[Mailman-Developers] Proposed: remove address-obfuscation code from Mailman 3

Rich Kulawiec rsk at gsp.org
Mon Dec 7 03:03:58 CET 2009


On Tue, Aug 25, 2009 at 06:39:29AM -0400, Barry Warsaw wrote:
>> So you can explain why, in theory and in practice, obfuscation doesn't
>> work.  But the user base will (stubbornly, if you like) refuse to
>> accept your logic.
>
> As usual, Stephen hits the nail on the head.
>
> I can't disagree with much in Rich's post, and yet it's likely that  
> we'll still obfuscate and/or conceal email addresses in the archives  
> because users will demand it.  You can and should educate them, but this 
> is not a battle I wish to fight because I think we can't win it.

I've thought this over for quite some time (obviously), and have done
some homework elsewhere to ascertain whether both Stephen's and your
(Barry's) comments are accurate.  They are. Very much so.

There now exists a "cargo cult" mentality which insists that obfuscation
has some anti-spam/security value, in spite of overwhelming evidence and
experience that conclusively proves it has none whatsoever. 

(As an aside, not to either of you but in response to other comments
in the thread, I'm well aware of the concept of defense-in-depth and
practiced it years before the term became common.  But for any measure to
be part of defense-in-depth, it must first qualify as a defense, albeit
perhaps a weak or half-hearted one.  Address obfuscation obviously fails
to clear this bar, even as low as it's set.)

I don't know how to dispel this widely-shared delusion.  It may not be
possible, at least in the near future.  And it's probably not the role
of Mailman's (or any other software package's) developers to tackle this
issue; there's only so much policy that can be promulgated by code.

I think perhaps the best that can be done is to insert a statement in
Mailman's documentation indicating that this measure is provided for
people who want to use it, but that it really has zero value.  Whether or
not y'all want to do that is of course up to you, but I think at least
a nod to reality in the documentation might get some of the better
mail system admins to at least start thinking about the issue.  And maybe
that's the best that can be done for now.

---Rsk

