roguemoko at roguemoko at
Fri Jan 30 10:58:53 CET 2009

Stroller wrote:
> On 28 Jan 2009, at 09:56, Jan Henkins wrote:
>> ...
>> There is another situation that I find to be a worry: In order to send
>> mail to this list you have to have a registered address.
>> ... but it could have been anybody else who have sent an email to the
>> list. Looking in the list archives I can see that not enough is being done
>> to obscure sender addresses. Currently the only thing that is being done
>> is to replace the "@" with a "<space>at<space>". So "dorian at"
>> would become "dorian at". Sweet! Armed with wget to leech all the
>> archives, a few text tools (grep, Perl, Python, etc) and I can build up a
>> list of addresses (almost 100% confirmed working addresses) that could be
>> used for various spamming activities. A list of active addresses is worth
>> money too! ;-) So what I suggest is that the list administrators obfuscate
>> list members' addresses even more. MailMan's Pipermail archiver can do
>> this if properly set up.
> Surely the traditional mailing list problem remains - subscribers to  
> the list will still receive messages with the full from address  
> intact. Or do you intend to obfuscate that, too? Surely a spammer can  
> just subscribe to the list to obtain all our addresses?
> Obfuscating email addresses on the web archive is, IMO, no substitute  
> for sensible policies (greylisting, RBL, SFF?) at your incoming mail  
> server.
> Stroller.

I think all are good ideas so far. With the problem at hand, SPF deals 
specifically with the relaying and reception of forged emails. Although 
the most relevant solution, there's still a lot of people not using it 
so success varies and it also forces some requirements on the users of 
the domain. Being 'open' pioneers, it'd be nice to have.

From experience, greylisting, helo and RBL rejections are equal to, if 
not at some points greater than, the amount of flagged spam I receive. 
They're also the kind of techniques that subtly force other admins to 
fix their servers. Any issues I've had have been outweighed by the benefit.

I see the web side of things more about being considerate, not so much 
an obligation. If it was a forum I'd care but I completely agree with 
Stroller. Short of removing the addresses from the emails, I can't 
imagine much else you could do (and I'm not suggesting that btw ;).

