Volunteering for OSS == Sign Up for Spam?

bckspc asks: "I've been getting pounded by spam lately, so did a Google search on my email address to see where it might appear on the Web. To my horror, it turned up several times in an archive of a Gnome listserv for a project I briefly participated in. While the email address is visibly obscured on the Web pages, it is quite intact in the HTML code. I emailed the list admin about obscuring or removing my email address, but was curtly dismissed. I'm a relative newbie and the experience soured me on participating in other OSS projects. How to Slashdot users deal with this? Must I set up disposable email accounts for every list?"

There is a solution in the works...

[bdan]

GMail. :-)

Don't blame OSS, please!

[ptaff]

I'm a relative newbie and the experience soured me on participating in other OSS projects. How to Slashdot users deal with this? Must I set up disposable email accounts for every list?"

OSS or not, you should. There is no link between OSS and spam, but there is between mailing lists and spam.

There is not (yet) a way to make sure obfuscated e-mail addresses don't get caught by robots, so as a good habit I'd suggest you use disposable E-mail addresses every time your mail will be available on the web.

I'm on a few lists

[Apreche]

I'm on quite a few mailing lists, and I get almost no spam. In fact, I get such a small amount of spam that I use the thunderbird filter to get rid of non-spam e-mails that I just don't want. The miniscule amount of spam that I do get is filtered 99% perfectly.

I don't know what everyone else is doing that is bringing them so much spam. If you play your cards right and use a filter it really isn't a problem anymore.

False sense of security

[Genom]

If you use your email address for *anything*, you'll eventually get on a spammer's list.

Send only to friends and family? Whoops -- your cousin Jane just sent you an e-card for your b-day. Guess what? The e-card company now has your address on a list (which will eventually be sold, resold, etc...).

Mom just sent you (and everyone else in her addressbook, and whatever addresses were on it to begin with) a copy of a chain letter! Guess what? One of those email addresses went to someone who's making a list!

Uncle Jim just got infected with the latest/greatest worm! Guess what? In addition to getting spammed "from" his address, you've most likely ended up on yet another list!

Posted to a public mailing list? Yep - you're on a list. Doesn't matter if it was Harvester 1.0 or the new and improved Harvester 3.5.2b, you're on the list.

See, no matter what you do, no matter how closely you guard that email address - if you actually intend it to be used, it's eventually going to get on a spammer's list. And once you're on one list, you mightaswell be on them all (as spammers sell their lists to each other, or collect & trade, etc...)

Munging the address in a public archive does really only one thing: Prevent legitimate contact. Remember: If a human can decypher the email address, so can a harvester. Simple string replacement is easily coded around. "Coding" your email address only works until the harvesters have translation tables. Munging them severely makes it incredibly hard for an actual human to use your address. In short, you're spiting the forest for the trees.

Looking at my personal mail stats, I get roughly 90% spam on any given day. Most of it's not even in english (and although I can understand a bit of spoken Japanese, I certainly can't read it, let alone the vast ammount of Korean spam I receive). Sure, it sucks. But what can I do?

Well, for starters I filter on the server-side. SpamAssassin is the first line of defense. After training up the bayesian side of things, it catches roughly 90% of the spam I receive.

Second stage is a set of basic "sanity test" filters. Is it from someone I actually know (and is therefore whitelisted)? Is it actually "To" or "Cc" to a legitimate email address of mine? Attachments of known bad types? Headers added by known bulk-mailers? What does ClamAV have to say about it? (Yes, I started building this filter before I discovered SpamAssassin, so there's a bit of overlap) This weeds out around 50% of the remaining spam I get (5% of the total).

Third stage is Mozilla Thunderbird's bayesian filter, which once trained does a suprisingly good job of catching things that make it through the first two stages. I get about 1 or 2 a week that pass through all three stages - these get fed to both bayesian filters to be learned. The system isn't perfect, but it seems to work OK, until something better comes along. And anyone who needs to contact me can.

The other thing I do now (which I'd have done earlier, had I the resources) is give each company I do business with it's own address. While this doesn't cut the spam, it does allow me to track who's been selling my address, and who hasn't. Yahoo and Ebay (both previously mentioned in other threads) have been the main culprits thusfar, although there are a few smaller companies I've caught as having sold their email lists as well.

So, should we munge all email addresses beyond recognition in order to "stop" spam? I'd have to say no - as it prevents legitimate users from emailing you. Should we be extremely careful *who* we give our email addresses to, and *what* address we give out to them? Absolutely. Should we complain, *loudly* to companies whom we can catch selling our addresses to spammers, or worse, spamming us themselves. Absolutely.

Just my $.02.

Re:Yes

[walt-sjc]

It's amazing how many web forms will not accept the plus character in emails. I actually prefer NOT to use that trick, as deleting everything after the plus gives your real address. I prefer to just create an alias instead.