On Tue, Jan 13, 2009 at 05:19:01PM -0800, JC Dill wrote:
RSK wrote:
3. But it's utterly pointless to obfuscate addresses in such archives: spammers have long since set up quite efficient methods of harvesting any address used on any public mailing list or Usenet newsgroup. [1] The only people meaningfully impeded by these futile attempts at obfuscation are legitimate senders.
Rich, I know that spammers can get an address by subscribing and scarfing the emails that are used to post to the list. I just don't want to see it be made any easier for them by idiots making their own public web archives (when this list already has a web archive) and then not obfuscating the email addresses. As you and others have also noted, that's just plain rude.
To be clear: I think setting up an unauthorized public archive of a mailing list, with or without email addresses, is rude. (I _might_ consider rare exceptions, such as very old mailing lists of historical interest whose owners are no longer around, but that's clearly not the case here.) List-owners should always be asked for their permission.

But as far as making it easier for spammers: we're talking about the difference between lifting their pinky finger half a millimeter and grinding out, with tortuous effort, an entire millimeter.

"Professional" address harvesters don't need and largely don't care about web-based archives: it's much simpler, easier and faster for them to go directly to the source and receive (so to speak) real-time feeds of valid addresses, which, as a bonus, come with "last time known-valid" data as well. Those feeds come from list subscriptions, NNTP feeds, malware infections, and other sources.

So any address which:

- is used on any public mailing list
- is used in any Usenet newsgroup
- is used to send mail to anyone who reads it on a Windows box
- is used to send mail to any mail server running on a Windows box

is going to be harvested -- it's only a question of when, and from there, it's only a question of when spammers will start trying to deliver to it. (Which probably means "shortly after they buy the latest address collection from the harvesters". The increasing division of labor and sophistication of the abuse industry has led to niche roles, i.e., it's cheaper and easier for spammers to just buy addresses than to do their own harvesting.)

The best working assumption to make is that any email address that's actually used is going to be a target, and plan defenses accordingly.

Once again, security by obscurity does not work -- which is why there is zero point in obfuscating addresses in list archives.

---Rsk