[Mailman-Developers] Proposed: remove address-obfuscation code from Mailman 3

Ian Eiloart iane at sussex.ac.uk
Wed Aug 26 11:57:06 CEST 2009

--On 25 August 2009 21:02:01 +0000 Julian Mehnle <julian at mehnle.net> wrote:

> Bob Puff wrote:
>> You are presuming too much on spammers as a whole.  I've dealt with a
>> couple spammers, and they just used some tools they got online that
>> search for username at domain.something.  Everything else is ignored.
>> I don't for a minute doubt that the advanced spammers will snag
>> anything and everything no matter how strange it is obfusticated (sp?).
>>  But there are a LOT of low-tech spammers still out there, and there is
>> enough "low hanging fruit" for them that this little bit we are
>> discussing can be over their head.
> It's not.  Spammers usually don't do address harvesting themselves
> nowadays, but outsource it to botnets (just like they outsource the
> spamming itself to botnets) that are running kind of "off the shelf"
> software tailored to the task.  Today, as a spammer you go out and buy
> those services in online shops, paying by credit card.  And parsing
> "localpart at domain" is among the most trivial things current harvester
> modules do.
> Any wanna-be spammers who still run their garage business with self
> written tools are pretty much meaningless in terms of magnitude.
> If anything, this kind of obfuscation is an inconvenience to legitimate
> users, but certainly not to spammers.
> -Julian

There's recently published research which suggests that simple obfuscation 
can be effective. Concealment, presumably, is more effective. At 
<http://www.ceas.cc/> you can download "Spamology: A Study of Spam Origins" 

They say "Surprisingly, even simple email obfuscation approaches are still 
sufficient today to prevent spammers from harvesting emails." and 
"Commonly-used email obfuscation techniques are offering protection (for 
now). It is common practice to replace the conventional @ in email 
addresses by an AT in order to defeat email harvesting. We found that the 
spammers are still not parsing simple obfuscations as of now. However, one 
should not count on the protection offered by such simple obfuscation 
schemes, for they are trivial to defeat."

Of course, list posts hang around for a long time, and may be mirrored (eg 
by Google caching). Therefore, concealment seems more sensible than 
obfuscation. Perhaps a captcha could be used to reveal sender addresses, 
for example.

The paper might be more interesting for its discussion of techniques for 
detecting (eg with honeypots) and defeating harvesters.

Ian Eiloart
IT Services, University of Sussex
01273-873148 x3148
For new support requests, see http://www.sussex.ac.uk/its/help/

More information about the Mailman-Developers mailing list