Re: [chairs] SPAM

["David RR Webber" <david@drrw.info>]

Karl,

What I was thinking is dumping a simple XML file out with
email address + sequence number - and reading that into
memory as a part of the archive generator - and drive
the search/replace that way.

Simple thing to update that XML file when a member joins
or changes email address by re-running that dump to
the XML flatfile.

DW.

----- Original Message ----- 
From: "Karl F. Best" <karl.best@oasis-open.org>
To: "David RR Webber" <david@drrw.info>
Cc: "Eve L. Maler" <Eve.Maler@Sun.COM>; <chairs@lists.oasis-open.org>
Sent: Tuesday, April 13, 2004 12:20 PM
Subject: Re: [chairs] SPAM


> David:
>
> I like the idea. It would require a bit of extra processing for each
> message to match the sender with the Kavi database. The big problem,
> though, is that we don't have membership numbers; the "key" or unique
> identifier in the database is the email address.
>
> But this might have some merit anyway. We'll think about what might be
> possible.
>
> -Karl
>
>
> David RR Webber wrote:
> > Karl,
> >
> > Replacing the address with the OASIS # satisfies your
> > requirement.  It's basically impossible since there is
> > no correlation.
> >
> > The only way back is if you have the OASIS membership
> > / number xref list.
> >
> > My guess is you could setup a simple Java program or
> > XSLT script to do this replacement stripping...
> >
> > DW.
> >
> > ----- Original Message ----- 
> > From: "Karl F. Best" <karl.best@oasis-open.org>
> > To: "Eve L. Maler" <Eve.Maler@Sun.COM>
> > Cc: <chairs@lists.oasis-open.org>
> > Sent: Tuesday, April 13, 2004 12:10 PM
> > Subject: Re: [chairs] SPAM
> >
> >
> >
> >>Yeah, we thought about something like that, i.e. replacement of the
> >>address with some sort of code. But in order to be effective it must be
> >>costly (i.e. impossible for a machine, requires a human) to re-convert
> >>large quantities of addresses, but simple for a human to re-convert a
> >>single address.
> >>
> >> From the first Slashdot example, at least, it would be simple for a
> >>human to look at the address and create a simple rule for how to
> >>recreate the original.
> >>
> >>-Karl
> >>
> >>p.s. <chuckle> the rotating banner at the top of the Slashdot page when
> >>I viewed it was an O'Reilly ad for a book on creating spiders and
> >>bots... </>
> >>
> >>
> >>
> >>
> >>Eve L. Maler wrote:
> >>
> >>>Why not just use a mechanistic, but variable, means of disguising the
> >>>email address the way Slashdot does?  An example appears here:
> >>>
> >>>  http://slashdot.org/comments.pl?sid=103884&cid=8848779
> >>>
> >>>The email link shows up as:
> >>>
> >>>  mailto:heironymouscoward%40yah%5B%20%5Dcom%20%5B'oo.'%20in%20gap%5D
> >>>
> >>>A human can decode this as necessary, but a machine has a much tougher
> >>>time.  Here's another:
> >>>
> >>>  http://slashdot.org/comments.pl?sid=103883&cid=8848358
> >>>
> >>>The email link shows up as:
> >>>
> >>>  mailto:dgorman%40nosPaM.arete.cc
> >>>
> >>>Etc.  I believe the engine behind Slashdot is open-source, so maybe
that
> >>>(or part of it, anyway) can be used.  Though I wonder about its
> >>>effectiveness if a spammer can locate all the disguise techniques in a
> >>>file somewhere...
> >>>
> >>>    Eve
> >>>
> >>>Karl F. Best wrote:
> >>>
> >>>
> >>>>Chairs:
> >>>>
> >>>>I'll open another can of worms and jump into this :-)
> >>>>
> >>>>I agree with you wholeheartedly, Duane, that this is a problem. I'll
> >>>>bet that I get more spam than you do (few hundred a day). And I have
> >>>>no doubt that all this is because of spammers harvesting addresses
> >>>>from our list archives.
> >>>>
> >>>>Of course a knee-jerk reaction would be to close off the archives so
> >>>>that nobody can get to them, but given that the OASIS philosophy is
> >>>>openness and accountability we need to keep things open and
accessible.
> >>>>
> >>>>There seems to be two possible solutions: either disguise the
> >>>>addresses stored in the archives, or to somehow block access so that
> >>>>only a human can get through. (I don't think that we want to go down
> >>>>the path of an offensive strategy such as what Duane suggests.)
> >>>>
> >>>>Lacking a foolproof Turing test to allow only human access to the
> >>>>archives, I think the best and easiest solution will probably be to
> >>>>disguise the email addresses attached to each message so that whatever
> >>>>is harvested in unusable by spammers. The disguise would have to be
> >>>>such that the harvester would not be able to accurately or easily
> >>>>recreate the address. Obviously substituting the word "at" for the @
> >>>>sign isn't going to fool anybody for very long. But whatever we do may
> >>>>not disguise the actual identity of the sender; we need to know who
> >>>>sent the message.
> >>>>
> >>>>A final question is whether it is necessary for a person to be able to
> >>>>respond to a message he found in the archives; i.e. does the guy on
> >>>>the street need to be able to figure out how to respond to Duane when
> >>>>he reads something thet Duane wrote? Perhaps this requirement is not
> >>>>so important, as TC members already know how to respond to the TC
> >>>>list, and the guy on the street is already given instructions for
> >>>>sending a comment to the TC.
> >>>>
> >>>>If the above is acceptable then perhaps I could suggest (and please
> >>>>note, this is just a strawman for discussion, not an official OASIS
> >>>>proposal) that we delete some portion of the address after the @ sign.
> >>>>We could delete all of it, leaving just "duane@", for example, but
> >>>>then we loose any idea about what company Duane was at, whether Yellow
> >>>>Dragon or Adobe (and it may be important for IPR reasons to know). So
> >>>>maybe we could leave the first couple of characters after the @ sign,
> >>>>resulting in "duane@ye" or "duane@ad". If we left three characters
> >>>>then we'd get "sun" and "ibm" etc. which would make it possible to
> >>>>reconstruct the address. But then again with only two we would get
> >>>
> > "hp".
> >
> >>>>So, any comments on whether it should be a requirement for a human to
> >>>>still be able to figure out the email address? And, if that's not a
> >>>>requirement, what do you think of my above suggestion?
> >>>>
> >>>>-Karl
> >>>>
> >>>>p.s. Duane, I hope you don't mind me using you as the example :-)
> >>>
> >>
> >>-- 
> >>=================================================================
> >>Karl F. Best
> >>Vice President, OASIS
> >>office  +1 978.667.5115 x206     mobile +1 978.761.1648
> >>karl.best@oasis-open.org      http://www.oasis-open.org
> >>
> >>
> >
> >
> >
> >
>
>
> -- 
> =================================================================
> Karl F. Best
> Vice President, OASIS
> office  +1 978.667.5115 x206     mobile +1 978.761.1648
> karl.best@oasis-open.org      http://www.oasis-open.org
>
>