On 04/06/2023 21:48, Brian E Carpenter wrote:
On 04-Jun-23 22:18, Alessandro Vesely wrote:
On Sun 04/Jun/2023 03:41:07 +0200 Brian E Carpenter wrote:
On 04-Jun-23 11:45, John R Levine wrote:
but we're in the US. Do we have a policy on third parties using our
data
for their own purposes?
Is it realistic to even have such a policy? Do we think the serious
spammers would either know or care?
Did you and John mean "we in the US" or "we at IETF"?
I can't speak for John, but I meant "we at the IETF". And answering my own
question, of course the spammers simply do not care whether they are
allowed
to use our data or not.
I didn't even know there
are APIs to exfiltrate email addresses from the datatracker...
There's this protocol called IMAP. All these addresses are somewhere in
the mail archives.
And there used to be a (very good) protocol called POP so that anyone
can subscribe to a list and receive posts thereto and in the case of the
IETF, authentication for a subscription to a list (three-way handshake)
is minimal so most spammers will be able to subscribe to whatever they
like. They then receive all the posts and can harvest the addresses of
the senders and addressees from the mail headers.
They are also very meticulous. I have an address which, having
subscribed to an IETF list with, I never use to make posts and never
received spam on it until a third party in the IETF included that
address as a cc: in a post; and now I get spam on that address so having
the address (mis-)used just the once would seem to be enough for the
evil actors to obtain it and use it.
By contrast, I used to get spam from an ISP where the to: was a list in
alphabetic order of a small extract from what I took to be a list of
users of that ISP which said to me that that ISP had been hacked for
that list of users.
Tom Petch
Regards
Brian