Volunteering for OSS == Sign Up for Spam?

bckspc asks: "I've been getting pounded by spam lately, so did a Google search on my email address to see where it might appear on the Web. To my horror, it turned up several times in an archive of a Gnome listserv for a project I briefly participated in. While the email address is visibly obscured on the Web pages, it is quite intact in the HTML code. I emailed the list admin about obscuring or removing my email address, but was curtly dismissed. I'm a relative newbie and the experience soured me on participating in other OSS projects. How to Slashdot users deal with this? Must I set up disposable email accounts for every list?"

No real cure to this problem

[forged]

I'm in exactly in the same situation for having participated to one OSS project as a brief contributor. Searching either on my name or on my email address will turn up dozen of ChangeLog entries listing my email address.

Worse than that, my name and email also appear on one OSS project's discussion board, in full and with really akeward comments from 1997 or so... Kind of embarassing to read them now, especially with potential clients googling anybody's identities 8-)

I don't otherwise sign up my primary email address to any lists of sorts, and I use fake names when signing up for non-essential things; I also use disposable webmail addresses and vanity domains for that purpose. I only clean-up web accounts accounts prior to expecting some sort of comfirmation email, after which the account goes back to the abandoned, spammed-to-death status for another while.

Which is why

[Anonymous Coward]

I use one obviously false handle to refer to myself with folks who don't already know me (or in an online context with those who do). If I ever decide to claim something, I can provide proof (witnesses, records on my machine, passwords to log into accounts under that handle) that I am that person; otherwise, I retain my anonymity.

It's not perfect; you could still trace it to me, or steal the handle if you were so inclined. But a google for that handle won't link it to me - I've checked for that.

New "Mail Returned" tactic

[onehairyleg]

I've been using SpamAssasin that my mail ISP(ASP) provides me with - and it seemed to be working really well. I trust it so much that anything now goes to /dev/null - however - it all seems to have broken down with what appears to be a new improved spam attack: Over the last week or two I've been getting 50+ mails a day that appear as "Mail returned" messages where they are obvisouly bouncing mail back to me - often using random_username@mydomain.com as the fake from address which then hits my postmaster@mydomain.com and is forwarded to me.

This is a major PITA, as whilst I now filter these too it makes it more difficult to see when _my_ real legitimate mail didn't make it somewhere because of a problem.

How long can the spam filters hold all this back !

Re:Yes

[walt-sjc]

This is what an obscured email address in your signature is for. See RFC 1855 [faqs.org] section 3.1.1.

The parent is 100% right. At this point, it's nuts not to use a restricted email address for mailing lists since so many are archived in various places, and it's well known that spammers crawl these archives for addresses. Some mailing lists are archived on hundreds or even thousands of web sites.

Another option is time-expiring addresses. I do this for usenet since there are no subscription issues. I change addresses every month, and they last for 2, giving a reasonable working time. Again - obscured real address in the sig.

These schemes obviously work best when you control your own domain as you can have custom bounce messages and such. I actually use several domains for different things (and host accounts for family and friends...)

Re:Recent spam

[phaze3000]

That's the same Spamarrest which sends [google.com] spam [google.com] right?

I'd stay well clear..

How I've avoided spam...

[Samrobb]

This is entirely by accident, but I've talked to others who have done the same thing, and they've reported similar results.

About 2 years ago, my wife and I set up our own mail server in-house. While we set up the normal "service@domain" addresses for various things, I also had her create a "spam@ourdomain" address for me - something I could use as a generic address for one-time registration pages, that sort of thing. I've been using my "spam@" address pretty regularly since it's been created. More so as time wore on, when something became pretty apparent:

I was getting almost no spam directed to that address.

Now, I've used that address in a number of places, including on Usenet. I get (perhaps) one or two prices of spam per month. The only thing I can figure is that spammers, or folks putting together mailing lists for spammers, have decided that "spam@" just isn't worth sending email to. Maybe I've just been lucky; maybe my "spam@" address will be inundated with spam tomorrow morning. I don't know. I do know that it's worked well enough for me that if I ever end up managing a mail server for another domain, I'm going to make sure that I have a "spam@" address there as well.

Re:How I've avoided spam...

[bmsleight]

I can only agree. I have been using me.spam@domain.tld for a few months now. The amount of spam has gone down.

Most people when replying will not even look at the actual email address. They will also be the people most likely to have my email address harvested, (virus, chain mail). The power users will ask or drop the .spam part.

The evil spammers, AFAIK just drop all address containing spam, as logical speaking if you have offuscated your email address your not going to respond to a spam and/or your going to report the spammers IP. It works a bit like a double bluff.