[Mailman-Users] Major problems with privacy and mailman lists and harvesters

Steve Murphy murf at digium.com
Tue May 27 00:11:22 CEST 2008


----- "Brad Knowles" wrote: 
> Steve Murphy wrote: 
> 
> > I've noticed in the mailman-users archives, that if I view info 
> > by thread (using the mailman archives as an example,) 
> > which site is 2.1.10 based, 
> > that all email addresses are present, but with a simple obfuscation. 
> > (the "@" has been changed to " at ".) I can't help but to think 
> > that this simple obfuscation is a joke. Any harvester written in the 
> > past number of years would be smart enough to capture such accurately. 
> 
> This is a well-known weakness. Please feel free to upload a suggested patch 
> to <http://sourceforge.net/tracker/?atid=300103&group_id=103&func=browse>, 
> or at least file a Request For Enhancement at 
> <http://sourceforge.net/tracker/?atid=350103&group_id=103&func=browse>. 
> 

OK, I'll look into this. 

> > When viewing the developer's archives, I note that when a message is 
> > displayed singly, it is common to see [EMAIL PROTECTED]. 
> 
> That's the external searchable archives provided by mail-archive.com, which 
> is actually available for both mailman-users and mailman-developers. 
> 

Ah-ha! I had not noticed this. A third party was involved... hmmm! 

> > The gzip'd archives by month for both lists both show all email 
> > addresses, with the " at " obfuscation. 
> 
> Yup. That's part of the standard internal pipermail archiving process. 
> 
> > Within MINUTES of my first posting on asterisk-users, I was getting spam 
> > on an email address that was brand-new. Since then, the spam volume 
> > on that email addr just keeps growing. 
> 
> We've known that this weakness was a potential issue for years. However, I 
> don't recall our ever hearing a specific case where this weakness was 
> actually being exploited. 
> 
> If you look at those "patches" and "RFE" pages, you'll note that there are a 
> large number of things that people want from Mailman (200-300 things or more 
> per category), and since this is a 100% volunteer-supported project, our 
> developers have limited time and resources to be able to devote to fixing 
> each and every little thing that people have asked for. 
> 

Yes, I know. I'm working on Asterisk, another free-software package. 
I bet it's the same basic situation. I'll put my code where my mouth is, 
if everybody agrees that it's the way to go. 

> > We need to rethink how we can adequately keep emails out of spammers' hands. 
> 
> Even with better obfuscation, the spammers will always be able to silently 
> subscribe to the lists and harvest addresses that way. There's no way to 
> stop them from doing that. 
> 

Agreed. But I'm not at all for any kind of obfuscation. I'm for 
removal. If we do a good job of subtracting email addresses from 
outgoing messages, and out of the archives, eventually the spammers 
will give up on lists so configured. Not worth the effort. 
But that's their choice. Personally, I'd love for them to waste tons of resources on 
harvesting addresses that are not there. 

> > And, yes, it's kinda unhandy to read a message and not be able to fire an email 
> > off to the author directly. But to make it easy for list subscribers, is to make it easy 
> > for spammers, who probably have already joined the list, and are delighted 
> > to get email addresses, any which way they can. 
> 
> We can't obscure messages that we send out. Otherwise, they wouldn't get 
> delivered. You do have to have some basic understanding of how Internet 
> e-mail works before you can talk intelligently about what could or should be 
> done. 
> 

I **thought** I understood the basics of email workings. 
What I'm targeting is the "From ", and "From:" headers. Instead of them 
giving the actual email of the original submitter, they could simply say 
"whateverlist at lists.whateverdomain.com" -- in other words, set the from 
addr to the list address itself. All emails that might appear in the body of the message 
itself will be stripped (with [EMAIL REMOVED] type stuff to replace it), as a service 
to list members, to help protect them from being harvested. 
Again, No Obfuscations. It is common practice to say "John Doe <jdoe at something.org>", 
in which case, the name is left alone. It would be stripped to "John Doe <[REMOVED]>" 
What's not-doable about this? Am I missing something? I can be incredibly 
dense at times, and miss some pretty obvious laws of nature. Feel free to correct me. 
IIRC, the spammers forge the From addresses all the time, and the emails get delivered. 


> > We need to lock down mailman, or at least make it an option! Simply put, 
> > in messages sent to users, the only email that should be found anywhere 
> > in a received message, is the recipient's. 
> 
> If a list admin chooses, they can always enable anonymization. But there's 
> a reason why no one wants to do this. Go talk to the people running 
> anonymized lists to understand that problem more fully. 
> 

That I will do. But I'm not really into total anonymity. Just email addr removal. 


> On a more general note, the more you break Internet e-mail in order to try 
> to stop the spammers, the more the bastards win. 
> 
> You're continuing to make the critical mistake that everyone else does, 
> which is that you're trying to solve an inherently non-technical problem 
> with technical means. And that is a recipe for guaranteed disaster. 

Well, you are right to a degree. First, we could rate complete email 
address removal as the "Ultra" privacy option for a mailing list, and not everybody 
will opt for it, because taking a discussion "offline" will not be a 1-click 
process. Sorry. And users *could* use email-obfuscation to hide 
email addresses from the removal process, letting them leak into the list 
and archives to make it easier for people to reach the submitter. But I see this 
whole process as a way to reduce the chances that the spammers get your 
email address. No guarantees. One of your friends could go into an e-card 
site and use them to send you a nice birthday card. And a ton of spam. 

> 
> 
> Spam is just another form of con job. And if the "oldest profession" is 
> prostitute, then the second oldest profession has to be "con artist". Con 
> jobs have been going on for thousands of years, and there's no evidence that 
> they will ever stop being perpetrated, at least not so long as our species 
> continues to have at least one member still alive. 
> 
> So, you're not *EVER* going to get rid of spam. Give that fight up right 
> now. The best you can do is to try to cut it down to a dull roar, and make 
> sure that you're not one of the lower-hanging fruit. 
> 
> Then always keep in the back of your mind that a sufficiently determined 
> attacker can get through the deepest and most powerful defenses -- if they 
> can assassinate presidents and other government leaders, then they can 
> certainly get through any defenses that people like you and me can afford to 
> create. 
> 

Yes, I'm very aware of all this. I've done my fair share of scouring emails for 
web addresses, and calling hacked sites to inform them they were being used for 
a scam, among other activities to fight the cons that I won't go into. 
All I want to do is see if we can reduce the leakage of email addresses in 
mailman from firehose proportions to something less. 

murf 

> -- 
> Brad Knowles <brad at python.org> 
> Member of the Python.org Postmaster Team & Co-Moderator of the 
> mailman-users and mailman-developers mailing lists 
> 

-- 
Steve Murphy 
Software Developer 
Digium 
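
The From: rewrite and body stripping proposed in this message, sketched as an added example; it is not part of the original post and is not Mailman code. The function names, the regular expression and the sample message are constructed for illustration, and the sketch assumes unencoded text/plain bodies.

```python
import re
from email import message_from_string
from email.utils import formataddr, parseaddr

PLACEHOLDER = "[EMAIL REMOVED]"  # replacement text suggested in the message

# Matches "user@host.tld" and the pipermail-style "user at host.tld".
# The " at " branch also catches prose such as "look at example.com";
# for a removal filter that errs on the side of stripping too much.
ADDR_RE = re.compile(
    r"[A-Za-z0-9._%+-]+(?:@|\s+at\s+)[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+"
)

# Constructed sample post (not taken from any real list).
SAMPLE = """\
From: John Doe <jdoe@something.example>
To: whateverlist@lists.example.org
Subject: test

Jane Roe <jroe at other.example> wrote:
> reach me on jane@other.example
Thanks, John
"""


def redact_text(text):
    """Replace every address-like token in free text with the placeholder."""
    return ADDR_RE.sub(PLACEHOLDER, text)


def strip_addresses(raw_message, list_address):
    """Return the parsed message with From: pointing at the list and
    addresses removed from unencoded text/plain parts."""
    msg = message_from_string(raw_message)
    display_name, _poster = parseaddr(msg.get("From", ""))
    del msg["From"]  # no-op if the header is missing
    msg["From"] = formataddr((display_name, list_address))
    for part in msg.walk():
        # Assumption: 7bit/8bit bodies; base64 or quoted-printable parts
        # would have to be decoded before redaction.
        if part.get_content_type() == "text/plain":
            part.set_payload(redact_text(part.get_payload()))
    return msg


if __name__ == "__main__":
    print(strip_addresses(SAMPLE, "whateverlist@lists.example.org").as_string())
```

Headers such as Reply-To and Cc, and encoded or HTML parts, are not touched by this sketch and would still carry the poster's address.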

