Volunteering for OSS == Sign Up for Spam?
bckspc asks: "I've been getting pounded by spam lately, so did a Google search on my email address to see where it might appear on the Web. To my horror, it turned up several times in an archive of a Gnome listserv for a project I briefly participated in. While the email address is visibly obscured on the Web pages, it is quite intact in the HTML code. I emailed the list admin about obscuring or removing my email address, but was curtly dismissed. I'm a relative newbie and the experience soured me on participating in other OSS projects. How do Slashdot users deal with this? Must I set up disposable email accounts for every list?"
thats not what im worried about! (Score:5, Funny)
And the Debian lists are very well linked to; it's been hard for me to persuade Google to give higher priority to my own website, where I can make out I'm not a geek
Re:thats not what im worried about! (Score:1)
Re:thats not what im worried about! (Score:1)
and I've got about 5 domain names I don't need......and?!
Short on solutions bar list admins clueing up (Score:5, Informative)
The only solution that will effectively work (until we fix the spam problem all round) is for list admins to be more careful about munging email addresses to some degree.
The default setting for programs such as pipermail should be one where email addresses are not explicitly displayed.
The best solution I've found to solve problems with email addresses online is Jodrell's mailto php script which renders the address obfuscated but displays it correctly in the browser using JavaScript.
http://jodrell.net/projects/mailto [jodrell.net]
Re:Short on solutions bar list admins clueing up (Score:2)
Re:Short on solutions bar list admins clueing up (Score:2)
Create a safe server which runs the decrypt. Have the safe server identify IP addresses and restrict IP addresses which are obviously automated. This means that a given IP address can only "see" a finite number of email addresses per unit time.
Add blacklisting and you have reasonably restricted email addresses.
The server could also serve up and create temporary proxies which could later be identified.
For example:
Your email is Bob@OpenStuff.com
The server says your em
Yes (Score:4, Informative)
Re:Yes (Score:1)
Re:Yes (Score:1)
I use the same old trick for anywhere I have to use my email address: qmail-aliases.
With qmail (and probably postfix, haven't checked), user-alias@domain will resolve to user@domain automatically and without any additional configuration. So for example myname@domain is my "real" account. myname-sd@domain is for slashdot, myname-kde@ is for kde's lists, myname-vexi@ is for the Vexi development lists, etc., etc., etc.
When the spam starts coming in you can check where it came from easily and either chang
Re:Yes (Score:1)
-j
Re:Yes (Score:3, Insightful)
Re:Yes (Score:4, Interesting)
The parent is 100% right. At this point, it's nuts not to use a restricted email address for mailing lists since so many are archived in various places, and it's well known that spammers crawl these archives for addresses. Some mailing lists are archived on hundreds or even thousands of web sites.
Another option is time-expiring addresses. I do this for usenet since there are no subscription issues. I change addresses every month, and they last for 2, giving a reasonable working time. Again - obscured real address in the sig.
These schemes obviously work best when you control your own domain as you can have custom bounce messages and such. I actually use several domains for different things (and host accounts for family and friends...)
Re:Yes (Score:1)
That's fine and dandy, but what about my situation? I contributed very small patches (<20 lines each) to a couple of projects last year, and now my email address appears in Changelogs which someone has thoughtfully put up on the Web for Google to index.
Re:Yes (Score:2)
While I detest challenge response systems, they are looking better and better as the spam problem gets worse.
Re:Yes (Score:1)
use multiple disposable email addresses (Score:5, Informative)
Whenever I need to put my email address somewhere public (i.e. mailing lists and websites) I make up a new email address of the form mailinglistname@myaccountname.freeserve.co.uk or websitename@myaccountname.freeserve.co.uk e.g. the email address I gave slashdot is slashdot.org@myaccountname.freeserve.co.uk
The good part: when I start getting spam to a particular address I just setup a filter that sends all mail to that address to /dev/null
It also lets you know where your email address was harvested from. So when I get spam turning up on slashdot.org@myaccountname.freeserve.co.uk I know it was slashdot who sold my email address to the evil spammers ;-)
If I want to receive mail from slashdot again I just change my email on slashdot to slashdot.org2@myaccountname.freeserve.co.uk
Interestingly most of the spam I get comes in to the email address ebay.co.uk@myaccountname.freeserve.co.uk
This has worked very well for me for several years.
Re:use multiple disposable email addresses (Score:1)
Re:use multiple disposable email addresses (Score:2)
Re:use multiple disposable email addresses (Score:4, Informative)
Whenever I need to put my email address somewhere public (i.e. mailing lists and websites) I make up a new email address of the form mailinglistname@myaccountname.freeserve.co.uk or websitename@myaccountname.freeserve.co.uk e.g. the email address I gave slashdot is slashdot.org@myaccountname.freeserve.co.uk
This will work great... right up until the point that your domain is subject to a dictionary attack by a spammer. You'll suddenly see your spam load go through the roof. And you won't be able to setup filters for each new iteration fast enough. And if it's your own server or you pay for bandwidth, your costs just keep rising.
You're better off creating real aliases for each new account and letting the server respond with a 550 invalid user for all others.
If you haven't been dictionary attacked yet... just wait... it'll happen... sooner or later.
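The trade-off this comment describes, as an added example that is not part of the original post: a recipient check that accepts only aliases that were explicitly created and answers 550 for everything else, set beside a catch-all domain when a run of guessed local parts arrives. The domain `example.org`, the class names and the guessed words are constructed for illustration.

```python
"""Added illustration: catch-all domain vs. explicit aliases at RCPT TO time."""

DOMAIN = "example.org"  # constructed domain, not taken from the thread


class CatchAllPolicy:
    """Accept anything@DOMAIN; retired addresses are dropped after acceptance."""

    def __init__(self):
        self.discard = set()  # local parts whose mail goes to /dev/null

    def retire(self, local):
        self.discard.add(local.lower())

    def rcpt(self, address):
        local, _, domain = address.lower().rpartition("@")
        if domain != DOMAIN or not local:
            return 550, "invalid user"
        if local in self.discard:
            # The message is still received in full before it is thrown away.
            return 250, "accepted, then discarded"
        return 250, "accepted"


class AliasPolicy:
    """Accept only aliases that were explicitly created; 550 for all others."""

    def __init__(self):
        self.aliases = {}  # local part -> who the address was given to

    def create(self, local, given_to):
        self.aliases[local.lower()] = given_to

    def retire(self, local):
        self.aliases.pop(local.lower(), None)

    def rcpt(self, address):
        local, _, domain = address.lower().rpartition("@")
        if domain != DOMAIN or local not in self.aliases:
            return 550, "invalid user"
        # The alias itself records where a leaked address came from.
        return 250, "accepted for alias given to " + self.aliases[local]


def replay(policy, recipients):
    """Return (accepted, rejected) counts for a list of RCPT TO addresses."""
    accepted = sum(1 for r in recipients if policy.rcpt(r)[0] == 250)
    return accepted, len(recipients) - accepted


# Constructed sample: two addresses that were handed out, then guessed names.
GUESSES = ["info", "sales", "admin", "john", "mary", "webmaster", "bob", "test"]
TRAFFIC = ["slashdot.org@" + DOMAIN, "ebay.co.uk@" + DOMAIN]
TRAFFIC += [guess + "@" + DOMAIN for guess in GUESSES]


def demo():
    catch_all = CatchAllPolicy()
    catch_all.retire("ebay.co.uk")      # spam started arriving at this address
    aliases = AliasPolicy()
    aliases.create("slashdot.org", "slashdot")
    aliases.create("ebay.co.uk", "ebay")
    aliases.retire("ebay.co.uk")        # same retirement, now a hard 550
    return replay(catch_all, TRAFFIC), replay(aliases, TRAFFIC)


if __name__ == "__main__":
    print(demo())
```

With the catch-all, every guessed recipient is accepted and its message transferred before any filter runs; with explicit aliases the same traffic is refused at the recipient stage.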
Re:use multiple disposable email addresses (Score:2)
There is a solution in the works... (Score:3, Insightful)
Is this the real source of the spam (Score:1)
I find it difficult to believe that the spam that you are receiving is as a result of your email address being on a list associated with an oss project.
My email address is openly available on numerous mailing lists and publications, and I also administer a small sports club website in which my personal email address has been visible for years. During that time I have constantly used the same email address. But to date I only receive about one or two spam mails per week. It may be that my experience is u
Re:Is this the real source of the spam (Score:1)
It's been interesting to me that I have a special "spam" email address that I use on mailing lists and the like, and I don't get much spam on it. In fact, I think I'm getting about as much from my regular email address, which never sees the light of day on a mailing list.
OTOH, the email address I used to have with a major ISP became a target for dozens of spam emails each day, perhaps because the ISP was targeted and because I have a common surname. Now that I have my own domain name, I get very little.
Re:Is this the real source of the spam (Score:2)
After that, I'm getting upwards of 10 spams a day. Just because someone is on an OSS project doesn't make them immune from getting harvested and spammed to death.
Re:Is this the real source of the spam (Score:1)
I had a nearly clean mailbox. Then I posted one message to linux-kernel. At least 40 viruses showed up in my inbox within the first 24 hours.
No real cure to this problem (Score:5, Interesting)
Worse than that, my name and email also appear on one OSS project's discussion board, in full and with really awkward comments from 1997 or so... Kind of embarrassing to read them now, especially with potential clients googling anybody's identities 8-)
I don't otherwise sign up my primary email address to any lists of sorts, and I use fake names when signing up for non-essential things; I also use disposable webmail addresses and vanity domains for that purpose. I only clean-up web accounts prior to expecting some sort of confirmation email, after which the account goes back to the abandoned, spammed-to-death status for another while.
Which is why (Score:2, Interesting)
It's not perfect; you could still trace it to me, or steal the handle if you were so inclined. But a google for that handle won't link it to me - I've checked for that.
Re:Which is why (Score:2)
Re:No real cure to this problem (Score:2)
Re:No real cure to this problem (Score:1)
This is very true (Score:1)
Nearly all of the SPAM email to an email address that I kept hidden for this reason come from a one line change I submitted to JRefactor for context menus on the mac. But still at least I got some credit for it!
Don't blame OSS, please! (Score:3, Insightful)
OSS or not, you should. There is no link between OSS and spam, but there is between mailing lists and spam.
There is not (yet) a way to make sure obfuscated e-mail addresses don't get caught by robots, so as a good habit I'd suggest you use disposable E-mail addresses every time your mail will be available on the web.
Re:Don't blame OSS, please! (Score:2)
They don't necessarily need be disposable, just separate. It's like having two phone lines, where one is unlisted and only for family and friends. The other phone line can get caller ID and an answering machine for screening.
Spamgourmet (Score:4, Informative)
Re:Spamgourmet (Score:3, Informative)
The same user name is good for multiple domains as well, i.e., slashdot.4.johndoe@spamgourmet.com would be interchangeable with slashdot.4.johndoe@neverbox.com. I don't remember the other domains off hand.
If you don't like making a different address for each use, despammed.com has an effective filter and you can opt to forward it on to another address.
Re:Spamgourmet (Score:2)
Although it is just a matter of time until spammers start extracting spamgourmet.com addies and then create their own randomkeyword.99999.yourusername@. Then you still have the option to block specific senders, but it would start getting too tr
Recent spam (Score:2)
I've also noticed that I get blocks of maybe a dozen of the same three or four spams, and while the 40+ Kb ones are still arriving they've been joined by dozens of 100+ Kb ones.
I use Mailwasher and frankly it's a joke nowadays. Easily 50% of my legitimate mails are flagged as spam because of blacklisting, and 100+ spams
Re:Recent spam (Score:1)
Set up your mail server to use SpamAssassin (can be painlessly hooked in through fetchmail) -- this has given me very little problem, I'd say maybe one false positive in over 10000 (ten thousand) emails or more. The trick is not to have it too aggressive and to use the bayesian filtering and to continuously train it as the spam patterns (and ham patterns) change.
The far bigger trick though is to use a couple of blacklists. I use cbl.abuseat.org and rbldns-list.dsbl.org's blacklists -- combined with rblsm
Re:Recent spam (Score:1)
I recommend Mozilla Thunderbird [mozilla.org], as it has good, integrated spam filtering, and it runs on Windows!
I have to say, I think web-based customer support is better, when tied together with email notifications to the customer. You can present your corporate image, as well as upsell advertising, and enable them to see precisely what is happening with their ticket.
Re:Recent spam (Score:2)
Both get rid of spam very differently but I've gotten about 99.8% accuracy with both (for different people)
SpamArrest uses "Challenge/Response" which is annoying if you have lots of new people email you but if it's mainly old email addresses it's great.
If you don't want to pay anything then POPFile is for you. It uses Bayesian filtering which basically means it learns what you think spam is. That means it might
Re:Recent spam (Score:3, Interesting)
I'd stay well clear..
Re:Recent spam (Score:1)
Best of luck,
Brien
I would have sent
Re:Recent spam (Score:1)
I'm on a few lists (Score:2, Insightful)
I don't know what everyone else is doing that is bringing them so much spam. If you play your cards right and use a filter it really isn't a problem anymore.
Re:I'm on a few lists (Score:2)
"I don't know what everyone else is doing that is bringing them so much spam."
It's called "being unlucky" - and believe me, we're not doing it on purpose...
"disposable email accounts for every list" (Score:1)
Doesn't matter what the list admin does to the web archives created, it won't stop other people creating web archives.
Many people on the gentoo lists have complained about getting barraged by spam and viruses soon after signing up and posting, yet Gentoo don't create any web archive!
Re:"disposable email accounts for every list" (Score:1)
False sense of security (Score:5, Insightful)
Send only to friends and family? Whoops -- your cousin Jane just sent you an e-card for your b-day. Guess what? The e-card company now has your address on a list (which will eventually be sold, resold, etc...).
Mom just sent you (and everyone else in her addressbook, and whatever addresses were on it to begin with) a copy of a chain letter! Guess what? One of those email addresses went to someone who's making a list!
Uncle Jim just got infected with the latest/greatest worm! Guess what? In addition to getting spammed "from" his address, you've most likely ended up on yet another list!
Posted to a public mailing list? Yep - you're on a list. Doesn't matter if it was Harvester 1.0 or the new and improved Harvester 3.5.2b, you're on the list.
See, no matter what you do, no matter how closely you guard that email address - if you actually intend it to be used, it's eventually going to get on a spammer's list. And once you're on one list, you might as well be on them all (as spammers sell their lists to each other, or collect & trade, etc...)
Munging the address in a public archive does really only one thing: Prevent legitimate contact. Remember: If a human can decipher the email address, so can a harvester. Simple string replacement is easily coded around. "Coding" your email address only works until the harvesters have translation tables. Munging them severely makes it incredibly hard for an actual human to use your address. In short, you're spiting the forest for the trees.
Looking at my personal mail stats, I get roughly 90% spam on any given day. Most of it's not even in English (and although I can understand a bit of spoken Japanese, I certainly can't read it, let alone the vast amount of Korean spam I receive). Sure, it sucks. But what can I do?
Well, for starters I filter on the server-side. SpamAssassin is the first line of defense. After training up the bayesian side of things, it catches roughly 90% of the spam I receive.
Second stage is a set of basic "sanity test" filters. Is it from someone I actually know (and is therefore whitelisted)? Is it actually "To" or "Cc" to a legitimate email address of mine? Attachments of known bad types? Headers added by known bulk-mailers? What does ClamAV have to say about it? (Yes, I started building this filter before I discovered SpamAssassin, so there's a bit of overlap) This weeds out around 50% of the remaining spam I get (5% of the total).
Third stage is Mozilla Thunderbird's bayesian filter, which once trained does a surprisingly good job of catching things that make it through the first two stages. I get about 1 or 2 a week that pass through all three stages - these get fed to both bayesian filters to be learned. The system isn't perfect, but it seems to work OK, until something better comes along. And anyone who needs to contact me can.
The other thing I do now (which I'd have done earlier, had I the resources) is give each company I do business with its own address. While this doesn't cut the spam, it does allow me to track who's been selling my address, and who hasn't. Yahoo and Ebay (both previously mentioned in other threads) have been the main culprits thus far, although there are a few smaller companies I've caught as having sold their email lists as well.
So, should we munge all email addresses beyond recognition in order to "stop" spam? I'd have to say no - as it prevents legitimate users from emailing you. Should we be extremely careful *who* we give our email addresses to, and *what* address we give out to them? Absolutely. Should we complain, *loudly* to companies whom we can catch selling our addresses to spammers, or worse, spamming us themselves? Absolutely.
Just my $.02.
Re:False sense of security (Score:3, Informative)
For those that don't have their own domain or ability to create new E-mail
Re:False sense of security (Score:1)
Re:False sense of security (Score:1)
Re:False sense of security (Score:2)
It's swell that you are able to get rid of so many spammails, but to me, my real concern is eliminating false positives. What do you do to ensure that "valid" emails aren't thrown out with the spam?
Re:False sense of security (Score:1)
two options (Score:2)
2. keep the same email account and filter spam
#1 is a pain as you have to keep updating contacts to your new email address. (spammers seem to have no trouble finding it)
#2 also involves ongoing effort. Every new thing I do to stop spammers seems to be great for the first few weeks (no spam gets through), then one, then one or two. It still filters out 99% though.
Remember though, for every spammer you shoot, there are 5 more ready to step up to take their place!
I don't care (Score:1)
Google and friends show my address in many maillist and FIDO archives for last four or five years. There's 200+ mail users in our domain. I receive more spam and viruses than anyone else.
There's no reason to hide my email anymore. I receive lots of spam anyway. Simple procmail rules stop 90% of it:
You Think You've Got Problems (Score:2)
I use nkvir-rc under procmail to filter them, which leaves only a few dozen bounce messages per day from sites that got viruses with my return address on them. I have amended nkvir-rc [cantrip.org] to work properly with Maildir-style mailboxes. (Probably the
and bug reports too (Score:2)
Easy (Score:2)
- virus-checking (I don't have to wade through almost 600 viruses per month just by using clamav on the server)
- RBL'ing of all the open proxies, open relays and dynamic IP-address-space (~5000 "hits" per month for me - potential spam that never even enters my server)
- and filter the rest of mail via Spamassassin
This way, I get only 5-10 spams per day or so and most of it is pre-filtered into my Spam-folder on the server.
The rest is collected b
New "Mail Returned" tactic (Score:3, Interesting)
This is a major PITA, as whilst I now filter these too it makes it more difficult to see when _my_ real legitimate mail didn't make it somewhere because of a problem.
How long can the spam filters hold all this back !
Use TMDA (Score:2)
I sign up to mailing lists using listname@mydomain.com, then use TMDA to:
This means that I never post to the list from the wrong address, and people on the list can reply to me without being issued a challenge/response mail.
Actual list traffic is sorted into a folder base
Worms are the bane of my existence (Score:2)
Starting this year I started receiving emails to my OSS address, and variations on that address (as anything@me.domain will be delivered to me).
I turned on virus protection at my email provider. That left me with 100 bogus bounced emails a day, mostly to unused email addresses.
I set up rules to reject email sent to common-names@
In a word - Yes (Score:2)
"Must I set up disposable email accounts for every list?"
Actually, what I do is have a single disposable email account for all lists, and change it regularly. I suspect that some spammers (probably those who troll WHOIS records) are getting wise to that and starting to email to random@domain.tld (where random is someone's name).
SF.net (Score:1)
But, please, don't blame OSS.
Get a good spam filter (Score:1)
Yep, that's dissuaded me from posting too... (Score:2)
Slashdot example: I used to have a visible mail account posted here at /.
I quickly turned that off, though to this day 10% of my spam is to that account, so I've placed it in the /dev/null filter. I've not used it in 4 or more years.
The sad thing is that I did initially get some on-topic private emails...no more.
TMDA and other challenge response mechanisms... (Score:2)
The only problem with C/R mechanisms like this (besides the ~3x
Sue Spammers List (Score:2)
WTF?
-Waldo Jaquith
The answer is yes. (Score:3, Informative)
dodgeit (Score:1)
1. create disposable email service
2. give it away for free
3. ???
4. profit!
solution (Score:1)
The 2nd step should be public evisceration of anyone who sells an email address, or sends email to a purchased email address -- preferably after having been administered enough stimulants that they are unable to lose consciousness until they lose life.
And, yes, that is my tempered, reasoned response. You should see my knee-jerk response....
Run your own mail server! (Score:4, Informative)
USERNAME+%2@yourdomain.com USERNAME
Which will deliver all mail in the form of bob+amazon@hisdomain.com to bob@hisdomain.com. Use a different name on each site, but you don't need to create aliases for each user. When you start getting spam to that address, just add a line *before* the one above of
USERNAME+SOMESITE@yourdomain.com error:nouser User has been removed because of SPAM
I only wish I had started doing this before my primary addresses had been harvested
Can't always run your own server (Score:1)
The only other high-speed residential option is Bell's DSL, which has other issues(such as not being terribly high-speed). A regional ISP does offer residential DSL, but not to my particular area.
And I'm not a business, I've got a limited budget, so I can't afford something more expensive like a business connection. Always-on Internet is an expense I'm willing to deal with, but not by much.
Re:Run your own mail server! (Score:2)
USERNAME+%2@yourdomain.com USERNAME
You don't need this rule. Sendmail defaults to routing foo+bar to foo, unless there's a rule specifically to handle foo+bar.
How I've avoided spam... (Score:4, Interesting)
This is entirely by accident, but I've talked to others who have done the same thing, and they've reported similar results.
About 2 years ago, my wife and I set up our own mail server in-house. While we set up the normal "service@domain" addresses for various things, I also had her create a "spam@ourdomain" address for me - something I could use as a generic address for one-time registration pages, that sort of thing. I've been using my "spam@" address pretty regularly since it's been created. More so as time wore on, when something became pretty apparent:
I was getting almost no spam directed to that address.
Now, I've used that address in a number of places, including on Usenet. I get (perhaps) one or two pieces of spam per month. The only thing I can figure is that spammers, or folks putting together mailing lists for spammers, have decided that "spam@" just isn't worth sending email to. Maybe I've just been lucky; maybe my "spam@" address will be inundated with spam tomorrow morning. I don't know. I do know that it's worked well enough for me that if I ever end up managing a mail server for another domain, I'm going to make sure that I have a "spam@" address there as well.
Re:How I've avoided spam... (Score:3, Interesting)
Most people when replying will not even look at the actual email address. They will also be the people most likely to have my email address harvested, (virus, chain mail). The power users will ask or drop the .spam part.
The evil spammers, AFAIK, just drop all addresses containing spam, as logically speaking if you have obfuscated your email address you're not going to respond to a spam and/or you're going
Spam evolution (Score:2)
We, the people fighting spam, might be making stuff worse for ourselves. Super bacteria that are resistant to antibiotics came about as a result of an overuse of antibiotics. Are we doing the same thing to spam? Are we inadvertently accelerating the evolution of spam technology?
Maybe instead of using ever more complex filters and other anti-spam techniques, we should alter our approach to spam before we completely lose the
Re:Spam evolution (Score:1)
Re:Spam evolution (Score:2)
Re:Spam evolution (Score:1)
Re:Spam evolution (Score:1)
SpamBayes for Outlook (Score:1)
easiest disposable addresses (Score:2)
slashdot.12.mbloore@spamgourmet.com will be forwarded to me. any others will get eaten. i don't ever have to go back to the spamgourmet site, but if i do i can do things like see how much mail each of my addresses has received, set up whitelists, and reset counters on existing addresses.
Re:easiest disposable addresses (Score:1)
You would then have to cancel that subaddress manually, but in the meantime he would have added p3n1sgrowtha.9999.mbloore@spamgourmet.com, p3n1sgrowthb.9999.mbloore@spamgourmet.com, etc.
Re:easiest disposable addresses (Score:2)
in any case, it doesn't seem likely that spammers will go to a great deal of trouble to spam a few people who have demonstrated their desire to avoid spam. what would it profit them?
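The counted-address scheme discussed in the Spamgourmet comments above (`word.N.user@domain`), as an added model that is not Spamgourmet's code and not part of any post: it forwards the first N messages per address, eats the rest, and lists addresses the owner never handed out so they can be cancelled by hand. The `.example` domains, the user `jdoe`, the class and method names, the shared counter across domains, and the rule that N is fixed by the first message are assumptions.

```python
"""Added illustration: counted disposable addresses, word.N.user@domain."""
import re
from collections import defaultdict

ADDRESS_RE = re.compile(
    r"^(?P<word>[a-z0-9]+)\.(?P<limit>\d+)\.(?P<user>[a-z0-9]+)"
    r"@(?P<domain>[a-z0-9.-]+)$"
)


class CountedForwarder:
    """Forward the first N messages per (user, word); eat the rest."""

    def __init__(self, users, domains):
        self.users = dict(users)       # user -> protected real address
        self.domains = set(domains)    # interchangeable forwarding domains
        self.limit = {}                # (user, word) -> N
        self.seen = defaultdict(int)   # (user, word) -> messages received
        self.cancelled = set()

    def deliver(self, rcpt):
        m = ADDRESS_RE.match(rcpt.strip().lower())
        if not m or m["domain"] not in self.domains or m["user"] not in self.users:
            return "reject"
        key = (m["user"], m["word"])
        # Assumption: N is fixed by the first message to an address, so a
        # later sender cannot raise it by rewriting the number.
        self.limit.setdefault(key, int(m["limit"]))
        self.seen[key] += 1
        if key in self.cancelled or self.seen[key] > self.limit[key]:
            return "eaten"
        return "forward:" + self.users[m["user"]]

    def cancel(self, user, word):
        self.cancelled.add((user, word))

    def reset(self, user, word):
        self.seen[(user, word)] = 0

    def stats(self, user):
        """Messages received per word, whether forwarded or eaten."""
        return {w: n for (u, w), n in self.seen.items() if u == user}

    def unexpected(self, user, handed_out):
        """Words receiving mail that the owner never gave to anyone."""
        return sorted(set(self.stats(user)) - set(handed_out))


def demo():
    # Constructed user, real address and domains.
    fwd = CountedForwarder({"jdoe": "real.address@example.net"},
                           ["forwarder.example", "alt-forwarder.example"])
    results = [
        fwd.deliver("slashdot.2.jdoe@forwarder.example"),
        fwd.deliver("slashdot.2.jdoe@alt-forwarder.example"),  # same counter
        fwd.deliver("slashdot.2.jdoe@forwarder.example"),      # third message
        fwd.deliver("slashdot.50.jdoe@forwarder.example"),     # N not raised
    ]
    fwd.deliver("keyword.9999.jdoe@forwarder.example")  # never handed out
    suspicious = fwd.unexpected("jdoe", handed_out=["slashdot"])
    fwd.cancel("jdoe", suspicious[0])
    after_cancel = fwd.deliver("keyword.9999.jdoe@forwarder.example")
    return results, suspicious, after_cancel, fwd.stats("jdoe")


if __name__ == "__main__":
    print(demo())
```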
TMDA (Score:2)