ability to create new E-mail addresses at will, check out Spam Gourmet. It allows you to create disposable E-mail addresses on the fly. You can tell it how many E-mails will be allowed at that address (from 1 to 20). Once that many are received the address expires. Part of the brilliance of it is that when an address expires it doesn't start bouncing, any E-mail to it just gets /dev/nulled. Spam Gourmet does track how many E-mails get eaten so you can see how badly the spammers THINK they are spamming that address. It's much fun to check and see you've missed out on hundreds or thousands of spam mails.

      There's more to it than that for those willing to dig into the advanced options. You can add trusted senders so if you're on a mailing list in archive form, you can use a disposable E-mail for it. None of the trusted sender's E-mails lower the counter of remaining E-mails to that address, and they will continue to get through to you even after the address has dropped to 0 remaining. You can set it up so the E-mails it forwards to you are ready for you to reply through Spam Gourmet, masking you real address so it looks like it came from the disposable one. You can also go in and adjust the remaining E-mails left on an address, both up and down.

      Since I started using it I've had less spam problems, and I can tell you every company that sells my address. It's a great service and totally free!

    2. Re:False sense of security by ErrataMatrix · · Score: 1

      It's always good to have at least 2 accounts, agreed as I've been reading replies I haven't come across anyone sugesting greylisting http://projects.puremagic.com/greylisting/ I came across this process when my account @ http://www.ezrs.com starting using it. Seems like an excellent unabtrusive idea. So far I have received no SPAM since they started using it. It basically relies on the fact that most spammers will just send the message once and don't look for mail bounces and all legitimate mail will look for a mail bounce and try to resend the email at a later time. This delays my mail sometimes but I don't spend any time reading or deleting SPAM (so far until the spammers figure out a way to bypass this that is cost effective) and I maintain a second mail address for very urgent mail Does anyone else have any experience with greylisting? Ways to implement it on linux systems?

    3. Re:False sense of security by zarthon · · Score: 1

      That has been my experience. No matter what you do you get email spam. From your argument it clearly follows Fear Of Spam is not a good reason to avoid, contributing to oss or online discussions. : ) Can you also conclude that Email is a horrible anachronistic kluge and must be fixed ?

    4. Re:False sense of security by slashdot_commentator · · Score: 1


      Its swell that you are able to get rid of so many spammails, but to me, my real concern is eliminating false positives. What do you do to ensure that "valid" emails aren't thrown out with the spam?

      --
      There is no America. There is no democracy. There is only IBM and AT&T and DuPont, Dow, General Electric, and Exxon
    5. Re:False sense of security by Master_Wu · · Score: 1

      You forgot to mention training cousin Jane, uncle Jim, and Mom to NOT do those things. It's a tough battle, I know, but we have to try. Also, somebody, somewhere is actually buying the damn stuff, not that I've ever met anyone who has. How do we find and train those people to not purchase through spammers? I don't have that answer, but I'm working on it.

      --
      Wine, music and cinema are the three great creations of humanity. -T'Ian Han
  15. two options by jamesh · · Score: 1

    1. change email accounts very regularly
    2. keep the same email account and filter spam

    #1 is a pain as you have to keep updating contacts to your new email address. (spammers seem to have no trouble finding it)

    #2 also involves ongoing effort. Every new thing I do to stop spammers seems to be great for the first few weeks (no spam gets through), then one, then one or two. It still filters out 99% though.

    Remember though, for every spammer you shoot, there are 5 more ready to step up to take their place!

  16. I don't care by dimss · · Score: 1

    Google and friends show my address in many maillist and FIDO archives for last four or five years. There's 200+ mail users in our domain. I receive more spam and viruses than anyone else.

    There's no reason to hide my email anymore. I receive lots of spam anyway. Simple procmail rules stop 90% of it:

    :0
    * ^Received: from (solutions.lv|194.8.5.86)
    Shit/

    :0
    * ^Content-Type:.*text/html
    Shit/

    :0
    * with E?SMTP
    * ^Message-ID:.*mailserver.solutions.lv
    Shit/

    :0
    * ^Content-Type:.*multipart
    {
    :0 B
    *! ^Content-Type:.*text/plain
    Shit/
    }

    :0
    *! ^To:.*dimss@solutions.lv
    NotToMe/
  17. You Think You've Got Problems by Markus+Registrada · · Score: 1
    What about me? I get 70+ MB of viruses every day, apparently because some virus writer decided to target people on the Gcc development lists. Besides our bombardment with the viruses, everybody else who gets the viruses sees our addresses in the return address.

    I use nkvir-rc under procmail to filter them, which leaves only a few dozen bounce messages per day from sites that got viruses with my return address on them. I have amended nkvir-rc to work properly with Maildir-style mailboxes. (Probably the next released version will have these improvements.)

  18. Which is why by Anonymous Coward · · Score: 2, Interesting

    I use one obviously false handle to refer to myself with folks who don't already know me (or in an online context with those who do). If I ever decide to claim something, I can provide proof (witnesses, records on my machine, passwords to log into accounts under that handle) that I am that person; otherwise, I retain my anonymity.

    It's not perfect; you could still trace it to me, or steal the handle if you were so inclined. But a google for that handle won't link it to me - I've checked for that.

    1. Re:Which is why by justMichael · · Score: 1

      Apparently you are very active online, I see your handle (Anonymous Coward) all over the place ;)

  19. and bug reports too by dwoolridge · · Score: 1

    It goes without saying the same thing happens with list archives, where one might participate in OSS-related discussion. However, as per my journal entry, submitting a bug report gives similar results. So now, I don't submit bugs where I don't have control over my email address.

  20. Easy by rainer_d · · Score: 1

    Move your domain or account to a real provider who does:

    - virus-checking (I don't have to wade through almost 600 viruses per month just by using clamav on the server)
    - RBL'ing of all the open proxies, open relays and dynamic IP-address-space (~5000 "hits" per month for me - potential spam that never even enters my server)
    - and filter the rest of mail via Spamassassin

    This way, I get only 5-10 spams per day or so and most of it is pre-filtered into my Spam-folder on the server.
    The rest is collected by mozilla, mostly and moved into the "spam-train"-folder, where sa-learn will take it from time to time.

    That doesn't do anything about the bounces, but it improves the situation very, very much.
    Since I've done that, email is (almost) just like it used to be in 1995.

    Rainer

    --
    Windows 2000 - from the guys who brought us edlin
  21. New "Mail Returned" tactic by onehairyleg · · Score: 3, Interesting

    I've been using SpamAssasin that my mail ISP(ASP) provides me with - and it seemed to be working really well. I trust it so much that anything now goes to /dev/null - however - it all seems to have broken down with what appears to be a new improved spam attack: Over the last week or two I've been getting 50+ mails a day that appear as "Mail returned" messages where they are obvisouly bouncing mail back to me - often using random_username@mydomain.com as the fake from address which then hits my postmaster@mydomain.com and is forwarded to me.

    This is a major PITA, as whilst I now filter these too it makes it more difficult to see when _my_ real legitimate mail didn't make it somewhere because of a problem.

    How long can the spam filters hold all this back !

  22. Use TMDA by terrencefw · · Score: 1
    I use TMDA to filter incoming messages, and tag outgoing ones.

    I sign up to mailing lists using listname@mydomain.com, then use TMDA to:

    • Rewrite the From: address to the one the list knows about, eg: gentoo@jamesholden.net
    • Generate a time-limited address for the Reply-To: header, which only works for a week.
    This means that I never post to the list from the wrong address, and people on the list can reply to me without being issued a challenge/response mail.

    Actual list traffic is sorted into a folder based on the List-ID: header.

    --
    Like tinyurl, but one letter less! http://qurl.co.uk/
  23. Worms are the bane of my existence by milgr · · Score: 1

    Until this year, I was lucky enough to have never received an email based worm. I have participated in an OSS project, and my email address is in the code and on a mailing list.

    Starting this year I started receiving emails to my OSS address, and variations on that address (as anything@me.domain will be delivered to me).

    I turned on virus protection at my email provider. That left me with 100 bogus bounced emails a day, mostly to unused email addresses.

    I set up rules to reject email sent to common-names@me.domain. That eliminated most of the viruses and bounces.

    I also received my first spam to my oss email address. I suspect it is from a spammer recieving worm email with my oss address (which my be in other people's legitimate address books).

    Lastly, my machines run Linux, so they didn't execute the worm.

    --
    Where law ends, tyranny begins -- William Pitt
  24. In a word - Yes by kalidasa · · Score: 1

    Must I set up disposable email accounts for every list?"

    Actually, what I do is have a single disposable email account for all lists, and change it regularly. I suspect that some spammers (probably those who troll WHOIS records) are getting wise to that and starting to email to random@domain.tld (where random is someone's name).

    1. Re:In a word - Yes by Anonymous Coward · · Score: 0

      You are correct. I've had a lot of such messages recently.

  25. SF.net by EduardoFonseca · · Score: 1

    I've never had any problems with sourceforge.net. They listserv modification successfully obscures my e-mail on the list archives.

    But, please, don't blame OSS.

  26. Get a good spam filter by iroberts · · Score: 1

    I used to try being as anonymous as possible, because, like the poster, I did not want to face the wrath of the spam monster. However, when my work address, which was on published aliases, started getting hunted in earnest by the spam monster, I was finally forced to look into Baysian filters (I chose spamprobe, but there are plenty of other good ones as well). The pleasant surprise was that they work extremely well. So well, in fact, that I've really just stopped worrying about how many spammers get my email address. It's not that the monster is gone, but it is trapped in soundproof box in another room that I never go into. Silly monster.

  27. Yep, that's disuaded me from posting too... by Spoing · · Score: 1
    I've not joined some groups specifically because of this problem. Getting 400-500 spams a day is a pain, even if only a couple come through the filters.

    Slashdot example: I used to have a visible mail account posted here at /.

    I quickly turned that off, though to this day 10% of my spam is to that account, so I've placed it in the /dev/null filter. I've not used it in 4 or more years.

    The sad thing is that I did initially get some on-topic private emails...no more.

    --
    A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
  28. Re:thats not what im worried about! by rbolkey · · Score: 1

    which obviously beckons ... you have your own website and you expect it to show that you're not a geek?

  29. get a better email client. by Anonymous Coward · · Score: 0

    Thunderbird eats spam.

  30. TMDA and other challenge response mechanisms... by rthille · · Score: 1

    I use TMDA (Tagged Message Delivery Agent http://tmda.net ) which lets me generate addresses which only accept mail either for a limited time or from certain domains/addresses. It'll auto maintain a whitelist, and you can have a blacklist. If mail comes in to an address which has 'expired' or which is from the 'wrong' sender, you can decide whether to drop the email, or send a 'challenge', which if the sender replies to, you receive the email.
    The only problem with C/R mechanisms like this (besides the ~3x bandwidth :-) is when someone is 'joe-jobbed' and they receive challenges in addition to all the bounces and the 'hey ass, why'd you spam me' emails. Hopefully people will really start to implement 'SPF' http://spf.pobox.com/ soon.

    --
    Awesome furniture, accessories and cabinetry in Santa Rosa, CA: http://humanity-home.com/
  31. Sue Spammers List by waldoj · · Score: 1

    I used to be a subscriber to the Sue Spammers mailing list, for folks interested in taking legal action against spammers. I unsubscribed after a month or so, when I found the list archives were public, with exposed e-mail addresses, including my own. Red flag, bull, etc.

    WTF?

    -Waldo Jaquith

  32. The answer is yes. by /dev/trash · · Score: 2, Informative

    Go to Sneakemail and sign up. It makes life so much easier.

  33. dodgeit by phildog · · Score: 1

    you can use all the disposable addresses you want at dodgeit. Just fill in #3 for me if you get a chance :-)

    1. create disposable email service
    2. give it away for free
    3. ???
    4. profit!

    --
    slashsearch.org - slashdot search. powered by google.
  34. solution by Bad+Boy+Marty · · Score: 1

    Alas, the 1st step is to allocate temporary email addresses for everything you participate in outside of your own domain.

    The 2nd step should be public evisceration of anyone who sells an email address, or sends email to a purchased email address -- preferably after having been administered enough stimulants that they are unable to lose consciousness until they lose life.

    And, yes, that is my tempered, reasoned response. You should see my knee-jerk response....

    --
    RHCE; are you certified? Karma: ambiguous.
  35. Re:thats not what im worried about! by SkunkPussy · · Score: 1

    > which obviously beckons ... you have your own website and you expect it to show that you're not a geek?

    and I've got about 5 domain names I don't need......and?!

    --
    SURELY NOT!!!!!
  36. Run your own mail server! by uslinux.net · · Score: 3, Informative

    One more reason why running your own mailserver is the way to go. Sendmail, for instance, easily supports virtual user tables (virtusertable) - aliases, basically. Use a rule like:

    USERNAME+%2@yourdomain.com USERNAME

    Which will deliver all mail in the form of bob+amazon@hisdomain.com to bob@hisdomain.com. Use a different name on each site, but you don't need to create aliases for each user. When you start getting spam to that address, just add a line *before* the one above of

    USERNAME+SOMESITE@yourdomain.com error:nouser User has been removed because of SPAM

    I only wish I had started doing this before my primary addresses had been harvested :-(

    1. Re:Run your own mail server! by Piquan · · Score: 1

      USERNAME+%2@yourdomain.com USERNAME

      You don't need this rule. Sendmail defaults to routing foo+bar to foo, unless there's a rule specifically to handle foo+bar.

  37. How I've avoided spam... by Samrobb · · Score: 3, Interesting

    This is entirely by accident, but I've talked to others who have done the same thing, and they've reported similar results.

    About 2 years ago, my wife and I set up our own mail server in-house. While we set up the normal "service@domain" addresses for various things, I also had her create a "spam@ourdomain" address for me - something I could use as a generic address for one-time registration pages, that sort of thing. I've been using my "spam@" address pretty regularly since it's been created. More so as time wore on, when something became pretty apparent:

    I was getting almost no spam directed to that address.

    Now, I've used that address in a number of places, including on Usenet. I get (perhaps) one or two prices of spam per month. The only thing I can figure is that spammers, or folks putting together mailing lists for spammers, have decided that "spam@" just isn't worth sending email to. Maybe I've just been lucky; maybe my "spam@" address will be inundated with spam tomorrow morning. I don't know. I do know that it's worked well enough for me that if I ever end up managing a mail server for another domain, I'm going to make sure that I have a "spam@" address there as well.

    --
    "Great men are not always wise: neither do the aged understand judgement." Job 32:9
    1. Re:How I've avoided spam... by bmsleight · · Score: 2, Interesting
      I can only agree. I have been using me.spam@domain.tld for a few months now. The amount of spam has gone down.

      Most people when replying will not even look at the actual email address. They will also be the people most likely to have my email address harvested, (virus, chain mail). The power users will ask or drop the .spam part.

      The evil spammers, AFAIK just drop all address containing spam, as logical speaking if you have offuscated your email address your not going to respond to a spam and/or your going to report the spammers IP. It works a bit like a double bluff.

  38. Spam evolution by Brandybuck · · Score: 1

    Slightly off topic, but the discussions here made a light bulb go off in my head...

    We, the people fighting spam, might be making stuff worse for ourselves. Super bacteria that are resistant to antibiotics came about as a result of an overuse of antibiotics. Are we doing the same thing to spam? Are we inadvertently accelerating the evolution of spam technology?

    Maybe instead of using ever more complex filters and other anti-spam techniques, we should alter our approach to spam before we completely lose the ability to send email that won't get lost in the deluge of junk. No matter what kind of filter we throw up the spammers will respond with stuff that gets around it. Spammers aren't stupid. Do we think they don't have access to the same filters we do?

    The alternative is two-fold. First, we have to accept that a certain amount of spam in our inboxes is inevitable. Throwing sophisticated filters at every possible filter point only accelerates spam evolution.

    Second, we have to take the fight against spam out of the arena of technology and into the real world. Sue the spammers! Lobby for laws prohibiting spam. Don't accept "legal" spam from politicians. Find out who the spammers are and hold them up to public ridicule. In a similar manner ridicule those who respond to spam. Yada, yada, yada.

    --
    Don't blame me, I didn't vote for either of them!
    1. Re:Spam evolution by Anonymous Coward · · Score: 0

      You've hit on the answer.

      Just like in NYC if everyone flushes the crapper at the same time, the tunnels flood, eveyone should answer his/her spam. ALL THE TIME.

      Instead of Baysian filters to block it, Baysian auto-responders to answer back.

      Then the companies that use spam to advertise, would get buried in replies. Something they are counting on never happening.

    2. Re:Spam evolution by zarthon · · Score: 1

      I agree. Some spam will get through. I just delete it or mark it for spam training... depending on whats available. I believe that it is possible to thrwart the efforts of email spammers. For example many search engines do a good job with webspam and they deal with much larger datasets. Depending what you use email for and how much time you spend using it, each person has to strike a balance between training the filters and getting a bit o spam. Large internet service providers are making an effort to block a bulk of identical messages from being sent. My objective is to not waste time or money. ...Sue? Errrrrer? no. Write a letter to congress? ...I want to *save* time. I also don't want to set prescidents making internet controling laws. Cheers + + + + + +

    3. Re:Spam evolution by Brandybuck · · Score: 1

      I get about 150 spams a day at work. These are merely being marked as spam and sent on to the clients, because we still have not found a filter that never classifies any client email as spam. Since I get this spam in such huge volumes, I tend to notice some trends. About ten spams a day get through without being marked. Spammers learn and next week whatever trick those spams used will be used by all the spammers. Then the filters catch up. Then the spams catch up. Then the filters catch up. Then the spams catch up. Ad infinitum. Never ending.

      Filtering is not getting rid of the spam! All filtering does is get rid of the stupid spammers that aren't using this week's spam technique.

      It's like using a virus scanner that only detects known viruses. Oh wait...

      --
      Don't blame me, I didn't vote for either of them!
    4. Re:Spam evolution by morningstar8 · · Score: 1

      As it turns out, *no* spammer has the same filter I do. I use Bayesian filters; in particular, Thunderbird for recreational use, and Outlook with SpamBayes for professional use. What I consider as spam is different from what anybody else considers as spam, so my filter is different from anybody else's.

    5. Re:Spam evolution by Brandybuck · · Score: 1

      You're also filtering on the client, which isn't doing anything to stop the bandwidth clog.

      --
      Don't blame me, I didn't vote for either of them!
  39. Can't always run your own server by Shurhaian · · Score: 1

    Doesn't always work. My ISP(Cogeco cable) doesn't allow inbound SMTP connections to its users.

    The only other high-speed residential option is Bell's DSL, which has other issues(such as not being terribly high-speed). A regional ISP does offer residential DSL, but not to my particular area.

    And I'm not a business, I've got a limited budget, so I can't afford something more expensive like a business connection. Always-on Internet is an expense I'm willing to deal with, but not by much.

    --
    NB: YMMV. IANAL. Take the above with a grain of salt.
  40. SpamBayes for Outlook by morningstar8 · · Score: 1

    If you find yourself forced to use Outlook (Look out!) for whatever reason, you might want to try using SpamBayes for Bayesian spam filtering. I actually like it better than Thunderbird's filtering. It dumps mail into three buckets: spam, ham, and not sure. I've been using it for one of my accounts for a number of months now, and I haven't seen spam in my ham bucket since about a week after I started using it. The "not sure" bucket is innovative; it allows a third option for e-mails that the filter isn't sure about. I get about 5 e-mails a week in the "not sure" bucket; they're about half ham, half spam.

    I use Thunderbird at home. Its built-in Bayesian filter is pretty good (though not as good as SpamBayes, in my experience), and because you can view e-mail in Text or Simple HTML mode (as well as full HTML when necessary), you can avoid falling victim to web bugs.

  41. How I avoid spam? by SeregonSandgrain · · Score: 0

    I have two accounts on my mail server. Account A is for personal mail, and Account B for other mail\mailing lists\etc.

    For every person who I want sending me personal e-mail, I set up a redirect (@mydomain.tld) to Account A. If I begin receiving spam on that address, I simply delete it and inform the person. If they want to send me more mail, they can let me know, and I'll set up 2@mydomain.tld. After that, they get one more chance. If they screw that up, I just don't give them my address again.

    For mailing lists or websites, I set up a redirect (slashdotorg@mydomain.tld) to Account B. If I start getting spam there, I delete the redirect. Then I get my shotgun and go 'hunting' =)

    </ASP>

    --
    My User Agent: "Where is the pr0n?"
  42. easiest disposable addresses by sweet+reason · · Score: 1

    the easiest way to set up disposable addresses is to get a (free) account at spamgourmet.com. you can then create addresses on the fly, without having to go to their site. for example, the first 12 messages sent to
    slashdot.12.mbloore@spamgourmet.com will be forwarded to me. any others will get eaten. i don't ever have to go back to the spamgourmet site, but if i do i can do things like see how much mail each of my addresses has received, set up whitelists, and reset counters on existing addresses.

    --
    Everything should be made as simple as possible, but not simpler. -- A.E.
    1. Re:easiest disposable addresses by a24061 · · Score: 1
      If the disposable addresses are created on the fly to a straightforward pattern, what stops an evil spammer from parsing *.*.*@spamgourmet.com addresses and adding, for example, p3n1sgrowth.9999.mbloore@spamgourmet.com to his mailing list?

      You would then have to cancel that subaddress manually, but in the meantime he would have added p3n1sgrowtha.9999.mbloore@spamgourmet.com, p3n1sgrowthb.9999.mbloore@spamgourmet.com, etc.

    2. Re:easiest disposable addresses by Anonymous Coward · · Score: 0
      adding, for example, p3n1sgrowth.9999.mbloore@spamgourmet.com to his mailing list?

      1) 9999 would be interpreted as 20, since there's a maximum of 20 messages at create time
      2) the "advanced mode" options allow you to specify "watchwords" that are used for regex matching before creating an address - you can use regex anchors, etc. to make it unlikely that a permutation of an existing address would work. You can also periodically change the watchword list so that existing published addresses offer no clues as to how to create a new one.

      Of course, this never happens to most accounts, and the where it does happens, the user goes from "no maintenance" to "a little maintenance" -- it's still pretty transparent. Users *could* specify a watchword set that effectively blocks all auto-creates, and then use the web interface to manually create each address that will be used, but at that point the service is on par with other services that make you affirmatively create each address -- fortunately, this approach isn't necessary because of the watchwords.

      I've been using the service vigorously without watchwords for years, and I think I've received two *messages* on new addresses that I didn't expect, and these were probably explained by typographical errors of other users (i.e., accidentally using my username instead of theirs in an address).
    3. Re:easiest disposable addresses by sweet+reason · · Score: 1

      the maximum number allowed is 20, and you can set up "watchwords" that are required to appear in addresses.
      in any case, it doesn't seem likely that spammers will go to a great deal of trouble to spam a few people who have demonstrated their desire to avoid spam. what would it profit them?

      --
      Everything should be made as simple as possible, but not simpler. -- A.E.
  43. Re:thats not what im worried about! by Anonymous Coward · · Score: 0

    Well, with a name like SkunkPussy, I'm suprised that was the worst you found!

  44. TMDA by pongo000 · · Score: 1

    TMDA allows you to specify "keyword" addresses. Simply pick a keyword, and a new e-mail addy is generated. If it gets swamped with spam, put it in your blacklist and get on with life.