[ale] Webcrawlers can harvest ALE Archive E-mail Addresses

Jim Popovitch jimpop at yahoo.com
Fri Feb 11 00:49:13 EST 2005


On Fri, 2005-02-11 at 04:35 +0000, Greg Sabino Mullane wrote:
> Jim Popovitch wrote:
> > Ahhh, the signs of newbieness in spring.  ;-)
> 
> Ummm..yeah, whatever. Ad hominem attacks seem out of place here,

LOL!  Out of place? You really MUST be new here.  :-)

> especially such a non-relevant one.

Isn't that an ad hominem attack?  See, I just have a tougher skin than
you.  I'm :-)'ing at this.

> > Dude, things that can be obfuscated can also be un-obfuscated.  Again,
> > there is NOTHING (short of elimination) that you can do to prevent an
> > email address, on a public archive, from being harvested.
> 
> So that means nothing should be done? 

No.  That means it's not something a few people on a Linux mailing list
are going to solve.  It's a MUCH bigger issue and others are actively
working on it.  You, starting now, are already behind the Microsoft team
in implementing a solution (not to imply I favor theirs).

> You do what you can, not what you are sure will be 100% effective. 

For my personal email I let Yahoo! handle it.  They do a near perfect
job.  Every now and then one or two get through, but it doesn't bother
me.  Google does a good job too.  The company I work for uses
MessageLabs, they too do a quality job.  The mailing lists that I host
use SpamAssassin, ClamAV, and a few select RBLs.  Due to work, testing,
and personal emails, every day I get close to 1000 emails (no, I don't
read them all) through 3 distinctly different systems.  I am 100%
satisfied with the spam solutions in place.

> Just because a spammer *may* be able (and willing) to de-obfuscate a 
> page does not mean that they all will every time. 

Only one has to do it one time.  After that the cat is out of the bag
and your email address is sold.  Harvesters don't work to peddle their
own products, they work to peddle yours.

> Hence, instituting this is very likely to reduce your total amount of
> spam. 

See comment above, I don't get spam, or rather there are systems in
place that catch it.  Today Yahoo! caught close to 400.  Yesterday it
was about 190.

> That's the goal of all spam fighting measures.  Nobody is arguing that 
> obfuscation is a totally effective solution that can never be thwarted.

True. But one needs to address the buck-for-benefit factor before truly
being considered a valid contributor on this topic.  What you are
proposing is a half-step with a steep cost in time and maintenance.

> A simple obfuscation would certainly help the original poster out,
> because their email is only unobfuscated in the ale archives, and a
> "bare" email address is going to receive more spam than an obfuscated
> one.

LOL!  You just don't get it.  The email is in more places than the ALE
archive.  NO ONE, repeat NO ONE, has yet to prove that email addresses
in the ALE archive are in fact harvested from the ALE archive.  There
are just TOO many other ways, most much easier, to get email addresses.
Look no further than the recent indictment of an AOL employee for
selling email addresses.  You would be a fool to not realize that the
same sort of fraudulent behavior has already been happening inside
every other ISP.

The problem is not that email addresses are in public, nor that they can
be sniffed, nor that they can be sold, nor that they can be brute
forced.  The problem is in mailservers not being able to determine the
validity of the sender.

-Jim P.





