Forgot your password?
typodupeerror
Communications Spam

Volunteering for OSS == Sign Up for Spam? 94

Posted by Cliff
from the drawbacks-for-web-accessible-mailinglist-archives dept.
bckspc asks: "I've been getting pounded by spam lately, so did a Google search on my email address to see where it might appear on the Web. To my horror, it turned up several times in an archive of a Gnome listserv for a project I briefly participated in. While the email address is visibly obscured on the Web pages, it is quite intact in the HTML code. I emailed the list admin about obscuring or removing my email address, but was curtly dismissed. I'm a relative newbie and the experience soured me on participating in other OSS projects. How to Slashdot users deal with this? Must I set up disposable email accounts for every list?"
This discussion has been archived. No new comments can be posted.

Volunteering for OSS == Sign Up for Spam?

Comments Filter:
  • by SkunkPussy (85271) on Tuesday April 27, 2004 @07:01AM (#8981925) Journal
    When I searched for my name, it was more the questions i'd answered geekily on some debian list about 4 or 5 years ago that concerned me. theres loads of them!
    And the debian lists are very well linked to its been hard for me to pursuade google to give higher priority to my own website, where I can make out I'm not a geek :-)
  • by ffub (322605) on Tuesday April 27, 2004 @07:03AM (#8981936)
    Try using simply foss@domain for lists, and them filter ad filter and filter it. I do agree this is very annoying, and although some listservs do respect this and change the email addresses on list servers, this can't be relied apon. I can't choose my participation based on which projects are going to give my email away.

    The only solution that will effectively work (until we fix the spam problem all round) is for list admins to be more careful about munging email addresses to some degree.

    The default setting for programs such as pipermail should be one where email addresses are not explicitly displayed.

    The best solution I've found to solve problems with email addresses online is Jodrell's mailto php script which renders the address obfuscated but displays it correctly in the browser using JavaScript.

    http://jodrell.net/projects/mailto [jodrell.net]
    • The best solution I've found to solve problems with email addresses online is Jodrell's mailto php script which renders the address obfuscated but displays it correctly in the browser using JavaScript.
      That's assuming that address harvesters aren't running their pages through a javascript interpreter first. Considering how sophisticated spammers' methods are becoming to deliver their messages I wouldn't doubt that their havesting methods are improving as well.
      • Yes - but this points to a solution.

        Create a safe server which runs the decrypt. Have the safe sever identify IP addresses and restrict ip addresses which are obviously automated. This means that a given IP address can only "see" a finite number of email addresses per unit time.

        Add blacklisting and you have reasonably restricted email addresses.

        The server could also serve up and create temporary proxies which could later be identified.

        For example:

        Your emaail is Bob@OpenStuff.com

        The server says your em
  • Yes (Score:4, Informative)

    by innerlimit (593217) on Tuesday April 27, 2004 @07:03AM (#8981937)
    Set up an account to only receive mails from the lists you joined. Junk everything else.
    • by cwis42 (563232)
      How convenient when someone on the list wants to talk to you privately.
      • by tzanger (1575)

        I use the same old trick for anywhere I have to use my email address: qmail-aliases.

        With qmail (and probably postfix, haven't checked), user-alias@domain will resolve to user@domain automatically and without any additional configuration. So for example myname@domain is my "real" account. myname-sd@domain is for slashdot, myname-kde@ is for kde's lists, myname-vexi@ is for the Vexi development lists, etc., etc., etc.

        When the spam starts coming in you can check where it came from easily and either chang

        • Postfix too, yes. '+' is the default delimiter.

          -j
          • Re:Yes (Score:3, Insightful)

            by walt-sjc (145127)
            It's amazing how many web forms will not accept the plus character in emails. I actually prefer NOT to use that trick, as deleting everything after the plus gives your real address. I prefer to just create an alias instead.
      • Re:Yes (Score:4, Interesting)

        by walt-sjc (145127) on Tuesday April 27, 2004 @09:20AM (#8982929)
        This is what an obscured email address in your signature is for. See RFC 1855 [faqs.org] section 3.1.1.

        The parent is 100% right. At this point, it's nuts not to use a restricted email address for mailing lists since so many are archived in various places, and it's well known that spammers crawl these archives for addresses. Some mailing lists are archived on hundreds or even thousands of web sites.

        Another option is time-expiring addresses. I do this for usenet since there are no subscription issues. I change addresses every month, and they last for 2, giving a reasonable working time. Again - obscured real address in the sig.

        These schemes obviously work best when you control your own domain as you can have custom bounce messages and such. I actually use several domains for different things (and host accounts for family and friends...)
        • At this point, it's nuts not to use a restricted email address for mailing lists...

          That fine and dandy, but what about my situation? I contributed very small patches (<20 lines each) to a couple of projects last year, and now my email address appears in Changelogs which someone has thoughtfully put up on the Web for Google to index.

          • That's unfortunate. Thanks for pointing out this situation, I didn't think of that. Sounds like people need to use throwaway's / special addresses for this kind of thing too. Damn.

            While I detest challenge response systems, they are looking better and better as the spam problem gets worse.
      • Do you give out your phone number to everyone, just in case they want to phone you, & don't have Internet access? Quit acting like this is the 1990s. It's not as if someone is obligated to sift through 100s of spam a day, just in case a complete stranger wants to contact him. If he has questions, then it should be directed to the list or to people who want to give out email addresses.
  • by lanroth (186573) on Tuesday April 27, 2004 @07:14AM (#8981990) Homepage
    Years ago I setup a Freeserve [freeserve.co.uk] account which allows me to receive email to anything@myaccountname.freeserve.co.uk

    Whenever I need to put my email address somewhere public (i.e. mailing lists and websites) I make up a new email address of the form mailinglistname@myaccountname.freeserve.co.uk or websitename@myaccountname.freeserve.co.uk e.g. the email address I gave slashdot is slashdot.org@myaccountname.freeserve.co.uk

    The good part: when I start getting spam to a particular address I just setup a filter that sends all mail to that address to /dev/null It also lets you know where your email address was harvested from. So when I get spam turning up on slashdot.org@myaccountname.freeserve.co.uk I know it was slashdot who sold my email address to the evil spammers ;-)

    If I want to receive mail from slashdot again I just change my email on slashdot to slashdot.org2@myaccountname.freeserve.co.uk

    Interestingly most of the spam I get comes in to the email address ebay.co.uk@myaccountname.freeserve.co.uk

    This has worked very well for me for several years.

    • Sneakemail [sneakemail.com] works similar in some respects although the email addressess they give you aren't as nice. One advantage is that they forward email to your real address.
      • Some domain hosters provide the same service, through whatever means they might care to use. In particular, I use mydomain [mydomain.com], but I'm sure they're not the only ones. This way I don't have to host my own anything, maintain the email service, etc., and anything@whatevermydomainis.com gets forwarded to my real email account, and I can filter out the spammers easily by giving every website or whatever a unique name linked to who they are.
    • by CritterNYC (190163) on Tuesday April 27, 2004 @01:02PM (#8985779) Homepage
      Years ago I setup a Freeserve account which allows me to receive email to anything@myaccountname.freeserve.co.uk

      Whenever I need to put my email address somewhere public (i.e. mailing lists and websites) I make up a new email address of the form mailinglistname@myaccountname.freeserve.co.uk or websitename@myaccountname.freeserve.co.uk e.g. the email address I gave slashdot is slashdot.org@myaccountname.freeserve.co.uk

      This will work great... right up until the point that your domain is subject to a dictionary attack by a spammer. You'll suddenly see your spam load go through the roof. And you won't be able to setup filters for each new iteration fast enough. And if it's your own server or you pay for bandwidth, your costs just keep rising.

      You're better off creating real aliases for each new account and letting the server respond with a 550 invalid user for all others.

      If you haven't been dictionary attacked yet... just wait... it'll happen... sooner or later.
      • He could just operate under a whitelist - every address gets blocked unless its specifically allowed. If you're just throwing an address into say, a website for registration, no need to whitelist it, but anything important or known to be secure is whitelisted.
  • by bdan (34984) on Tuesday April 27, 2004 @07:24AM (#8982033) Homepage
    GMail. :-)

  • I find it difficult to believe that the spam that you are receiving is as a result of your email address being on a list associated with an oss project.

    My email address is openly available on numerious mailing lists and publications, and I also administer a small sports club website in which my personal email address has been visiable for years. During that time I have constantly used the same email address. But to date I only receive about one or two spam mails per week. It may be that my experience is u
    • It's been interesting to me that I have a special "spam" email address that I use on mailing lists and the like, and I don't get much spam on it. In fact, I think I'm getting about as much from my regular email address, which never sees the light of day on a mailing list.

      OTOH, the email address I used to have with a major ISP became a target for dozens of spam emails each day, perhaps because the ISP was targeted and because I have a common surname. Now that I have my own domain name, I get very little.

    • Believe it dude. My work address was totally spam-free until I happened to post to Bugtraq *ONCE*.

      After that, I'm getting upwards of 10 spams a day. Just because someone is on an OSS project doesn't make them immune from getting harvested and spammed to death.
      • My work address was totally spam-free until I happened to post to Bugtraq *ONCE*.

        After that, I'm getting upwards of 10 spams a day.

        I had a nearly clean mailbox. Then I posted one message to linux-kernel. At least 40 viruses showed up in my inbox within the first 24 hours.

  • by forged (206127) on Tuesday April 27, 2004 @07:26AM (#8982056) Homepage Journal
    I'm in exactly in the same situation for having participated to one OSS project as a brief contributor. Searching either on my name or on my email address will turn up dozen of ChangeLog entries listing my email address.

    Worse than that, my name and email also appear on one OSS project's discussion board, in full and with really akeward comments from 1997 or so... Kind of embarassing to read them now, especially with potential clients googling anybody's identities 8-)

    I don't otherwise sign up my primary email address to any lists of sorts, and I use fake names when signing up for non-essential things; I also use disposable webmail addresses and vanity domains for that purpose. I only clean-up web accounts accounts prior to expecting some sort of comfirmation email, after which the account goes back to the abandoned, spammed-to-death status for another while.

    • Which is why (Score:2, Interesting)

      by Anonymous Coward
      I use one obviously false handle to refer to myself with folks who don't already know me (or in an online context with those who do). If I ever decide to claim something, I can provide proof (witnesses, records on my machine, passwords to log into accounts under that handle) that I am that person; otherwise, I retain my anonymity.

      It's not perfect; you could still trace it to me, or steal the handle if you were so inclined. But a google for that handle won't link it to me - I've checked for that.
    • Me to, in 2000 before spam was even really a issue I participated in a few OSS projects. Now I'm pounded by 300 - 500 messages a day :(
    • Server-side (Spam Assassin) filtering and mozilla-mail ends up cleaning most of my spam. I used to care about which email adress I entered at different places to avoid spam. Right now, with over 100 spams a day, I just don't care. I just make sure it gets well filtered and it solves all problems.
  • Hi,

    Nearly all of the SPAM email to am email address that I kept hidden for this reason come from a one line change I submitted to JRefactor for context menus on the mac. But still at least I got some credit for it! :-)

  • by ptaff (165113) on Tuesday April 27, 2004 @07:36AM (#8982108) Homepage
    I'm a relative newbie and the experience soured me on participating in other OSS projects. How to Slashdot users deal with this? Must I set up disposable email accounts for every list?"


    OSS or not, you should. There is no link between OSS and spam, but there is between mailing lists and spam.

    There is not (yet) a way to make sure obfuscated e-mail addresses don't get caught by robots, so as a good habit I'd suggest you use disposable E-mail addresses every time your mail will be available on the web.

    • I'd suggest you use disposable E-mail addresses every time your mail will be available on the web.

      They don't necessarily need be disposible, just separate. It's like having two phone lines, where one is unlisted and only for family and friends. The other phone line can get caller ID and an answering machine for screening.

  • Spamgourmet (Score:4, Informative)

    by Justin Ames (582967) on Tuesday April 27, 2004 @07:39AM (#8982128)
    use a spamgourmet.com address for anything that may ever become public. It's free, and after a specicified number of emails it blocks the address. You just sign up, and everytime you give out an email, you make up on the spot a keyword.numberofemails.username@spamgourmet.com email address, and spam gourmet automatically blocks after that number, you can then allow trusted domains through forever if you want.
    • Re:Spamgourmet (Score:3, Informative)

      I second the recommendation. Excellent service.

      The same user name is good for multiple domains as well, i.e., slashdot.4.johndoe@spamgourmet.com would be interchangeable with slashdot.4.johndoe@neverbox.com. I don't remember the other domains off hand.

      If you don't like making a different address for each use, despammed.com has an effective filter and you can opt to forward it on to another address.
    • I third this recommendation. It is also fun to monitor what companies sell you out and to whom. Since each address has a unique label you can watch who starts spamming it. And of course it then self destructs after it reaches the threshold and then no more spam.

      Although it is just a matter of time until spammers start extractng spamgourmet.com addies and then create their own randomkeyword.99999.yourusername@. Then you still have the option to block specific senders, but it would start getting too tr
  • Spam has gone crazy for me in the last few days. I've gone from 600+ every day, a figure I've been approaching gradually over the last couple of years, to well over 1,000 per day this week.

    I've also noticed that I get blocks of maybe a dozen of the same three or four spams, and while the 40+ Kb ones are still arriving they've been joined by dozens of 100+ Kb ones.

    I use Mailwasher and frankly it's a joke nowadays. Easily 50% of my legitimate mails are flagged as spam because of blacklisting, and 100+ spams
    • Set up your mail server to use SpamAssassin (can be painlessly hooked in through fetchmail) -- this has given me very little problem, I'd say maybe one false positive in over 10000 (ten thousand) emails or more. The trick is not ot have it too agressive and to use the bayesian filtering and to continuously train it as the spam patterns (and ham patterns) change.

      The far bigger trick though is to use a couple of blacklists. I use cbl.abuseat.org and rbldns-list.dsbl.org's blacklists -- combined with rblsm

    • I recommend Mozilla Thunderbird [mozilla.org], as it has good, integrated spam filtering, and it runs on Windows!


      I have to say, I think web-based customer support is better, when tied together with email notifications to the customer. You can present your corporate image, as well as upsell advertising, and enable them to see precisely what is happening with their ticket.

    • The two best solutions I know of (if you don't own the server) are Spamarrest [spamarrest.com] and POPFile [sourceforge.net].

      Both get rid of spam very differently but I've gotten about 99.8% acuracy with both (for different people)

      SpamArrest uses "Challenge/Response" which is annoying if you have lots of new people email you but if it's mainly old email addresses it's great.

      If you don't want to pay anything then POPFile is for you. It uses Bayesian filtering which basically means it learns what you think spam is. That means it might
    • I work for a company that provides a very good anti-spam gateway service that you might want to check out. You basically just point your mail domain to our filtering servers, which filter (quarantine) out the junk and then forward the rest to your original mailserver. The block rate is around 98% and the false positive rate is close to zero. The cost is less than $2.00/user/month but if you e-mail me at brien1@redcondor.com I might be able to get you setup for less.

      Best of luck,
      Brien

      I would have sent
    • I use both POPFile [sf.net] (at home) and SpamBayes [sf.net] (at work). They both work like a charm...
  • I'm on a few lists (Score:2, Insightful)

    by Apreche (239272)
    I'm on quite a few mailing lists, and I get almost no spam. In fact, I get such a small amount of spam that I use the thunderbird filter to get rid of non-spam e-mails that I just don't want. The miniscule amount of spam that I do get is filtered 99% perfectly.

    I don't know what everyone else is doing that is bringing them so much spam. If you play your cards right and use a filter it really isn't a problem anymore.
  • Yes.

    Doesn't matter what the list admin does to the web archives created, it won't stop other people creating web archives.
    Many people on the gentoo lists have complained about getting bararged by spam and viruses soon after signing up and posting, yet Gentoo don't create any web archive!
  • by Genom (3868) on Tuesday April 27, 2004 @07:57AM (#8982233)
    If you use your email address for *anything*, you'll eventually get on a spammer's list.

    Send only to friends and family? Whoops -- your cousin Jane just sent you an e-card for your b-day. Guess what? The e-card company now has your address on a list (which will eventually be sold, resold, etc...).

    Mom just sent you (and everyone else in her addressbook, and whatever addresses were on it to begin with) a copy of a chain letter! Guess what? One of those email addresses went to someone who's making a list!

    Uncle Jim just got infected with the latest/greatest worm! Guess what? In addition to getting spammed "from" his address, you've most likely ended up on yet another list!

    Posted to a public mailing list? Yep - you're on a list. Doesn't matter if it was Harvester 1.0 or the new and improved Harvester 3.5.2b, you're on the list.

    See, no matter what you do, no matter how closely you guard that email address - if you actually intend it to be used, it's eventually going to get on a spammer's list. And once you're on one list, you mightaswell be on them all (as spammers sell their lists to each other, or collect & trade, etc...)

    Munging the address in a public archive does really only one thing: Prevent legitimate contact. Remember: If a human can decypher the email address, so can a harvester. Simple string replacement is easily coded around. "Coding" your email address only works until the harvesters have translation tables. Munging them severely makes it incredibly hard for an actual human to use your address. In short, you're spiting the forest for the trees.

    Looking at my personal mail stats, I get roughly 90% spam on any given day. Most of it's not even in english (and although I can understand a bit of spoken Japanese, I certainly can't read it, let alone the vast ammount of Korean spam I receive). Sure, it sucks. But what can I do?

    Well, for starters I filter on the server-side. SpamAssassin is the first line of defense. After training up the bayesian side of things, it catches roughly 90% of the spam I receive.

    Second stage is a set of basic "sanity test" filters. Is it from someone I actually know (and is therefore whitelisted)? Is it actually "To" or "Cc" to a legitimate email address of mine? Attachments of known bad types? Headers added by known bulk-mailers? What does ClamAV have to say about it? (Yes, I started building this filter before I discovered SpamAssassin, so there's a bit of overlap) This weeds out around 50% of the remaining spam I get (5% of the total).

    Third stage is Mozilla Thunderbird's bayesian filter, which once trained does a suprisingly good job of catching things that make it through the first two stages. I get about 1 or 2 a week that pass through all three stages - these get fed to both bayesian filters to be learned. The system isn't perfect, but it seems to work OK, until something better comes along. And anyone who needs to contact me can.

    The other thing I do now (which I'd have done earlier, had I the resources) is give each company I do business with it's own address. While this doesn't cut the spam, it does allow me to track who's been selling my address, and who hasn't. Yahoo and Ebay (both previously mentioned in other threads) have been the main culprits thusfar, although there are a few smaller companies I've caught as having sold their email lists as well.

    So, should we munge all email addresses beyond recognition in order to "stop" spam? I'd have to say no - as it prevents legitimate users from emailing you. Should we be extremely careful *who* we give our email addresses to, and *what* address we give out to them? Absolutely. Should we complain, *loudly* to companies whom we can catch selling our addresses to spammers, or worse, spamming us themselves. Absolutely.

    Just my $.02.
      • The other thing I do now (which I'd have done earlier, had I the resources) is give each company I do business with it's own address. While this doesn't cut the spam, it does allow me to track who's been selling my address, and who hasn't. Yahoo and Ebay (both previously mentioned in other threads) have been the main culprits thusfar, although there are a few smaller companies I've caught as having sold their email lists as well.

      For those that don't have their own domain or ability to create new E-mail

    • It's always good to have at least 2 accounts, agreed as I've been reading replies I haven't come across anyone sugesting greylisting http://projects.puremagic.com/greylisting/ I came across this process when my account @ http://www.ezrs.com starting using it. Seems like an excellent unabtrusive idea. So far I have received no SPAM since they started using it. It basically relies on the fact that most spammers will just send the message once and don't look for mail bounces and all legitimate mail will l
    • That has been my experience. No matter what you do you get email spam. From your argument it clearly follows Fear Of Spam is not a good reason to avoid, contributing to oss or online discussions. : ) Can you also conclude that Email is a horrible anachronistic kluge and must be fixed ?

    • Its swell that you are able to get rid of so many spammails, but to me, my real concern is eliminating false positives. What do you do to ensure that "valid" emails aren't thrown out with the spam?
    • You forgot to mention training cousin Jane, uncle Jim, and Mom to NOT do those things. It's a tough battle, I know, but we have to try. Also, somebody, somewhere is actually buying the damn stuff, not that I've ever met anyone who has. How do we find and train those people to not purchase through spammers? I don't have that answer, but I'm working on it.

  • 1. change email accounts very regularly
    2. keep the same email account and filter spam

    #1 is a pain as you have to keep updating contacts to your new email address. (spammers seem to have no trouble finding it)

    #2 also involves ongoing effort. Every new thing I do to stop spammers seems to be great for the first few weeks (no spam gets through), then one, then one or two. It still filters out 99% though.

    Remember though, for every spammer you shoot, there are 5 more ready to step up to take their place!
  • Google and friends show my address in many maillist and FIDO archives for last four or five years. There's 200+ mail users in our domain. I receive more spam and viruses than anyone else.

    There's no reason to hide my email anymore. I receive lots of spam anyway. Simple procmail rules stop 90% of it:

    :0
    * ^Received: from (solutions.lv|194.8.5.86)
    Shit/

    :0
    * ^Content-Type:.*text/html
    Shit/

    :0
    * with E?SMTP
    * ^Message-ID:.*mailserver.solutions.lv
    Shit/

    :0
    * ^Content-Type:.*multipart
    {
    :0 B
    *! ^Content-Type:.*text/p

  • What about me? I get 70+ MB of viruses every day, apparently because some virus writer decided to target people on the Gcc development lists. Besides our bombardment with the viruses, everybody else who gets the viruses sees our addresses in the return address.

    I use nkvir-rc under procmail to filter them, which leaves only a few dozen bounce messages per day from sites that got viruses with my return address on them. I have amended nkvir-rc [cantrip.org] to work properly with Maildir-style mailboxes. (Probably the

  • It goes without saying the same thing happens with list archives, where one might participate in OSS-related discussion. However, as per my journal entry [slashdot.org], submitting a bug report gives similar results. So now, I don't submit bugs where I don't have control over my email address.
  • by rainer_d (115765) *
    Move your domain or account to a real provider who does:

    - virus-checking (I don't have to wade through almost 600 viruses per month just by using clamav on the server)
    - RBL'ing of all the open proxies, open relays and dynamic IP-address-space (~5000 "hits" per month for me - potential spam that never even enters my server)
    - and filter the rest of mail via Spamassassin

    This way, I get only 5-10 spams per day or so and most of it is pre-filtered into my Spam-folder on the server.
    The rest is collected b
  • by onehairyleg (247673) on Tuesday April 27, 2004 @08:52AM (#8982676)
    I've been using SpamAssasin that my mail ISP(ASP) provides me with - and it seemed to be working really well. I trust it so much that anything now goes to /dev/null - however - it all seems to have broken down with what appears to be a new improved spam attack: Over the last week or two I've been getting 50+ mails a day that appear as "Mail returned" messages where they are obvisouly bouncing mail back to me - often using random_username@mydomain.com as the fake from address which then hits my postmaster@mydomain.com and is forwarded to me.

    This is a major PITA, as whilst I now filter these too it makes it more difficult to see when _my_ real legitimate mail didn't make it somewhere because of a problem.

    How long can the spam filters hold all this back !
  • I use TMDA to filter incoming messages, and tag outgoing ones.

    I sign up to mailing lists using listname@mydomain.com, then use TMDA to:

    • Rewrite the From: address to the one the list knows about, eg: gentoo@jamesholden.net
    • Generate a time-limited address for the Reply-To: header, which only works for a week.

    This means that I never post to the list from the wrong address, and people on the list can reply to me without being issued a challenge/response mail.

    Actual list traffic is sorted into a folder base

  • Until this year, I was lucky enough to have never received an email based worm. I have participated in an OSS project, and my email address is in the code and on a mailing list.

    Starting this year I started receiving emails to my OSS address, and variations on that address (as anything@me.domain will be delivered to me).

    I turned on virus protection at my email provider. That left me with 100 bogus bounced emails a day, mostly to unused email addresses.

    I set up rules to reject email sent to common-names@
  • Must I set up disposable email accounts for every list?"

    Actually, what I do is have a single disposable email account for all lists, and change it regularly. I suspect that some spammers (probably those who troll WHOIS records) are getting wise to that and starting to email to random@domain.tld (where random is someone's name).

  • I've never had any problems with sourceforge.net. They listserv modification successfully obscures my e-mail on the list archives.

    But, please, don't blame OSS.
  • I used to try being as anonymous as possible, because, like the poster, I did not want to face the wrath of the spam monster. However, when my work address, which was on published aliases, started getting hunted in earnest by the spam monster, I was finally forced to look into Baysian filters (I chose spamprobe [sourceforge.net], but there are plenty of other good ones as well). The pleasant surprise was that they work extremely well. So well, in fact, that I've really just stopped worrying about how many spammers get my
  • I've not joined some groups specifically because of this problem. Getting 400-500 spams a day is a pain, even if only a couple come through the filters.

    Slashdot example: I used to have a visible mail account posted here at /.

    I quickly turned that off, though to this day 10% of my spam is to that account, so I've placed it in the /dev/null filter. I've not used it in 4 or more years.

    The sad thing is that I did initially get some on-topic private emails...no more.

  • I use TMDA (Tagged Message Delivery Agent http://tmda.net ) which lets me generate addresses which only accept mail either for a limited time or from certain domains/addresses. It'll auto maintain a whitelist, and you can have a blacklist. If mail comes in to an address which has 'expired' or which is from the 'wrong' sender, you can decide whether to drop the email, or send a 'challenge', which if the sender replies to, you receive the email.
    The only problem with C/R mechanisms like this (besides the ~3x
  • I used to be a subscriber to the Sue Spammers mailing list, for folks interested in taking legal action against spammers. I unsubscribed after a month or so, when I found the list archives were public, with exposed e-mail addresses, including my own. Red flag, bull, etc.

    WTF?

    -Waldo Jaquith
  • The answer is yes. (Score:3, Informative)

    by /dev/trash (182850) on Tuesday April 27, 2004 @12:40PM (#8985477) Homepage Journal
    Go to Sneakemail [sneakemail.com] and sign up. It makes life so much easier.
  • you can use all the disposable addresses you want at dodgeit. Just fill in #3 for me if you get a chance :-)

    1. create disposable email service
    2. give it away for free
    3. ???
    4. profit!
  • Alas, the 1st step is to allocate temporary email addresses for everything you participate in outside of your own domain.

    The 2nd step should be public evisceration of anyone who sells an email address, or sends email to a purchased email address -- preferably after having been administered enough stimulants that they are unable to lose consciousness until they lose life.

    And, yes, that is my tempered, reasoned response. You should see my knee-jerk response....
  • by uslinux.net (152591) on Tuesday April 27, 2004 @01:55PM (#8986509) Homepage
    One more reason why running your own mailserver is the way to go. Sendmail, for instance, easily supports virtual user tables (virtusertable) - aliases, basically. Use a rule like:

    USERNAME+%2@yourdomain.com USERNAME

    Which will deliver all mail in the form of bob+amazon@hisdomain.com to bob@hisdomain.com. Use a different name on each site, but you don't need to create aliases for each user. When you start getting spam to that address, just add a line *before* the one above of

    USERNAME+SOMESITE@yourdomain.com error:nouser User has been removed because of SPAM

    I only wish I had started doing this before my primary addresses had been harvested :-(
    • Doesn't always work. My ISP(Cogeco cable) doesn't allow inbound SMTP connections to its users.

      The only other high-speed residential option is Bell's DSL, which has other issues(such as not being terribly high-speed). A regional ISP does offer residential DSL, but not to my particular area.

      And I'm not a business, I've got a limited budget, so I can't afford something more expensive like a business connection. Always-on Internet is an expense I'm willing to deal with, but not by much.
    • USERNAME+%2@yourdomain.com USERNAME

      You don't need this rule. Sendmail defaults to routing foo+bar to foo, unless there's a rule specifically to handle foo+bar.

  • by Samrobb (12731) on Tuesday April 27, 2004 @02:21PM (#8986798) Homepage Journal

    This is entirely by accident, but I've talked to others who have done the same thing, and they've reported similar results.

    About 2 years ago, my wife and I set up our own mail server in-house. While we set up the normal "service@domain" addresses for various things, I also had her create a "spam@ourdomain" address for me - something I could use as a generic address for one-time registration pages, that sort of thing. I've been using my "spam@" address pretty regularly since it's been created. More so as time wore on, when something became pretty apparent:

    I was getting almost no spam directed to that address.

    Now, I've used that address in a number of places, including on Usenet. I get (perhaps) one or two prices of spam per month. The only thing I can figure is that spammers, or folks putting together mailing lists for spammers, have decided that "spam@" just isn't worth sending email to. Maybe I've just been lucky; maybe my "spam@" address will be inundated with spam tomorrow morning. I don't know. I do know that it's worked well enough for me that if I ever end up managing a mail server for another domain, I'm going to make sure that I have a "spam@" address there as well.

    • I can only agree. I have been using me.spam@domain.tld for a few months now. The amount of spam has gone down.

      Most people when replying will not even look at the actual email address. They will also be the people most likely to have my email address harvested, (virus, chain mail). The power users will ask or drop the .spam part.

      The evil spammers, AFAIK just drop all address containing spam, as logical speaking if you have offuscated your email address your not going to respond to a spam and/or your going

  • Slightly off topic, but the discussions here made a light bulb go off in my head...

    We, the people fighting spam, might be making stuff worse for ourselves. Super bacteria that are resistant to antibiotics came about as a result of an overuse of antibiotics. Are we doing the same thing to spam? Are we inadvertently accelerating the evolution of spam technology?

    Maybe instead of using ever more complex filters and other anti-spam techniques, we should alter our approach to spam before we completely lose the
    • I agree. Some spam will get through. I just delete it or mark it for spam training... depending on whats available. I believe that it is possible to thrwart the efforts of email spammers. For example many search engines do a good job with webspam and they deal with much larger datasets. Depending what you use email for and how much time you spend using it, each person has to strike a balance between training the filters and getting a bit o spam. Large internet service providers are making an effort to block
      • I get about 150 spams a day at work. These are merely being marked as spam and sent on to the clients, because we still have not found a filter that never classifies any client email as spam. Since I get this spam in such huge volumes, I tend to notice some trends. About ten spams a day get through without being marked. Spammers learn and next week whatever trick those spams used will be used by all the spammers. Then the filters catch up. Then the spams catch up. Then the filters catch up. Then the spams c
    • As it turns out, *no* spammer has the same filter I do. I use Bayesian filters; in particular, Thunderbird for recreational use, and Outlook with SpamBayes for professional use. What I consider as spam is different from what anybody else considers as spam, so my filter is different from anybody else's.
  • If you find yourself forced to use Outlook (Look out!) for whatever reason, you might want to try using SpamBayes [sourceforge.net] for Bayesian spam filtering. I actually like it better than Thunderbird's filtering. It dumps mail into three buckets: spam, ham, and not sure. I've been using it for one of my accounts for a number of months now, and I haven't seen spam in my ham bucket since about a week after I started using it. The "not sure" bucket is innovative; it allows a third option for e-mails that the filter isn'
  • the easiest way to set up disposable addresses is to get a (free) account at spamgourmet.com. you can then create addresses on the fly, without having to go to their site. for example, the first 12 messages sent to
    slashdot.12.mbloore@spamgourmet.com will be forwarded to me. any others will get eaten. i don't ever have to go back to the spamgourmet site, but if i do i can do things like see how much mail each of my addresses has received, set up whitelists, and reset counters on existing addresses.
    • If the disposable addresses are created on the fly to a straightforward pattern, what stops an evil spammer from parsing *.*.*@spamgourmet.com addresses and adding, for example, p3n1sgrowth.9999.mbloore@spamgourmet.com to his mailing list?

      You would then have to cancel that subaddress manually, but in the meantime he would have added p3n1sgrowtha.9999.mbloore@spamgourmet.com, p3n1sgrowthb.9999.mbloore@spamgourmet.com, etc.

      • the maximum number allowed is 20, and you can set up "watchwords" that are required to appear in addresses.
        in any case, it doesn't seem likely that spammers will go to a great deal of trouble to spam a few people who have demonstrated their desire to avoid spam. what would it profit them?
  • by pongo000 (97357)
    TMDA [tmda.net] allows you to specify "keyword" addresses. Simply pick a keyword, and a new e-mail addy is generated. If it gets swamped with spam, put it in your blacklist and get on with life.

Karl's version of Parkinson's Law: Work expands to exceed the time alloted it.

Working...