
Subject: Re: [chairs] SPAM


Karl,

Brilliant idea.

Delete the address after the @ sign - and replace it
with a string - say '12345.com' where that matches
that person's OASIS membership # - and that
allows us to maintain an audit trail as needed.

DW.

----- Original Message ----- 
From: "Karl F. Best" <karl.best@oasis-open.org>
To: "Duane Nickull" <dnickull@adobe.com>; <chairs@lists.oasis-open.org>
Sent: Tuesday, April 13, 2004 11:41 AM
Subject: Re: [chairs] SPAM


> Chairs:
>
> I'll open another can of worms and jump into this :-)
>
> I agree with you wholeheartedly, Duane, that this is a problem. I'll bet
> that I get more spam than you do (few hundred a day). And I have no
> doubt that all this is because of spammers harvesting addresses from our
> list archives.
>
> Of course a knee-jerk reaction would be to close off the archives so
> that nobody can get to them, but given that the OASIS philosophy is
> openness and accountability we need to keep things open and accessible.
>
> There seem to be two possible solutions: either disguise the addresses
> stored in the archives, or to somehow block access so that only a human
> can get through. (I don't think that we want to go down the path of an
> offensive strategy such as what Duane suggests.)
>
> Lacking a foolproof Turing test to allow only human access to the
> archives, I think the best and easiest solution will probably be to
> disguise the email addresses attached to each message so that whatever
> is harvested is unusable by spammers. The disguise would have to be such
> that the harvester would not be able to accurately or easily recreate
> the address. Obviously substituting the word "at" for the @ sign isn't
> going to fool anybody for very long. But whatever we do may not disguise
> the actual identity of the sender; we need to know who sent the message.
>
> A final question is whether it is necessary for a person to be able to
> respond to a message he found in the archives; i.e. does the guy on the
> street need to be able to figure out how to respond to Duane when he
> reads something that Duane wrote? Perhaps this requirement is not so
> important, as TC members already know how to respond to the TC list, and
> the guy on the street is already given instructions for sending a
> comment to the TC.
>
> If the above is acceptable then perhaps I could suggest (and please
> note, this is just a strawman for discussion, not an official OASIS
> proposal) that we delete some portion of the address after the @ sign.
> We could delete all of it, leaving just "duane@", for example, but then
> we lose any idea about what company Duane was at, whether Yellow Dragon
> or Adobe (and it may be important for IPR reasons to know). So maybe we
> could leave the first couple of characters after the @ sign, resulting
> in "duane@ye" or "duane@ad". If we left three characters then we'd get
> "sun" and "ibm" etc. which would make it possible to reconstruct the
> address. But then again with only two we would get "hp".
>
> So, any comments on whether it should be a requirement for a human to
> still be able to figure out the email address? And, if that's not a
> requirement, what do you think of my above suggestion?
>
> -Karl
>
> p.s. Duane, I hope you don't mind me using you as the example :-)
>
>
>
>
>
> Duane Nickull wrote:
> > I am getting ruthlessly spammed and every day it increases.
> >
> > After careful analysis, I have deduced that my email address is most
> > often harvested from OASIS list archives.
> > I would favor setting up a system that makes it harder for spammers to
> > harvest email addresses from this list by confusing the heuristic
> > filters.
> >
> > Others have done something like this to fight it
> >
> > dnickull(at)adobe.com - replace the (at) with the "@" sign to email.
> >
> > but this is too easy to program around.
> >
> > I couldn't sleep last night and came up with a more devious plot to foil
> > the spammers.  What if we adopted both a defensive and offensive
> > strategy?  First of all, if we defensively replaced all the email
> > archives email addresses with something that confused the spam
> > harvesters like
> >
> > "dnickull" + [some_randomness_here] + domainname + {something else to
> > hide the domain suffix - .com, .org, .gov}
> >
> > that would potentially cut down email addresses getting harvested.
> >
> > Second, as an offensive weapon, make some dynamic pages that either
> > detect patterns in the log files of a bot looking for email addresses
> > (such as a repeated get() for more than 10 archive pages within a
> > certain timeframe) and it would generate hundreds of email addresses
> > that are invisible to the human eye, but would be based on the URL the
> > get originated from.
> > For example, if I send a request to get() the archives for OASIS
> > from IP address 216.154.143.253, the page would generate 100's of hidden
> > email addresses, all @216.154.143.253.  The IP address is a readily
> > available environmental variable within an HTTP request scenario.
> >
> > To the casual observer, there would be no difference in the page display
> > but to a spam email harvester, this would add 100's (perhaps 1,000's) of
> > emails that would end up with the spam harvester being the victim of
> > their own spam.
> >
> > This could be both funny and help solve the problem.  This would also
> > not be too hard IMO to implement.
> >
> > Thoughts?
> >
> > Duane
> >
>
>
> -- 
> =================================================================
> Karl F. Best
> Vice President, OASIS
> office  +1 978.667.5115 x206     mobile +1 978.761.1648
> karl.best@oasis-open.org      http://www.oasis-open.org
>
>
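
The two address-disguise schemes discussed in this thread (the membership-number domain and the truncated domain), as an added example that is not part of the original messages. The membership numbers, the `suffix` parameter and all function names are constructed for illustration.

```python
import re

# Constructed membership directory (hypothetical numbers, not real OASIS data).
MEMBERS = {
    "dnickull@adobe.com": 12345,
    "karl.best@oasis-open.org": 20001,
}

# Pragmatic matcher for addresses as they appear in archived headers and bodies.
ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")


def redact_by_member_id(text, members=MEMBERS, suffix=".com"):
    """Keep the local part and swap the domain for '<member#><suffix>'.

    The archive operator keeps `members` private, so the number still
    identifies the sender for audit purposes.
    """
    def swap(match):
        addr = match.group(0)
        local = addr.split("@", 1)[0]
        member_no = members.get(addr.lower())
        if member_no is None:
            # No audit mapping for this sender: drop the domain entirely.
            return f"{local}@"
        return f"{local}@{member_no}{suffix}"
    return ADDR_RE.sub(swap, text)


def redact_by_truncation(text, keep=2):
    """Keep only the first `keep` characters after the @ sign."""
    def cut(match):
        local, domain = match.group(0).split("@", 1)
        return f"{local}@{domain[:keep]}"
    return ADDR_RE.sub(cut, text)


def leaks_domain_label(addr, keep=2):
    """True when truncation leaves the whole first domain label visible,
    which is the 'sun'/'ibm'/'hp' problem raised in the thread."""
    label = addr.split("@", 1)[1].split(".", 1)[0]
    return len(label) <= keep


if __name__ == "__main__":
    header = 'From: "Duane Nickull" <dnickull@adobe.com>'
    print(redact_by_member_id(header))
    print(redact_by_truncation(header))
```

Passing `suffix=".invalid"` (a reserved top-level domain) keeps the rewritten address from pointing at a registrable domain such as 12345.com.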


