On Wed, Jun 07, 2023 at 09:51:02AM +0100, tom petch wrote:
> This prompts me to raise an issue that I have been mulling over for a while,
> which I think of as IETF-facilitated SPAM.

The proper term is "spam", not "SPAM". It is not an acronym and it's incorrect usage to spell it in all-caps. "SPAM" is a trademark of the Hormel Corporation and has nothing to do with email.

> I wonder if others see a similar pattern on the same or a different domain
> name. I assume that the attackers have subscribed to the IETF lists and are
> harvesting addresses but wonder at the use of the domain name in the SPAM.

There are so many ways for spammers to harvest email addresses that unless you have run carefully-controlled experiments using email addresses that have been explicitly created for that task, it is effectively impossible to ascertain which method was used to acquire which address.

In this particular instance, for example, two of the MANY possibilities are (1) attackers subscribed to the IETF lists, as you suggest or (2) the email account of someone who is subscribed to IETF lists has been compromised and attackers helped themselves to everything in it. Given the evidence currently on the table, it is quite impossible to discern which of these two (or others that I haven't enumerated) are in play.

I've done the experiments (mentioned above) for decades and have gained some insight into this matter. Rather than recapitulate all of those at great length, let me give you the bottom line: any email address that you use for general correspondence -- whether to individuals or mailing lists -- CANNOT be successfully withheld from spammers. This doesn't mean that they'll acquire it immediately; it also doesn't mean that they'll acquire it eventually -- after all, they and their software make mistakes. But what it means is that all attempts to stop this from happening (e.g., obfuscating addresses) are pointless and stupid.

Further: any email address that you *don't* use for general correspondence, e.g., a one-off that you use for a specific purpose with a single company or organization, *may* avoid inclusion in spammer databases...for a while. But given that many companies/organizations outsource to spammers, that security breaches happen all day every day, that spammers are willing to pay for this data, etc., there are no guarantees. The only things that using one-offs get you are (a) accountability and (b) the ability to shut the address off without impacting anything else. (And of course (a) is rather limited.)

---rsk