[Mailman-Developers] Proposed: remove address-obfuscation code from Mailman 3
iane at sussex.ac.uk
Wed Aug 26 11:57:06 CEST 2009
--On 25 August 2009 21:02:01 +0000 Julian Mehnle <julian at mehnle.net> wrote:
> Bob Puff wrote:
>> You are presuming too much on spammers as a whole. I've dealt with a
>> couple spammers, and they just used some tools they got online that
>> search for username at domain.something. Everything else is ignored.
>> I don't for a minute doubt that the advanced spammers will snag
>> anything and everything no matter how strange it is obfusticated (sp?).
>> But there are a LOT of low-tech spammers still out there, and there is
>> enough "low hanging fruit" for them that this little bit we are
>> discussing can be over their head.
> It's not. Spammers usually don't do address harvesting themselves
> nowadays, but outsource it to botnets (just like they outsource the
> spamming itself to botnets) that are running kind of "off the shelf"
> software tailored to the task. Today, as a spammer you go out and buy
> those services in online shops, paying by credit card. And parsing
> "localpart at domain" is among the most trivial things current harvester
> modules do.
> Any wanna-be spammers who still run their garage business with self
> written tools are pretty much meaningless in terms of magnitude.
> If anything, this kind of obfuscation is an inconvenience to legitimate
> users, but certainly not to spammers.
There's recently published research which suggests that simple obfuscation
can be effective. Concealment, presumably, is more effective. At
<http://www.ceas.cc/> you can download "Spamology: A Study of Spam Origins".
They say "Surprisingly, even simple email obfuscation approaches are still
sufficient today to prevent spammers from harvesting emails." and
"Commonly-used email obfuscation techniques are offering protection (for
now). It is common practice to replace the conventional @ in email
addresses by an AT in order to defeat email harvesting. We found that the
spammers are still not parsing simple obfuscations as of now. However, one
should not count on the protection offered by such simple obfuscation
schemes, for they are trivial to defeat."
Of course, list posts hang around for a long time, and may be mirrored (eg
by Google caching). Therefore, concealment seems more sensible than
obfuscation. Perhaps a captcha could be used to reveal sender addresses.
The paper might be more interesting for its discussion of techniques for
detecting (eg with honeypots) and defeating harvesters.
IT Services, University of Sussex
For new support requests, see http://www.sussex.ac.uk/its/help/