www-community mailing list archives

From Martin Cooper <mart...@apache.org>
Subject RE: Mailing lists hiding sender's address?
Date Wed, 14 Apr 2004 21:24:45 GMT
On Wed, 14 Apr 2004, Noel J. Bergman wrote:

> > By obfuscation I obviously mean a transformation which is easy for a
> > human to decipher but difficult for a machine.
> I understood.
> Based upon testimony from Ron Scelson, I believe that the spam industry has
> grown to about US$1 billion per year.  How much effort do you think is being
> invested if there is that much money at stake?  FWIW, the anti-SPAM industry
> is also huge.  There is a 2 - 3 US$Billion vested interest in spam.
> > So instead of writing an email address such as jones@foo.bar.com as
> > is, one can write
> > 1) j o n e s @ f o o . b a r . c o m   (note the extra spaces)
> > 2) jones at foo . bar . com  (read 'at' as '@')
> > 3) jones AT foo DOT bar DOT com (read 'AT' as '@' and DOT as '.')
> These are commonly done and trivially recognizable by a spider.
> Remember the amount of money at stake.  If you had no morals, how much would
> you need to be paid to write a parser that would parse text and pick out
> potentially valid e-mail addresses?  There is so much money involved in spam
> that it now seems to have evolved into organized crime.

I have to agree with Noel here. I used to work for a company that sells
anti-spam (or more generally, anti-mail-problem) software. They have a
team of people in Eastern Europe who spend their lives analysing all of
the latest spam, using many different techniques, and providing
sometimes-daily updates to the software, with new schemes to catch the new
schemes the spammers come up with. It seems clear to me that the spammers
must have parallel teams of people who spend their lives coming up with
new ways to circumvent the mechanisms that foiled their old schemes, and
so on and so on.

I'd say that any obfuscation scheme that would be easily interpreted by a
human will not take long for spammers to work around, as soon as it
becomes worth their while. This is especially true for text-based
obfuscation, but even the use of images (e.g. GoDaddy's mechanism to
protect domain registration details) is no longer enough to foil the
determined spammers out there.

Martin Cooper

> see: http://spam.weblogsinc.com/entry/5067632429786165/
>      http://www.accountancyage.com/News/1135797
>      http://www.detnews.com/2004/technology/0402/14/technology-63815.htm
> > 4) user=jones, domain=foo.bar.com
> > 5) j|o|n|e|s||foo|bar|com (read '||' as '@', remove '|' in the user
> > part and replace '|' as '.' in the domain part)
> Those would be less likely to be recognized, unless they became common.  Any
> commonly used pattern would be added to spiders.
> > Thus, we can allow users to respond directly to the sender of a post
> > but still make it hard for spammers to mass-collect poster email
> > addresses.
> You mean that the user will have to correct every reply address by hand?
> That would just annoy people, and encourage them to participate elsewhere.
> And any pattern that is common enough to be supported by an MUA would be
> added to the next generation of spiders.
> > In a more elaborate variation of this theme, one subscribes to a
> > mailing list under the regular email address but posts under a fake
> > address such as "jones-autoreply@foo.bar.com".
> > Now, if any person tries to write to the visible address
> > "autoreply-jones@foo.bar.com", they get a reply such as
> > ...
> >    please redirect your message to:
> >       j o n e s @ f o o . b a r . c o m  (note the extra spaces)
> > ...
> See www.tmda.net.  There is already a TMDA mechanism that works by bouncing
> the first post from a sender and requiring manual response.  Spammers can
> handle them, too, if they want, although the theory is that spammers don't
> leave mailboxes around for long to receive and process such bounces.  On the
> other hand, a lot of people receive TMDA bounces and just say that it isn't
> worth communicating with the person.
> Such strategies are more bothersome for legitimate mail users than spammers.
> 	--- Noel
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: community-unsubscribe@apache.org
> For additional commands, e-mail: community-help@apache.org

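An added example, not part of the original message or of any Apache tooling: a small audit an archive maintainer could run to see which of the five masking schemes quoted in the thread survive a generic text clean-up. The function names and the `SCHEMES` table are assumptions made for this illustration; the sample strings are the thread's own `jones@foo.bar.com` forms.

```python
import re

# Plain address shape, applied only after normalization.
ADDRESS = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")

# Constructed samples: the five masked forms of jones@foo.bar.com from the thread.
SCHEMES = {
    1: "j o n e s @ f o o . b a r . c o m",
    2: "jones at foo . bar . com",
    3: "jones AT foo DOT bar DOT com",
    4: "user=jones, domain=foo.bar.com",
    5: "j|o|n|e|s||foo|bar|com",
}

def normalize(text):
    """Generic clean-up pass; it contains no rule written for one scheme."""
    # Join runs of three or more single characters separated by single spaces.
    text = re.sub(r"(?<!\S)(?:\S ){2,}\S(?!\S)",
                  lambda m: m.group(0).replace(" ", ""), text)
    # Spelled-out separators, any case: ' at ' -> '@', ' dot ' -> '.'.
    text = re.sub(r"\s+at\s+", "@", text, flags=re.IGNORECASE)
    text = re.sub(r"\s+dot\s+", ".", text, flags=re.IGNORECASE)
    # Drop whitespace left around '@' and '.'.
    return re.sub(r"\s*([@.])\s*", r"\1", text)

def recover(masked):
    """Return every plain-looking address found after normalization."""
    return ADDRESS.findall(normalize(masked))

def audit(original, schemes=SCHEMES):
    """Map scheme number -> True if the masked form gives back the original."""
    return {n: original in recover(m) for n, m in schemes.items()}

if __name__ == "__main__":
    for n, leaked in audit("jones@foo.bar.com").items():
        status = "recovered" if leaked else "not recovered by the generic pass"
        print(f"scheme {n}: {status}")
```

Schemes 1 to 3 come back in the clear; 4 and 5 do not, but only because this pass has no rule for them.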