Re: [chairs] SPAM

["Eve L. Maler" <Eve.Maler@Sun.COM>]

Why not just use a mechanistic, but variable, means of disguising the 
email address the way Slashdot does?  An example appears here:

   http://slashdot.org/comments.pl?sid=103884&cid=8848779

The email link shows up as:

   mailto:heironymouscoward%40yah%5B%20%5Dcom%20%5B'oo.'%20in%20gap%5D

A human can decode this as necessary, but a machine has a much tougher 
time.  Here's another:

   http://slashdot.org/comments.pl?sid=103883&cid=8848358

The email link shows up as:

   mailto:dgorman%40nosPaM.arete.cc

Etc.  I believe the engine behind Slashdot is open-source, so maybe that 
(or part of it, anyway) can be used.  Though I wonder about its 
effectiveness if a spammer can locate all the disguise techniques in a 
file somewhere...

	Eve

Karl F. Best wrote:

> Chairs:
> 
> I'll open another can of worms and jump into this :-)
> 
> I agree with you wholeheartedly, Duane, that this is a problem. I'll bet 
> that I get more spam than you do (few hundred a day). And I have no 
> doubt that all this is because of spammers harvesting addresses from our 
> list archives.
> 
> Of course a knee-jerk reaction would be to close off the archives so 
> that nobody can get to them, but given that the OASIS philosophy is 
> openness and accountability we need to keep things open and accessible.
> 
> There seems to be two possible solutions: either disguise the addresses 
> stored in the archives, or to somehow block access so that only a human 
> can get through. (I don't think that we want to go down the path of an 
> offensive strategy such as what Duane suggests.)
> 
> Lacking a foolproof Turing test to allow only human access to the 
> archives, I think the best and easiest solution will probably be to 
> disguise the email addresses attached to each message so that whatever 
> is harvested in unusable by spammers. The disguise would have to be such 
> that the harvester would not be able to accurately or easily recreate 
> the address. Obviously substituting the word "at" for the @ sign isn't 
> going to fool anybody for very long. But whatever we do may not disguise 
> the actual identity of the sender; we need to know who sent the message.
> 
> A final question is whether it is necessary for a person to be able to 
> respond to a message he found in the archives; i.e. does the guy on the 
> street need to be able to figure out how to respond to Duane when he 
> reads something thet Duane wrote? Perhaps this requirement is not so 
> important, as TC members already know how to respond to the TC list, and 
> the guy on the street is already given instructions for sending a 
> comment to the TC.
> 
> If the above is acceptable then perhaps I could suggest (and please 
> note, this is just a strawman for discussion, not an official OASIS 
> proposal) that we delete some portion of the address after the @ sign. 
> We could delete all of it, leaving just "duane@", for example, but then 
> we loose any idea about what company Duane was at, whether Yellow Dragon 
> or Adobe (and it may be important for IPR reasons to know). So maybe we 
> could leave the first couple of characters after the @ sign, resulting 
> in "duane@ye" or "duane@ad". If we left three characters then we'd get 
> "sun" and "ibm" etc. which would make it possible to reconstruct the 
> address. But then again with only two we would get "hp".
> 
> So, any comments on whether it should be a requirement for a human to 
> still be able to figure out the email address? And, if that's not a 
> requirement, what do you think of my above suggestion?
> 
> -Karl
> 
> p.s. Duane, I hope you don't mind me using you as the example :-)
-- 
Eve Maler                                        +1 781 442 3190
Sun Microsystems                            cell +1 781 354 9441
Web Products, Technologies, and Standards    eve.maler @ sun.com