[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Poll: Should mhonarc.org mail archives hide mail addresses



On January 2, 2004 at 20:57, Chuq Von Rospach wrote:

> maybe. Or maybe you do the work and find you merely made it harder, so 
> they had to throw another thousand machines at the problem. Which they 
> happily can. My argument is that anything that "solves" the problem 
> through computational complexity doesn't really solve it, not when the 
> enemy can write trojan horses that can link hundreds of thousands of 
> machines together and control what they do. Asking them "hey? want the 

You are mixing two problems.

As for more machines, that increases the cost to spammers, which many
anti-spam proposals attempt to do, like hashcash.  I.e.  Spammers do
what they do because it is cheap.  If you can increase the cost of
sending, it will eliminate much spam.

As for trojans/worms/viruses, that is criminal activity and laws
already exist to deal with it, so only criminal-minded spammers
will attempt such things, and even for those that do, there are
technical measures to mitigate the damage.  For example, ISPs
block SMTP traffic from personal home-based customers.

> data this much? how about this much?" is a waste of resources and 
> creates a false sense of security. and it might work -- now -- but for 
> how long? Better to look for solutions that don't use the phrase "fixes 
> it for now" in them, and not have to re-engineer again down the road 
> when the spammers get around to cracking it.

I basically agree, therefore, I find it futile to bother obfsucating
my address.  The cost of dealing with spam is low for me while
obfsucating my addresses and making it more difficult for people to
contact me is not worth the cost.

> since privacy of e-mail addresses has become such a hot button because 
> of the spammer issue, I think you need to think about how your tools 
> are contributing to users being harvested by spammers, and how you can 
> set an example to try to solve those problems. not that this is a 
> problem you caused, but you have opportunities here to help change 
> mindsets around the net by defining a new acceptable standard for how 
> archives handle this data -- this problem found you, but it still needs 
> to be solved.

I think handling of addresses in archives is per-archive maintainer
issue since each maintainer will have a different set of requirements,
goals, and policies.  MHonArc should allow archive maintainers to
exercise any policies they choose, not dictate them.

IMO, obfsucation techniques are generally futile, but it is not my
role to make that judgement for others if others obtain a benefit
from doing it and believe they are effective.

> > The only thing relevant to MHonArc is that it allows users to
> > apply whatever solutions they want.
> 
> And you, as it's author and developer and voice, are the person who 
> needs to help people understand how to use it properly and safely. if 
> they choose to ignore you, shame on them. If you don't give them that 
> information, then how can they hope to figure it out on their own?

Right now, my policy of the mhonarc.org archives is to keep it open.
But it is important that potential posters are properly informed
of this.

Therefore, I have to be convinced to change the way mhonarc.org
archives are formatted, which would require a good number of people
responding to me to make a change.  And if that happens, I will
probably take the approach of stripping/masking addresses out vs any
obfsucation since I do not want to bother revisiting the problem as
spammers become more sophisticated.

> > The mhonarc.org lists are not private lists.  MHonArc is an open
> > source project, and all the lists are intended to be as open as
> > possible.

> So you think it's okay to hand all of your subscribers to the spammers 
> in the name of open source?

People can subscribe, but never post.  And since I document that any
posts will be archived in a public matter, it is the choice of the
poster if they want to take the risk of dealing with spam when posting.

The subscriber list itself is not public.

> you can keep the ARCHIVES open, without handing privacy data off to 
> those you can't trust. This isn't an either-or situation. it's a 
> question of how to build things to both protect users from those trying 
> to harm them AND distribute the key information. Both are possible.

Right now, if someone wants their address to be private, than they
should not post to the list, or to any Net-based mailing list for
that matter, since any message to mailing lists can be posted on the
Net by someone.


To summarize, if there is enough demand by users that the lists will
become useless, I will hide addresses.  However, users must realize
that my hiding of addresses on the mhonarc.org archives provides *no
guarantees* that their address will be protected since I do not have
control over what others do to messages sent to the list.  The open
nature of the list provides no false impressions about address privacy
and makes the risks clear to anyone who chooses to post.

--ewh


[Index of Archives]     [Bugtraq]     [Yosemite News]     [Mhonarc Home]