[Mailman-Developers] Almost OT: Re: Opening up a few can o' wormshere...

Michael Meltzer mjm@michaelmeltzer.com
Tue, 30 Jul 2002 16:09:58 -0400


For what it is worth, I think you are off in the wrong direction. You have to
assume the "opposing side" is just as good as you are; any attempt to mask
addresses will fail.

It is like bicycle locks in Manhattan: lock companies came out with all sorts of
"high tech" metal to defeat thieves. It did not work in the end because the
thieves found out that "freezing" them and then hitting them with a hammer
defeated them all (no bike lock has insurance in Manhattan). The answer from the
bike users was to make their bikes not worth stealing :-)

I think it is the same problem here: instead of trying to hide the email
address you should be reducing the value of having the email address. My
first shot at the problem would be:

1) Change all email addresses to an anonymous address that points at the
listserver (virtual tables):
mjm@michaelmeltzer.com->1234-remail@python.org

2) Database email, newemail and the fingerprint of all list members from their
header, IP, Received, software (all stuff that a bulk mailer will not have,
hard/cannot forge), most things not in most archives.

3) If another list member wants to email someone, check the sender's
fingerprints; if that fails, challenge them, including their password. We are
verifying the sender. About the only thing the "opposing side" can do to get
around this is signing up to the list, using a real email account and sending
the bulk mail from the same SMTP server/domain (no value in selling a list).
Even then a simple rate monitor could shut that down pretty quickly (remember
you are seeing all the email to the list members).

4) Can keep multiple fingerprints for multiple machines. Only need one
challenge for an upgrade or ISP change.

5) Remember we are watching the sender, where the problem is; the value of the
email address is close to zero, no problem if someone puts a list in a clear/
unprotected area.

For what it is worth
MJM


----- Original Message -----
From: "Les Niles" <les@2pi.org>
To: <mailman-developers@python.org>
Sent: Tuesday, July 30, 2002 3:12 PM
Subject: [Mailman-Developers] Almost OT: Re: Opening up a few can o'
wormshere...


> On Tue, 30 Jul 2002 07:27:27 -0700 Chuq Von Rospach <chuqui@plaidworks.com> wrote:
> >On 7/30/02 3:41 AM, "Ka-Ping Yee" <ping@zesty.ca> wrote:
> >> I think they'd hardly be able to get any.  Have you really thought about
> >> how hard this would be?  Why would they bother to invest the enormous
> >> development effort to make this work for the one or two addresses they
> >> *might* get, along with a large number of misread addresses?
> >
> >Yes, I have. Because I've seen how the spammers have moved up the technology
> >curve when it suited their purposes.
> >
> >You're depending on not being "the low hanging fruit", so to speak. That's
> >the philosophy behind "the club" for preventing car thefts. That philosophy
> >works only as long as your data isn't valuable enough to be worth the extra
> >effort. Once it does, you suddenly have a protection system that isn't
> >working, but you've created a false sense of security because you think it
> >works. That's worse than having no system, then, because you've stopped
> >being worried about it.
> >
> >> In the image case, there is no secret.  Nobody knows how to program a
> >> computer to read as well as person can
> >
> >Have you seen what the off the shelf OCR systems like OmniPage do these
> >days?
>
> What's more, Gary Kopec and others at Xerox PARC developed OCR
> algorithms that, in many situations, can read much better than a
> person can.  There are practical issues that prevent using these
> algorithms in the typical shrink-wrap OCR applications, but I think
> they'd work pretty well for converting email address images.  There
> are probably one or two dozen people who could implement this in a
> few months, and lots who could do so after reading the papers that
> have been published.  (There is an issue of patent infringement
> that might discourage selling such software, but it would be really
> hard to know that a big harvester was using the algorithms
> internally.)  IOW, Chuq I think you're right on target: Once it
> becomes valuable enough to get around image-encoding of email
> addresses, then it will be done.
>
> Anyone for audio-encoded email addresses?  When it comes to speech
> recognition, computers are definitely much worse than people.
>
>   -les
>
> _______________________________________________
> Mailman-Developers mailing list
> Mailman-Developers@python.org
> http://mail.python.org/mailman-21/listinfo/mailman-developers
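
A sketch of the alias, fingerprint, challenge and rate-monitor steps proposed at the top of this message, added here as an illustration; it is not code from the post or from Mailman. The class `RemailGate`, the /24 match, the hourly limit and the sample addresses are assumptions, and the connecting IP is the one the list server's own SMTP session sees, not a value read from message headers.

```python
import ipaddress
import time
from collections import defaultdict, deque

class RemailGate:
    """Hypothetical gate in front of the list server's alias table."""

    def __init__(self, max_per_hour=20):
        self.alias_to_real = {}               # anonymous alias -> real address
        self.fingerprints = defaultdict(set)  # member -> known fingerprints
        self.sent = defaultdict(deque)        # member -> timestamps of relayed mail
        self.max_per_hour = max_per_hour

    @staticmethod
    def fingerprint(peer_ip, mailer):
        # /24 of the connecting IP plus the mailer header. The mailer header
        # is sender-supplied, so it is only a weak signal beside the IP.
        net = ipaddress.ip_network(f"{peer_ip}/24", strict=False)
        return (str(net), mailer.strip().lower())

    def enroll(self, member, alias, peer_ip, mailer):
        self.alias_to_real[alias] = member
        self.fingerprints[member].add(self.fingerprint(peer_ip, mailer))

    def relay(self, sender, alias, peer_ip, mailer, now=None, password_ok=False):
        """Return (decision, real_recipient_or_None)."""
        now = time.time() if now is None else now
        if alias not in self.alias_to_real or sender not in self.fingerprints:
            return ("reject", None)            # unknown alias or not a member
        fp = self.fingerprint(peer_ip, mailer)
        if fp not in self.fingerprints[sender]:
            if not password_ok:
                return ("challenge", None)     # step 3: ask for the list password
            self.fingerprints[sender].add(fp)  # step 4: remember the new machine
        window = self.sent[sender]
        while window and now - window[0] > 3600:
            window.popleft()                   # keep only the last hour
        if len(window) >= self.max_per_hour:
            return ("throttle", None)          # rate monitor on the sender
        window.append(now)
        return ("deliver", self.alias_to_real[alias])
```
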