Re: [Mailman-Developers] Proposed: remove address-obfuscation code fromMailman 3
On Aug 25, 2009, at 7:42 AM, s...@pobox.com wrote: The other thing about Mailman's obfuscation is that I sorta think that by now the spammers have figured it out. I mean, skip at pobox.com? Come on. Even Barry stands a good chance of writing a regular expression that can locate something like that, his self-deprecation about his r.e. prowess notwithstanding. :-) If nothing else, all an enterprising spammer would have to do is steal Mailman's email address matcher and replace @ with at . Oh, wait, it's open source. They wouldn't even have to steal the code. I've always wanted to re-architect the archives so that they would / always/ vend the messages from an active process. I wouldn't have any static files, except a cache for efficiency, and I would generate the HTML on demand. My guess is that 99% of all archived messages are never read by a human. The problem of course is spiders but I guess they'll just warm up your cache. ;/ This would allow: * easy redeployment of new obfuscation techniques * on demand take downs or sanitization * easy site regeneration for style changes. -Barry PGP.sig Description: This is a digitally signed message part ___ Mailman-Developers mailing list Mailman-Developers@python.org http://mail.python.org/mailman/listinfo/mailman-developers Mailman FAQ: http://wiki.list.org/x/AgA3 Searchable Archives: http://www.mail-archive.com/mailman-developers%40python.org/ Unsubscribe: http://mail.python.org/mailman/options/mailman-developers/archive%40jab.org Security Policy: http://wiki.list.org/x/QIA9
Re: [Mailman-Developers] Proposed: remove address-obfuscation code fromMailman 3
--On 24 August 2009 13:15:03 -0500 Hopkins, Justin hopkin...@umsystem.edu wrote: Thanks for such a detailed and compelling post..but I must disagree. I can't refute any of the arguments you made, they are all quite sound, but I do take issue with your conclusion. Obfuscating the email addresses is just a part of 'defense in depth' - same as patching your computer, using a firewall, etc. Each layer, no matter how thin, still adds something. Cheers, Justin Quite right. Rich's argument is, essentially, that obfuscation isn't 100% effective so it shouldn't be used. Frankly, if it's 10% effective, then it's worth doing in my view. Further, Rich offers no evidence of significant harm done by obfuscation. Finally, there are other privacy concerns than spam harvesting that may also be mitigated by address obfuscation. -- Ian Eiloart IT Services, University of Sussex 01273-873148 x3148 For new support requests, see http://www.sussex.ac.uk/its/help/ ___ Mailman-Developers mailing list Mailman-Developers@python.org http://mail.python.org/mailman/listinfo/mailman-developers Mailman FAQ: http://wiki.list.org/x/AgA3 Searchable Archives: http://www.mail-archive.com/mailman-developers%40python.org/ Unsubscribe: http://mail.python.org/mailman/options/mailman-developers/archive%40jab.org Security Policy: http://wiki.list.org/x/QIA9
Re: [Mailman-Developers] Proposed: remove address-obfuscation code fromMailman 3
Ian Quite right. Rich's argument is, essentially, that obfuscation Ian isn't 100% effective so it shouldn't be used. Frankly, if it's 10% Ian effective, then it's worth doing in my view. I would be quite surprised if address obfuscation is anywhere close to 10% effective. Maybe 0.01%. The problem I see with Barry's argument that users demand it so Mailman must provide it is that position just propagates misinformation about the ineffectiveness of the feature. I would vote for tossing it out, or at the very least making it a per-list flag which admins could disable if they wanted. The other thing about Mailman's obfuscation is that I sorta think that by now the spammers have figured it out. I mean, skip at pobox.com? Come on. Even Barry stands a good chance of writing a regular expression that can locate something like that, his self-deprecation about his r.e. prowess notwithstanding. :-) If nothing else, all an enterprising spammer would have to do is steal Mailman's email address matcher and replace @ with at . Oh, wait, it's open source. They wouldn't even have to steal the code. -- Skip Montanaro - s...@pobox.com - http://www.smontanaro.net/ Getting old sucks, but it beats dying young ___ Mailman-Developers mailing list Mailman-Developers@python.org http://mail.python.org/mailman/listinfo/mailman-developers Mailman FAQ: http://wiki.list.org/x/AgA3 Searchable Archives: http://www.mail-archive.com/mailman-developers%40python.org/ Unsubscribe: http://mail.python.org/mailman/options/mailman-developers/archive%40jab.org Security Policy: http://wiki.list.org/x/QIA9
Re: [Mailman-Developers] Proposed: remove address-obfuscation code fromMailman 3
You are presuming too much on spammers as a whole. I've dealt with a couple spammers, and they just used some tools they got online that search for usern...@domain.something. Everything else is ignored. I don't for a minute doubt that the advanced spammers will snag anything and everything no matter how strange it is obfusticated (sp?). But there are a LOT of low-tech spammers still out there, and there is enough low hanging fruit for them that this little bit we are discussing can be over their head. Bob -- Original Message --- From: s...@pobox.com To: Ian Eiloart i...@sussex.ac.uk Cc: mailman-developers@python.org, Rich Kulawiec r...@gsp.org Sent: Tue, 25 Aug 2009 06:42:12 -0500 Subject: Re: [Mailman-Developers] Proposed: remove address-obfuscation code fromMailman 3 Ian Quite right. Rich's argument is, essentially, that obfuscation Ian isn't 100% effective so it shouldn't be used. Frankly, if it's 10%Ian effective, then it's worth doing in my view. I would be quite surprised if address obfuscation is anywhere close to 10% effective. Maybe 0.01%. The problem I see with Barry's argument that users demand it so Mailman must provide it is that position just propagates misinformation about the ineffectiveness of the feature. I would vote for tossing it out, or at the very least making it a per-list flag which admins could disable if they wanted. The other thing about Mailman's obfuscation is that I sorta think that by now the spammers have figured it out. I mean, skip at pobox.com? Come on. Even Barry stands a good chance of writing a regular expression that can locate something like that, his self- deprecation about his r.e. prowess notwithstanding. :-) If nothing else, all an enterprising spammer would have to do is steal Mailman's email address matcher and replace @ with at . Oh, wait, it's open source. They wouldn't even have to steal the code. -- Skip Montanaro - s...@pobox.com - http://www.smontanaro.net/ Getting old sucks, but it beats dying young ___ Mailman-Developers mailing list Mailman-Developers@python.org http://mail.python.org/mailman/listinfo/mailman-developers Mailman FAQ: http://wiki.list.org/x/AgA3 Searchable Archives: http://www.mail-archive.com/mailman-developers%40python.org/ Unsubscribe: http://mail.python.org/mailman/options/mailman-developers/bob%40nleaudio.com Security Policy: http://wiki.list.org/x/QIA9 --- End of Original Message --- ___ Mailman-Developers mailing list Mailman-Developers@python.org http://mail.python.org/mailman/listinfo/mailman-developers Mailman FAQ: http://wiki.list.org/x/AgA3 Searchable Archives: http://www.mail-archive.com/mailman-developers%40python.org/ Unsubscribe: http://mail.python.org/mailman/options/mailman-developers/archive%40jab.org Security Policy: http://wiki.list.org/x/QIA9
Re: [Mailman-Developers] Proposed: remove address-obfuscation code fromMailman 3
Thanks for such a detailed and compelling post..but I must disagree. I can't refute any of the arguments you made, they are all quite sound, but I do take issue with your conclusion. Obfuscating the email addresses is just a part of 'defense in depth' - same as patching your computer, using a firewall, etc. Each layer, no matter how thin, still adds something. Cheers, Justin ___ Mailman-Developers mailing list Mailman-Developers@python.org http://mail.python.org/mailman/listinfo/mailman-developers Mailman FAQ: http://wiki.list.org/x/AgA3 Searchable Archives: http://www.mail-archive.com/mailman-developers%40python.org/ Unsubscribe: http://mail.python.org/mailman/options/mailman-developers/archive%40jab.org Security Policy: http://wiki.list.org/x/QIA9
