[Mailman-Users] Major problems with privacy and mailman lists andharvesters

Andrew Hodgson andrew at hodgsonfamily.org
Fri May 23 22:29:54 CEST 2008

Steve Murphy wrote:

>I'm quite concerned about what I'm seeing in mailman installations, and
the amount of spam I've been getting >because I participate in mailman
based lists!

>What I'm concerned about is the fact that email harvesters are being
given so much information.

>I've noticed in the mailman-users archives, that if I view info by
thread (using the mailman archives as an >example,) which site is 2.1.10
based, that all email addresses are present, but with a simple
>(the "@" has been changed to " at ".) I can't help but to think that
this simple obfuscation is a joke. Any >harvester written in the past
number of years would be smart enough to capture such accurately.

When we were looking for a list software package, we came up against
this problem.  I think the issue here is that the archives are open to
anyone (aka public archives), and there is no real way of allowing
people to contact anyone off list if the email addresses are protected.
That said, there are a number of external archiving solutions around
that will do this already, such as MHonArc http://www.mhonarc.org/.

>>When viewing the developer's archives, I note that when a message is
displayed singly, it is common to see >[EMAIL PROTECTED]. This is much
nicer, but I notice that in both archives, a button is provided at the
bottom >of the letter, that submits a form, and gets back both a "Found"
page, with a mailto: url, and a redirect to a >mailto... 
>so, an anonymous user can easily get/harvest email addresses by simply
analyzing the html form.

The email form is done by mail-archive.com, and they are running several
honeypots to monitor spam coming in via this method.  The FAQ which
explains this is at http://www.mail-archive.com/faq.html.


>It seems inconsistent, funny even, that display by thread will show
individual messages with [EMAIL REMOVED], >but the gzip'd archives of
the same message reveal, really, everything.

Are you sure you are viewing the same archives?

>And worse... If I really wanted to collect up-to-date juicy email
addresses, I'd simply subscribe to all the >mailman lists I possibly
could, and route all the incoming messages to harvesters. In **This**
case, the >harvest is bountiful, as most messages arrive totally
unfiltered, from  headers galore bearing bounteous >harvests of email
addresses (for example, the From header), to the user sigs at the ends,
with reply quotation >headers mentioning the source addresses in

This is a problem with email not Mailman.  Do you see Freelists,
YahooGroups or Google Groups doing similar?

>Within MINUTES of my first posting on asterisk-users, I was getting
spam on an email address that was brand->new. Since then, the spam
volume on that email addr just keeps growing.

That is interesting as I have subscribed to several lists using a list
account at work which are on Mailman - namely RedHat and LUG user
groups, and I haven't had spam to that address in ages.  Contrast this
with my main work address, which I use to sign up for email newsletters
(when evaluating products), use as sales contacts, fill in web forms
etc, where I get around 40-50 spams a day.

>I keep wondering, which way did they get my email addr? 
>But, it doesn't matter. I can't help to think that 'targeted'
>spam mailers both spider the archives and subscribe to the lists.The
bigger the list's subscription, hotter an >item it is.

Maybe you should post this to one of the mail-archive lists, to see if
the people controlling the honeypots are finding similar.  

>So, please, can we apply the [EMAIL PROTECTED] tech to the archives,
and the outgoing messages, and drop this >silly notion that the " at "
obfuscation is useful? Really, it's totally transparent.

Possibly agreeing with you viz the archiving via the web, but I for one
would never use such a feature as email protection on any of my lists
for email subscribers.


More information about the Mailman-Users mailing list