OASIS Mailing List Archives

chairs message


Subject: Re: [chairs] SPAM


Yeah, we thought about something like that, i.e. replacement of the 
address with some sort of code. But in order to be effective it must be 
costly (i.e. impossible for a machine, requires a human) to re-convert 
large quantities of addresses, but simple for a human to re-convert a 
single address.

From the first Slashdot example, at least, it would be simple for a 
human to look at the address and create a simple rule for how to 
recreate the original.

-Karl

p.s. <chuckle> the rotating banner at the top of the Slashdot page when 
I viewed it was an O'Reilly ad for a book on creating spiders and 
bots... </>




Eve L. Maler wrote:
> Why not just use a mechanistic, but variable, means of disguising the 
> email address the way Slashdot does?  An example appears here:
> 
>   http://slashdot.org/comments.pl?sid=103884&cid=8848779
> 
> The email link shows up as:
> 
>   mailto:heironymouscoward%40yah%5B%20%5Dcom%20%5B'oo.'%20in%20gap%5D
> 
> A human can decode this as necessary, but a machine has a much tougher 
> time.  Here's another:
> 
>   http://slashdot.org/comments.pl?sid=103883&cid=8848358
> 
> The email link shows up as:
> 
>   mailto:dgorman%40nosPaM.arete.cc
> 
> Etc.  I believe the engine behind Slashdot is open-source, so maybe that 
> (or part of it, anyway) can be used.  Though I wonder about its 
> effectiveness if a spammer can locate all the disguise techniques in a 
> file somewhere...
> 
>     Eve
> 
> Karl F. Best wrote:
> 
>> Chairs:
>>
>> I'll open another can of worms and jump into this :-)
>>
>> I agree with you wholeheartedly, Duane, that this is a problem. I'll 
>> bet that I get more spam than you do (few hundred a day). And I have 
>> no doubt that all this is because of spammers harvesting addresses 
>> from our list archives.
>>
>> Of course a knee-jerk reaction would be to close off the archives so 
>> that nobody can get to them, but given that the OASIS philosophy is 
>> openness and accountability we need to keep things open and accessible.
>>
>> There seem to be two possible solutions: either to disguise the 
>> addresses stored in the archives, or to somehow block access so that 
>> only a human can get through. (I don't think that we want to go down 
>> the path of an offensive strategy such as what Duane suggests.)
>>
>> Lacking a foolproof Turing test to allow only human access to the 
>> archives, I think the best and easiest solution will probably be to 
>> disguise the email addresses attached to each message so that whatever 
>> is harvested is unusable by spammers. The disguise would have to be 
>> such that the harvester would not be able to accurately or easily 
>> recreate the address. Obviously substituting the word "at" for the @ 
>> sign isn't going to fool anybody for very long. But whatever we do may 
>> not disguise the actual identity of the sender; we need to know who 
>> sent the message.
>>
>> A final question is whether it is necessary for a person to be able to 
>> respond to a message he found in the archives; i.e. does the guy on 
>> the street need to be able to figure out how to respond to Duane when 
>> he reads something that Duane wrote? Perhaps this requirement is not 
>> so important, as TC members already know how to respond to the TC 
>> list, and the guy on the street is already given instructions for 
>> sending a comment to the TC.
>>
>> If the above is acceptable then perhaps I could suggest (and please 
>> note, this is just a strawman for discussion, not an official OASIS 
>> proposal) that we delete some portion of the address after the @ sign. 
>> We could delete all of it, leaving just "duane@", for example, but 
>> then we lose any idea about what company Duane was at, whether Yellow 
>> Dragon or Adobe (and it may be important for IPR reasons to know). So 
>> maybe we could leave the first couple of characters after the @ sign, 
>> resulting in "duane@ye" or "duane@ad". If we left three characters 
>> then we'd get "sun" and "ibm" etc. which would make it possible to 
>> reconstruct the address. But then again with only two we would get "hp".
>>
>> So, any comments on whether it should be a requirement for a human to 
>> still be able to figure out the email address? And, if that's not a 
>> requirement, what do you think of my above suggestion?
>>
>> -Karl
>>
>> p.s. Duane, I hope you don't mind me using you as the example :-)
> 


-- 
=================================================================
Karl F. Best
Vice President, OASIS
office  +1 978.667.5115 x206     mobile +1 978.761.1648
karl.best@oasis-open.org      http://www.oasis-open.org
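
The strawman from the quoted message (keep only the first couple of characters after the @ sign), worked through as an added example that is not part of the original thread or any OASIS tooling. The function names, the sample addresses and the `.example` domains are constructed for illustration; the audit flags the "hp" / "sun" / "ibm" case where the kept prefix already covers the whole first domain label.

```python
import re

# Constructed sample data; none of these addresses come from the thread.
SAMPLE = [
    "duane@yellowdragon.example",
    "duane@adobe.example",
    "pat@sun.example",
    "lee@ibm.example",
    "kim@hp.example",
]
# Constructed list of domains an archive might contain.
KNOWN_DOMAINS = [a.split("@")[1] for a in SAMPLE] + ["adventure.example"]

ADDR = re.compile(r"([A-Za-z0-9._%+-]+)@([A-Za-z0-9.-]+\.[A-Za-z]{2,})")


def redact(text, keep=2):
    """Cut every address in text down to local part, '@' and the
    first `keep` characters of the domain."""
    return ADDR.sub(lambda m: f"{m.group(1)}@{m.group(2)[:keep]}", text)


def leaks_full_label(address, keep=2):
    """True when the first domain label is no longer than `keep`,
    so truncation leaves that label fully readable."""
    first_label = address.rsplit("@", 1)[1].split(".")[0]
    return len(first_label) <= keep


def audit(addresses, keep):
    """Addresses whose first domain label survives truncation intact."""
    return [a for a in addresses if leaks_full_label(a, keep)]


def anonymity_set(redacted, known_domains):
    """Known domains consistent with a redacted address. A set of
    size one means the redaction hides nothing for that sender."""
    prefix = redacted.rsplit("@", 1)[1]
    return [d for d in known_domains if d.startswith(prefix)]


if __name__ == "__main__":
    for keep in (2, 3):
        print(keep, [redact(a, keep) for a in SAMPLE], audit(SAMPLE, keep))
    print(anonymity_set("duane@ad", KNOWN_DOMAINS))
```
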


