Robert J. Hansen wrote:
> In the battle between armor and warhead, _always_ bet on the warhead.
>
> Playing defensively and trying to make an email address invisible is
> going to be an exercise in frustration. They always get seen. They
> always get spammed. Play defensively and you lose.
Well, if you need to have an e-mail address available to the general public then this is certainly true. Spammers have even been known to hire cheap labor to surf the web looking for e-mail addresses and filling in spam in forms, so even hiding your address in a blurred upside-down JPEG won't help. If you have security-unaware friends who type in your address on "send your friend an ecard" type of sites, or have you in their address book on their Windows box full of spyware, then the spammers will get your address, no matter what you do.

But if you don't need a public address, and only have security-conscious friends, then I would think you have a good chance of staying off the spammers' lists.

Yahoo! has a nice free service called AddressGuard. You just create a base name (foo) and append an ID (bar) to it, and now you have a disposable address: [EMAIL PROTECTED], which delivers mail to your normal Yahoo! address. You can have 500 different IDs, so you can give a different address to each of your friends, and check who is leaking your address.

> Whitelisting, graylisting, blacklisting, Bayesian filters, even lawsuits
> if you're so inclined--those are all active measures which force the
> spammers to adapt to your actions. That gives you a measure of
> initiative back. You're no longer playing pure defensive.

Those are all good things, but just because we have them does not mean that it's not a good idea to try to stay off the spammers' list in the first place. Personally I'd like to see more aggressive anti-spam measures, like the ones taken by Blue Frog.

> If you like, I'll ask the antispam research group here at UI if they
> think there's anything to be gained by omitting an email address from a
> key.

User IDs do not provide any authentication, so security-wise they are useless. The most secure thing would be not to have one at all, and have my friends remember that key number xxxxxxxx belongs to me. This way, if my friends get raided, it will be more difficult or impossible for the police to figure out that it's my key. But since this is very inconvenient, I decided to sacrifice a little security for convenience, by putting my first name in the user ID.

I don't provide an e-mail address mainly because it's easier to change my e-mail address if I don't have to update my key, but this undeniably also makes things a little harder for spammers, since it's one less place they can find my e-mail address. It might also help in a deniability claim. I don't however think that it's too much to ask that people remember which e-mail address goes with which key.

Oskar

_______________________________________________
Gnupg-users mailing list
[email protected]
http://lists.gnupg.org/mailman/listinfo/gnupg-users
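The per-contact disposable addresses Oskar describes (base name plus an ID) only help if you actually check which ID the spam arrives at. The script below is an added example, not part of the original post or of Yahoo!'s AddressGuard; it assumes a constructed "base-ID@domain" layout, a hypothetical registry of which ID was handed to whom, and constructed sample spam messages, and reports which contact's address has leaked.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Hypothetical disposable-address registry (constructed, not real data):
# base name "foo" plus a per-contact ID, delivered to one mailbox.
BASE = "foo"
DOMAIN = "yahoo.com"
ISSUED = {
    "alice": "Alice (uses ecard sites)",
    "bob": "Bob (trusted)",
    "shop1": "Online shop signup",
}

ADDR_RE = re.compile(rf"^{re.escape(BASE)}-([a-z0-9]+)@{re.escape(DOMAIN)}$", re.I)

def disposable_id(addr):
    """Return the per-contact ID of a disposable address, or None if it is not one."""
    m = ADDR_RE.match(addr.strip())
    return m.group(1).lower() if m else None

def leaked_ids(raw_messages):
    """Count, per disposable ID, how many spam messages (raw RFC 822 text) were
    addressed to it via To/Cc/Delivered-To. Each message counts an ID once."""
    hits = {}
    for raw in raw_messages:
        msg = message_from_string(raw)
        headers = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Delivered-To", [])
        seen = set()
        for _, addr in getaddresses(headers):
            tag = disposable_id(addr)
            if tag and tag not in seen:
                seen.add(tag)
                hits[tag] = hits.get(tag, 0) + 1
    return hits

def leak_report(raw_messages):
    """Map each leaked ID to (contact it was issued to, hit count).
    IDs never issued are reported as 'unknown ID' so guessed tags stay visible."""
    return {tag: (ISSUED.get(tag, "unknown ID"), n) for tag, n in leaked_ids(raw_messages).items()}

# Constructed sample spam, not real mail.
SPAM = [
    "From: promo@example.net\nTo: Foo-Alice@yahoo.com\nSubject: Buy now\n\nspam\n",
    "From: x@example.org\nTo: someone@else.com\nCc: foo-alice@yahoo.com, foo-zzz@yahoo.com\nSubject: hi\n\nspam\n",
    "From: y@example.org\nDelivered-To: foo-shop1@yahoo.com\nSubject: deals\n\nspam\n",
]

if __name__ == "__main__":
    for tag, (who, n) in sorted(leak_report(SPAM).items()):
        print(f"{tag}: {n} spam message(s); address was given to {who}")
```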
