[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [chairs] SPAM
Karl, Replacing the address with the OASIS # satisfies your requirement. It's basically impossible since there is no correlation. The only way back is if you have the OASIS membership / number xref list. My guess is you could setup a simple Java program or XSLT script to do this replacement stripping... DW. ----- Original Message ----- From: "Karl F. Best" <karl.best@oasis-open.org> To: "Eve L. Maler" <Eve.Maler@Sun.COM> Cc: <chairs@lists.oasis-open.org> Sent: Tuesday, April 13, 2004 12:10 PM Subject: Re: [chairs] SPAM > Yeah, we thought about something like that, i.e. replacement of the > address with some sort of code. But in order to be effective it must be > costly (i.e. impossible for a machine, requires a human) to re-convert > large quantities of addresses, but simple for a human to re-convert a > single address. > > From the first Slashdot example, at least, it would be simple for a > human to look at the address and create a simple rule for how to > recreate the original. > > -Karl > > p.s. <chuckle> the rotating banner at the top of the Slashdot page when > I viewed it was an O'Reilly ad for a book on creating spiders and > bots... </> > > > > > Eve L. Maler wrote: > > Why not just use a mechanistic, but variable, means of disguising the > > email address the way Slashdot does? An example appears here: > > > > http://slashdot.org/comments.pl?sid=103884&cid=8848779 > > > > The email link shows up as: > > > > mailto:heironymouscoward%40yah%5B%20%5Dcom%20%5B'oo.'%20in%20gap%5D > > > > A human can decode this as necessary, but a machine has a much tougher > > time. Here's another: > > > > http://slashdot.org/comments.pl?sid=103883&cid=8848358 > > > > The email link shows up as: > > > > mailto:dgorman%40nosPaM.arete.cc > > > > Etc. I believe the engine behind Slashdot is open-source, so maybe that > > (or part of it, anyway) can be used. Though I wonder about its > > effectiveness if a spammer can locate all the disguise techniques in a > > file somewhere... > > > > Eve > > > > Karl F. Best wrote: > > > >> Chairs: > >> > >> I'll open another can of worms and jump into this :-) > >> > >> I agree with you wholeheartedly, Duane, that this is a problem. I'll > >> bet that I get more spam than you do (few hundred a day). And I have > >> no doubt that all this is because of spammers harvesting addresses > >> from our list archives. > >> > >> Of course a knee-jerk reaction would be to close off the archives so > >> that nobody can get to them, but given that the OASIS philosophy is > >> openness and accountability we need to keep things open and accessible. > >> > >> There seems to be two possible solutions: either disguise the > >> addresses stored in the archives, or to somehow block access so that > >> only a human can get through. (I don't think that we want to go down > >> the path of an offensive strategy such as what Duane suggests.) > >> > >> Lacking a foolproof Turing test to allow only human access to the > >> archives, I think the best and easiest solution will probably be to > >> disguise the email addresses attached to each message so that whatever > >> is harvested in unusable by spammers. The disguise would have to be > >> such that the harvester would not be able to accurately or easily > >> recreate the address. Obviously substituting the word "at" for the @ > >> sign isn't going to fool anybody for very long. But whatever we do may > >> not disguise the actual identity of the sender; we need to know who > >> sent the message. > >> > >> A final question is whether it is necessary for a person to be able to > >> respond to a message he found in the archives; i.e. does the guy on > >> the street need to be able to figure out how to respond to Duane when > >> he reads something thet Duane wrote? Perhaps this requirement is not > >> so important, as TC members already know how to respond to the TC > >> list, and the guy on the street is already given instructions for > >> sending a comment to the TC. > >> > >> If the above is acceptable then perhaps I could suggest (and please > >> note, this is just a strawman for discussion, not an official OASIS > >> proposal) that we delete some portion of the address after the @ sign. > >> We could delete all of it, leaving just "duane@", for example, but > >> then we loose any idea about what company Duane was at, whether Yellow > >> Dragon or Adobe (and it may be important for IPR reasons to know). So > >> maybe we could leave the first couple of characters after the @ sign, > >> resulting in "duane@ye" or "duane@ad". If we left three characters > >> then we'd get "sun" and "ibm" etc. which would make it possible to > >> reconstruct the address. But then again with only two we would get "hp". > >> > >> So, any comments on whether it should be a requirement for a human to > >> still be able to figure out the email address? And, if that's not a > >> requirement, what do you think of my above suggestion? > >> > >> -Karl > >> > >> p.s. Duane, I hope you don't mind me using you as the example :-) > > > > > -- > ================================================================= > Karl F. Best > Vice President, OASIS > office +1 978.667.5115 x206 mobile +1 978.761.1648 > karl.best@oasis-open.org http://www.oasis-open.org > >
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]