Message-Id: <6.0.3.0.0.20040414202651.0316cde8@mail.qos.ch>
Date: Wed, 14 Apr 2004 20:42:34 +0200
To: community@apache.org
From: Ceki Gülcü
Subject: RE: Mailing lists hiding sender's address?

At 05:25 PM 4/14/2004, you wrote:
> > Do we have any mechanism for hiding or otherwise obfuscating
> > the email address of senders to our list?
>
>No. The raw mbox archives show everything, as do the eyebrowse archives.

Thanks for the info.

>So why not obfuscate? Even if we were to do so, any spammer could subscribe
>to our lists, and simply harvest sender addresses, unless we hide them and
>enforce reply-to-list behavior. So at least one question is whether the
>effort is worth the payoff.
>
> --- Noel

By obfuscation I obviously mean a transformation which is easy for a
human to decipher but difficult for a machine. Two things that machines
are unable to do as well as human beings are image recognition and
language understanding.

So instead of writing an email address such as jones@foo.bar.com as is,
one can write

1) j o n e s @ f o o . b a r . c o m (note the extra spaces)
2) jones at foo . bar . com (read 'at' as '@')
3) jones AT foo DOT bar DOT com (read 'AT' as '@' and DOT as '.')
4) user=jones, domain=foo.bar.com
5) j|o|n|e|s||foo|bar|com (read '||' as '@', remove '|' in the user part
   and replace '|' with '.' in the domain part)

The number of variations is quite high. Thus, we can allow users to
respond directly to the sender of a post but still make it hard for
spammers to mass-collect poster email addresses.

In a more elaborate variation of this theme, one subscribes to a mailing
list under the regular email address but posts under a fake address such
as "jones-autoreply@foo.bar.com". This is possible if the autoreply
address is added as an allowed alias to the list. The list moderator can
do this, so can the user herself! See 2.4 Adding subscriber aliases in
the ezmlm manual at

  http://www.ezmlm.org/ezman-0.32/ezman2.html

Now, if any person tries to write to the visible address
"autoreply-jones@foo.bar.com", they get a reply such as

   Hello,

   This is an automatic email responder acting on behalf of Mr. Jones.
   You have recently sent an email to one of his autoreplying email
   addresses.

   If you are a real person trying to reach Mr. Jones, then please
   redirect your message to:

     j o n e s @ f o o . b a r . c o m (note the extra spaces)

   The above address is the only one that is valid. His other email
   addresses receive way too much rubbish forcing him to resort to this
   rather aggressive filtering method.

   If you are a real person trying to conduct legitimate correspondence,
   please accept our apologies for this impersonal response.
   Thank you for your understanding.

   A copy of your original message is included below:
   *********************************************************************

   COPY OF ORIGINAL MESSAGE

I have implemented such an autoresponder using procmail. I am including
it for your convenience.

# Start .procmail file for jones-autoreply@foo.bar.com

# ****** WARNING * WARNING * WARNING * WARNING *
## I am not really experienced with procmail. This works for me
## but may be buggy, or even very buggy.

PMDIR=$HOME/Procmail
LOGFILE=$PMDIR/pmlog

# To insert a blank line between each message's log entry,
# uncomment next two lines (this is helpful for debugging)
LOG="
"
VERBOSE=yes

DATE=`date +%Y-%m-%d_%H_%M_%S`
TMP_RESP=$PMDIR/temp/response-$DATE

# Reply to sender of message to "autoreply" stating that
# Include original message watch for user loops
# The X-Loop value tested here must be the same one that
# formail adds to the reply below, or loops go undetected.
:0 w
* ^TO_.*jones-autoreply@foo.bar.com
* !^X-Loop: foo\.bar\.com
* !^FROM_DAEMON
{
   # Start a Redirection lock
   LOCKFILE=$PMDIR/redirect.lock

   # Build the reply header, then append the canned reply text
   :0 chw
   | formail -r -A"Precedence: junk" -A"X-Loop: foo.bar.com" -A"From: bounce@foo.bar.com"> $TMP_RESP; cat $HOME/.redirect.msg >> $TMP_RESP;

   # Append a copy of the original message, capped at 512 lines
   :0 cw
   | formail -k -X"To:" -X"Subject:" -X"From:" -X"Date:"|head -512 >> $TMP_RESP

   # Consume the original message and send the reply
   :0 hw
   | cat > /dev/null; /usr/sbin/sendmail -oi -t < $TMP_RESP

   # Release the lock
   LOCKFILE
}

# On mails coming from the mail daemon, check if it
# is a failed reply to a previous redirect message
# Most spammers use invalid email addresses...
:0
* ^FROM_DAEMON
{
  # Check the body
  :0B
  * ^X-Loop: foo\.bar\.com
  * ^Precedence: junk
  * ^A copy of your original message is included below:
  /dev/null
}
# End of .procmail file

In case you cannot add a fake Unix user, ask your system admin to create
an alias that redirects to your real email address. In your .procmailrc
you can check whether the message is for you or for your autoreply
alias. If it is for your autoreply alias, just reply as shown above.
In summary, the above technique should work provided that you can use
procmail and have an autoreply alias redirected to your real account.
There are redirection services which do just that. Thus, I think all you
need is procmail.

I am using the technique described here to send this message. Using the
autoresponder technique described here, one can remain invisible to
spammers while still being able to conduct legitimate correspondence.

Your comments are welcome.

-- 
Ceki Gülcü

      For log4j documentation consider "The complete log4j manual"
      ISBN: 2970036908 http://www.qos.ch/shop/products/clm_t.jsp
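
The decision logic of the two procmail recipes in the message above, re-expressed in Python so it can be run against test mail before an autoresponder is deployed. This is an added example, not part of the original message. It assumes a single X-Loop tag value (`foo.bar.com`), uses a simplified stand-in for procmail's `^FROM_DAEMON` expression, and all sample messages are constructed.

```python
import email
import re

ALIAS = "jones-autoreply@foo.bar.com"  # alias used in the message above
LOOP_TAG = "foo.bar.com"               # assumed X-Loop value
MARKER = "A copy of your original message is included below:"
# Simplified stand-in for procmail's much longer ^FROM_DAEMON regex.
DAEMON_RE = re.compile(r"mailer-daemon|postmaster|bounce|daemon", re.I)

def from_daemon(msg):
    """Approximate ^FROM_DAEMON: bulk precedence or a daemon-like sender."""
    if re.search(r"junk|bulk|list", msg.get("Precedence", ""), re.I):
        return True
    return any(DAEMON_RE.search(msg.get(h, ""))
               for h in ("From", "Sender", "Return-Path"))

def classify(raw):
    """Return 'autoreply', 'discard' or 'deliver' for one raw message."""
    msg = email.message_from_string(raw)
    body = msg.get_payload()
    to_alias = any(ALIAS in msg.get(h, "") for h in ("To", "Cc"))
    looped = LOOP_TAG in msg.get("X-Loop", "")
    daemon = from_daemon(msg)
    if to_alias and not looped and not daemon:
        return "autoreply"
    # A bounce of our own reply quotes the headers and text we sent.
    tags = (r"^X-Loop: " + re.escape(LOOP_TAG), r"^Precedence: junk",
            "^" + re.escape(MARKER))
    if daemon and all(re.search(t, body, re.M) for t in tags):
        return "discard"
    return "deliver"

# Constructed sample messages (not taken from the original post).
HUMAN = f"From: alice@example.org\nTo: {ALIAS}\nSubject: hi\n\nHello Jones\n"
LIST_MAIL = (f"From: bob@example.org\nTo: {ALIAS}\nPrecedence: bulk\n"
             "Subject: digest\n\nList traffic\n")
OWN_REPLY = (f"From: carol@example.org\nTo: {ALIAS}\nX-Loop: {LOOP_TAG}\n"
             "Subject: Re: hi\n\nForwarded back to the alias\n")
BOUNCE = ("From: MAILER-DAEMON@mx.example.net\nTo: bounce@foo.bar.com\n"
          "Subject: Undelivered mail\n\nUser unknown. Original message:\n\n"
          f"Precedence: junk\nX-Loop: {LOOP_TAG}\n\nHello,\n{MARKER}\n")

if __name__ == "__main__":
    for name in ("HUMAN", "LIST_MAIL", "OWN_REPLY", "BOUNCE"):
        print(name, "->", classify(globals()[name]))
```

Only the human message triggers a reply; list traffic and a message already carrying the X-Loop tag fall through to normal delivery, and a bounce of the responder's own reply is dropped.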