Slashdot Mirror
Volunteering for OSS == Sign Up for Spam?
bckspc asks: "I've been getting pounded by spam lately, so did a Google search on my email address to see where it might appear on the Web. To my horror, it turned up several times in an archive of a Gnome listserv for a project I briefly participated in. While the email address is visibly obscured on the Web pages, it is quite intact in the HTML code. I emailed the list admin about obscuring or removing my email address, but was curtly dismissed. I'm a relative newbie and the experience soured me on participating in other OSS projects. How to Slashdot users deal with this? Must I set up disposable email accounts for every list?"
When I searched for my name, it was more the questions i'd answered geekily on some debian list about 4 or 5 years ago that concerned me. theres loads of them! :-)
And the debian lists are very well linked to its been hard for me to pursuade google to give higher priority to my own website, where I can make out I'm not a geek
SURELY NOT!!!!!
Try using simply foss@domain for lists, and them filter ad filter and filter it. I do agree this is very annoying, and although some listservs do respect this and change the email addresses on list servers, this can't be relied apon. I can't choose my participation based on which projects are going to give my email away.
The only solution that will effectively work (until we fix the spam problem all round) is for list admins to be more careful about munging email addresses to some degree.
The default setting for programs such as pipermail should be one where email addresses are not explicitly displayed.
The best solution I've found to solve problems with email addresses online is Jodrell's mailto php script which renders the address obfuscated but displays it correctly in the browser using JavaScript.
http://jodrell.net/projects/mailto
Set up an account to only receive mails from the lists you joined. Junk everything else.
The Awful Truth
Whenever I need to put my email address somewhere public (i.e. mailing lists and websites) I make up a new email address of the form mailinglistname@myaccountname.freeserve.co.uk or websitename@myaccountname.freeserve.co.uk e.g. the email address I gave slashdot is slashdot.org@myaccountname.freeserve.co.uk
The good part: when I start getting spam to a particular address I just setup a filter that sends all mail to that address to /dev/null
It also lets you know where your email address was harvested from. So when I get spam turning up on slashdot.org@myaccountname.freeserve.co.uk I know it was slashdot who sold my email address to the evil spammers ;-)
If I want to receive mail from slashdot again I just change my email on slashdot to slashdot.org2@myaccountname.freeserve.co.uk
Interestingly most of the spam I get comes in to the email address ebay.co.uk@myaccountname.freeserve.co.uk
This has worked very well for me for several years.
GMail. :-)
Worse than that, my name and email also appear on one OSS project's discussion board, in full and with really akeward comments from 1997 or so... Kind of embarassing to read them now, especially with potential clients googling anybody's identities 8-)
I don't otherwise sign up my primary email address to any lists of sorts, and I use fake names when signing up for non-essential things; I also use disposable webmail addresses and vanity domains for that purpose. I only clean-up web accounts accounts prior to expecting some sort of comfirmation email, after which the account goes back to the abandoned, spammed-to-death status for another while.
use a spamgourmet.com address for anything that may ever become public. It's free, and after a specicified number of emails it blocks the address. You just sign up, and everytime you give out an email, you make up on the spot a keyword.numberofemails.username@spamgourmet.com email address, and spam gourmet automatically blocks after that number, you can then allow trusted domains through forever if you want.
If you use your email address for *anything*, you'll eventually get on a spammer's list.
Send only to friends and family? Whoops -- your cousin Jane just sent you an e-card for your b-day. Guess what? The e-card company now has your address on a list (which will eventually be sold, resold, etc...).
Mom just sent you (and everyone else in her addressbook, and whatever addresses were on it to begin with) a copy of a chain letter! Guess what? One of those email addresses went to someone who's making a list!
Uncle Jim just got infected with the latest/greatest worm! Guess what? In addition to getting spammed "from" his address, you've most likely ended up on yet another list!
Posted to a public mailing list? Yep - you're on a list. Doesn't matter if it was Harvester 1.0 or the new and improved Harvester 3.5.2b, you're on the list.
See, no matter what you do, no matter how closely you guard that email address - if you actually intend it to be used, it's eventually going to get on a spammer's list. And once you're on one list, you mightaswell be on them all (as spammers sell their lists to each other, or collect & trade, etc...)
Munging the address in a public archive does really only one thing: Prevent legitimate contact. Remember: If a human can decypher the email address, so can a harvester. Simple string replacement is easily coded around. "Coding" your email address only works until the harvesters have translation tables. Munging them severely makes it incredibly hard for an actual human to use your address. In short, you're spiting the forest for the trees.
Looking at my personal mail stats, I get roughly 90% spam on any given day. Most of it's not even in english (and although I can understand a bit of spoken Japanese, I certainly can't read it, let alone the vast ammount of Korean spam I receive). Sure, it sucks. But what can I do?
Well, for starters I filter on the server-side. SpamAssassin is the first line of defense. After training up the bayesian side of things, it catches roughly 90% of the spam I receive.
Second stage is a set of basic "sanity test" filters. Is it from someone I actually know (and is therefore whitelisted)? Is it actually "To" or "Cc" to a legitimate email address of mine? Attachments of known bad types? Headers added by known bulk-mailers? What does ClamAV have to say about it? (Yes, I started building this filter before I discovered SpamAssassin, so there's a bit of overlap) This weeds out around 50% of the remaining spam I get (5% of the total).
Third stage is Mozilla Thunderbird's bayesian filter, which once trained does a suprisingly good job of catching things that make it through the first two stages. I get about 1 or 2 a week that pass through all three stages - these get fed to both bayesian filters to be learned. The system isn't perfect, but it seems to work OK, until something better comes along. And anyone who needs to contact me can.
The other thing I do now (which I'd have done earlier, had I the resources) is give each company I do business with it's own address. While this doesn't cut the spam, it does allow me to track who's been selling my address, and who hasn't. Yahoo and Ebay (both previously mentioned in other threads) have been the main culprits thusfar, although there are a few smaller companies I've caught as having sold their email lists as well.
So, should we munge all email addresses beyond recognition in order to "stop" spam? I'd have to say no - as it prevents legitimate users from emailing you. Should we be extremely careful *who* we give our email addresses to, and *what* address we give out to them? Absolutely. Should we complain, *loudly* to companies whom we can catch selling our addresses to spammers, or worse, spamming us themselves. Absolutely.
Just my $.02.
I've been using SpamAssasin that my mail ISP(ASP) provides me with - and it seemed to be working really well. I trust it so much that anything now goes to /dev/null - however - it all seems to have broken down with what appears to be a new improved spam attack: Over the last week or two I've been getting 50+ mails a day that appear as "Mail returned" messages where they are obvisouly bouncing mail back to me - often using random_username@mydomain.com as the fake from address which then hits my postmaster@mydomain.com and is forwarded to me.
This is a major PITA, as whilst I now filter these too it makes it more difficult to see when _my_ real legitimate mail didn't make it somewhere because of a problem.
How long can the spam filters hold all this back !
One more reason why running your own mailserver is the way to go. Sendmail, for instance, easily supports virtual user tables (virtusertable) - aliases, basically. Use a rule like:
:-(
USERNAME+%2@yourdomain.com USERNAME
Which will deliver all mail in the form of bob+amazon@hisdomain.com to bob@hisdomain.com. Use a different name on each site, but you don't need to create aliases for each user. When you start getting spam to that address, just add a line *before* the one above of
USERNAME+SOMESITE@yourdomain.com error:nouser User has been removed because of SPAM
I only wish I had started doing this before my primary addresses had been harvested
This is entirely by accident, but I've talked to others who have done the same thing, and they've reported similar results.
About 2 years ago, my wife and I set up our own mail server in-house. While we set up the normal "service@domain" addresses for various things, I also had her create a "spam@ourdomain" address for me - something I could use as a generic address for one-time registration pages, that sort of thing. I've been using my "spam@" address pretty regularly since it's been created. More so as time wore on, when something became pretty apparent:
I was getting almost no spam directed to that address.
Now, I've used that address in a number of places, including on Usenet. I get (perhaps) one or two prices of spam per month. The only thing I can figure is that spammers, or folks putting together mailing lists for spammers, have decided that "spam@" just isn't worth sending email to. Maybe I've just been lucky; maybe my "spam@" address will be inundated with spam tomorrow morning. I don't know. I do know that it's worked well enough for me that if I ever end up managing a mail server for another domain, I'm going to make sure that I have a "spam@" address there as well.
"Great men are not always wise: neither do the aged understand judgement." Job 32:9