Steve Murphy wrote:

> I'm quite concerned about what I'm seeing in mailman installations, and the amount of spam I've been getting because I participate in mailman based lists!
>
> What I'm concerned about is the fact that email harvesters are being given so much information. I've noticed in the mailman-users archives, that if I view info by thread (using the mailman archives as an example,) which site is 2.1.10 based, that all email addresses are present, but with a simple obfuscation. (the "@" has been changed to " at ".) I can't help but to think that this simple obfuscation is a joke. Any harvester written in the past number of years would be smart enough to capture such accurately.

When we were looking for a list software package, we came up against this problem. I think the issue here is that the archives are open to anyone (aka public archives), and there is no real way of allowing people to contact anyone off list if the email addresses are protected. That said, there are a number of external archiving solutions around that will do this already, such as MHonArc http://www.mhonarc.org/.

> When viewing the developer's archives, I note that when a message is displayed singly, it is common to see [EMAIL PROTECTED]. This is much nicer, but I notice that in both archives, a button is provided at the bottom of the letter, that submits a form, and gets back both a "Found" page, with a mailto: url, and a redirect to a mailto... so, an anonymous user can easily get/harvest email addresses by simply analyzing the html form.

The email form is done by mail-archive.com, and they are running several honeypots to monitor spam coming in via this method. The FAQ which explains this is at http://www.mail-archive.com/faq.html.

[...]

> It seems inconsistent, funny even, that display by thread will show individual messages with [EMAIL REMOVED], but the gzip'd archives of the same message reveal, really, everything.

Are you sure you are viewing the same archives?

> And worse... If I really wanted to collect up-to-date juicy email addresses, I'd simply subscribe to all the mailman lists I possibly could, and route all the incoming messages to harvesters. In **This** case, the harvest is bountiful, as most messages arrive totally unfiltered, from headers galore bearing bounteous harvests of email addresses (for example, the From header), to the user sigs at the ends, with reply quotation headers mentioning the source addresses in between.

This is a problem with email not Mailman. Do you see Freelists, YahooGroups or Google Groups doing similar?

> Within MINUTES of my first posting on asterisk-users, I was getting spam on an email address that was brand-new. Since then, the spam volume on that email addr just keeps growing.

That is interesting as I have subscribed to several lists using a list account at work which are on Mailman - namely RedHat and LUG user groups, and I haven't had spam to that address in ages. Contrast this with my main work address, which I use to sign up for email newsletters (when evaluating products), use as sales contacts, fill in web forms etc, where I get around 40-50 spams a day.

> I keep wondering, which way did they get my email addr? But, it doesn't matter. I can't help to think that 'targeted' spam mailers both spider the archives and subscribe to the lists. The bigger the list's subscription, hotter an item it is.

Maybe you should post this to one of the mail-archive lists, to see if the people controlling the honeypots are finding similar.

> So, please, can we apply the [EMAIL PROTECTED] tech to the archives, and the outgoing messages, and drop this silly notion that the " at " obfuscation is useful? Really, it's totally transparent.

Possibly agreeing with you viz the archiving via the web, but I for one would never use such a feature as email protection on any of my lists for email subscribers.

Andrew.
------------------------------------------------------
Mailman-Users mailing list
Mailman-Users@python.org
http://mail.python.org/mailman/listinfo/mailman-users
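The archive scrubbing discussed in this thread, as an added example that is not part of the original message or of Mailman's own code: a Python sketch that replaces both plain and " at "-obfuscated addresses in a raw archived message with the [EMAIL PROTECTED] placeholder, covering headers, reply attribution lines and signatures, while leaving threading headers intact. The function names, the regular expression and the sample message are constructed for illustration.

```python
import re

PLACEHOLDER = "[EMAIL PROTECTED]"

# Threading headers carry message IDs that look like addresses; the archive
# needs them unchanged to rebuild threads, so they are not redacted.
KEEP_HEADERS = {"message-id", "in-reply-to", "references"}

# Local part, then "@" or the " at " form, then a dotted domain.
# Assumption: over-redaction is acceptable ("look at example.com" is also
# replaced), because the scrubber should fail closed.
ADDR = re.compile(r"[A-Za-z0-9._%+-]+(?:@| at )[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")


def redact(text):
    """Replace every address-like token in text with the placeholder."""
    return ADDR.sub(PLACEHOLDER, text)


def scrub_message(raw):
    """Redact addresses in one raw message, preserving threading headers."""
    head, sep, body = raw.partition("\n\n")
    out, keep = [], False
    for line in head.split("\n"):
        if not line[:1].isspace():  # a new header, not a folded continuation
            keep = line.partition(":")[0].strip().lower() in KEEP_HEADERS
        out.append(line if keep else redact(line))
    return "\n".join(out) + sep + redact(body)


# Constructed sample message (not taken from any real archive).
SAMPLE = """\
From: Alice Example <alice@example.org>
To: list@lists.example.net
Message-ID: <20080107.1234@mail.example.org>
In-Reply-To:
 <abc123@mail.example.com>
Subject: Re: harvesting

On Monday, bob at example.com wrote:
> contact me directly
--
Alice, alice@example.org
"""

if __name__ == "__main__":
    print(scrub_message(SAMPLE))
```

Running the same function over the downloadable gzip'd archive files as well as the HTML pages keeps the two views of a message consistent.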