[Mailman-Developers] Re: Opening up a few can o' worms here...

[Ka-Ping Yee]

On Mon, 29 Jul 2002, Chuq Von Rospach wrote:
> Hard to read isn't enough. That was the essential failing of slashdot's
> attempt to do the "we'll choose a random algorithm for the address". It
> forgets that spammers don't need to read it all the time. It only needs to
> read it ONCE. So "hard to read" merely slows them down, once they decide to
> start harvesting that stuff. It doesn't stop them, and since it's all
> automated, they don't care if it takes them ten passes across your system to
> get 50% of your addresses or 5 passes to get 80%. They still win.

I think they'd hardly be able to get any.  Have you really thought about
how hard this would be?  Why would they bother to invest the enormous
development effort to make this work for the one or two addresses they
*might* get, along with a large number of misread addresses?

> In other words, that's no solution at all. Just a delaying tactic. And the
> more people who adopt it, the faster it'll get cracked by the bots.

No, the simple textual obfuscation methods are what count as delaying
tactics.  A human can look at "barry at zope dot org" just once and
write down a program for detecting and reconstructing the e-mail
address.  The "secret" is just the fact that "at" is used to stand
for "@", etc.  Once the secret is known, the algorithm is trivial.

In the image case, there is no secret.  Nobody knows how to program a
computer to read as well as person can -- not to mention, to be able
to distinguish a picture containing letters from a picture of anything
else.  (And when they can, they'll probably be intelligent enough to
defeat any other privacy technique anyway.)  Serious research work
would have to be done to solve the problem, and that's many years away.

> > Just to give you an idea of what tricks are possible: a GIF can
> > contain many different colour table entries that map to almost the
> > same colour; the background can be patterned; the text can be
> > distorted or blurred; the text can be drawn shadowed or embossed;
>
> And I'll bet in most of those situations, you just made your web site
> none-ADA compliant. Which means it's a no-go for a lot of sites where
> accessibility is necessary. Actually, now that I think about it, the simple
> use of the graphic iwthout an acceptable ALT tag (which defeats the purpose
> of the graphic) makes this non-compliant with ADA for sight-limited people
> who use reader apps.

That argument is a red herring.  A site with images for the e-mail
addresses (and ALT tags that did not reveal e-mail addresses) would
certainly be no less accessible than one that omitted the e-mail
addresses altogether.


-- ?!ng

"You should either succeed gloriously or fail miserably.  Just getting
by is the worst thing you can do."
    -- Larry Smith