[Mailman-Users] Major problems with privacy and mailman lists and harvesters

Bill Christensen billc_lists at greenbuilder.com
Sat May 24 05:38:47 CEST 2008


When creating archives for one of the lists I run (until recently 
with another listserv software) I wrote a relatively simple 
find/replace grep which replaces the domain names so that email 
addresses become billc at ...  In this case, the list itself is by 
invitation only but the archives are open to all, so the list members 
can figure out who the posters are easily enough and some non-listmembers
may as well, but the spammers won't have a clue.

Having just moved over to Mailman recently I have yet to implement 
that fix on my lists but I hope to do so in the fairly near future.

Another trick that I've used with our web databases is to assign an 
ID to a user and create a spam-resistant mail form which doesn't 
display the email address in the source code, but instead retrieves 
it via the ID behind the scenes when the email is sent.  It's 
probably similar to the Topica method that Michael Welch posted 
about, and it works fairly well for us (though in the last couple of 
weeks someone found their way around it.  I still need to figure out 
the hole and plug it up).

The big problem I see with implementing most of the anti-spam tricks 
I employ as a relatively small web developer on as large a scale as 
incorporating them into Mailman is that with enough motivation and a 
little research a spammer could still script around them and exploit 
Mailman lists, either by harvesting or direct sending.   They're 
typically not overly motivated to do so for our little market, but 
with all the Mailman lists out there it would certainly be a target.


At 11:03 AM -0600 5/23/08, Steve Murphy wrote:
>
>Hello!
>
>I'm quite concerned about what I'm seeing in mailman installations,
>and the amount of spam I've been getting because I participate in
>mailman based lists!
>
>I'm not talking about halting spam that gets submitted to the list
>for mailing. I'm not talking about spambots automatically joining
>the lists and submitting spam.
>
>What I'm concerned about is the fact that email harvesters are being
>given so much information.
>
>I've noticed in the mailman-users archives, that if I view info
>by thread (using the mailman archives as an example,)
>which site is 2.1.10 based,
>that all email addresses are present, but with a simple obfuscation.
>(the "@" has been changed to " at ".) I can't help but to think
>that this simple obfuscation is a joke. Any harvester written in the
>past number of years would be smart enough to capture such accurately.
>
>When viewing the developer's archives, I note that when a message is
>displayed singly, it is common to see [EMAIL PROTECTED]. This is
>much nicer, but I notice that in both archives, a button is provided
>at the bottom of the letter, that submits a form, and gets back
>both a "Found" page, with a mailto: url, and a redirect to a mailto...
>so, an anonymous user can easily get/harvest email addresses by simply
>analyzing the html form.
>
>The gzip'd archives by month for both lists both show all email
>addresses, with the " at " obfuscation.
>
>It seems inconsistent, funny even, that display by thread will show
>individual messages with [EMAIL REMOVED], but the gzip'd archives
>of the same message reveal, really, everything.
>
>And worse... If I really wanted to collect up-to-date juicy email
>addresses, I'd simply subscribe to all the mailman lists I possibly
>could, and route all the incoming messages to harvesters. In **This** case,
>the harvest is bountiful, as most messages arrive totally unfiltered,
>from headers galore bearing bounteous harvests of email addresses
>(for example, the From header), to the user sigs at the ends, with
>reply quotation headers mentioning the source addresses in between.
>
>Within MINUTES of my first posting on asterisk-users, I was getting spam
>on an email address that was brand-new. Since then, the spam volume
>on that email addr just keeps growing.
>
>I keep wondering, which way did they get my email addr?
>But, it doesn't matter. I can't help to think that 'targeted'
>spam mailers both spider the archives and subscribe to the
>lists. The bigger the list's subscription, the hotter an item it is.
>
>So, please, can we apply the [EMAIL PROTECTED] tech to the archives,
>and the outgoing messages, and drop this silly notion that
>the " at " obfuscation is useful? Really, it's totally transparent.
>NO OBFUSCATION is safe in mailman. There's simply too much
>Can we drop the buttons from the archives whose HTML says:
>
><FORM METHOD="POST" ACTION="/cgi-bin/Nomailto.pl">
><INPUT TYPE="HIDDEN" NAME="user" VALUE="barb">
><INPUT TYPE="HIDDEN" NAME="host" VALUE="nleaudiox.com">
><INPUT TYPE="HIDDEN" NAME="subject" VALUE="Re: [Mailman-Developers] 
>Important Mailman 2.1.9 to 2.1.10 upgrade note.">
><INPUT TYPE="HIDDEN" NAME="msgid" VALUE="480E15F1.50200 at nleaudio.com">
>Reply via email to<br>
><INPUT TYPE="SUBMIT" VALUE=" Bob [EMAIL PROTECTED] ">
></FORM>
>
>from which spam harvesters can almost instantly be updated to 
>harvest "barb at nleaudiox.com"
>(modified from the orig to save the innocent author from a deluge of spam, at
>least on **my** account), without even submitting the form!
>
>We need to rethink how we can adequately keep emails out of spammers hands.
>And, yes, it's kinda unhandy to read a message and not be able to
>fire an email off to the author directly. But to make it easy for list
>subscribers is to make it easy for spammers, who probably have already
>joined the list, and are delighted to get email addresses, any which way
>they can.
>
>Most discussion on mailing lists do not require any address other than
>the mailing list itself. To take a discussion "offline", I propose a
>few ideas:
>
>1. the mailing list allows the users to specify a phone-number,
>an irc channel and identity that they can be reached by, or some other
>method to contact the author, that is NOT an email address. This info
>is kept private, and the button at the bottom of the archived letters
>could give you this info. The person wanting to privately discuss the
>letter could then call the user or contact them via irc/jabber/whatever,
>and either discuss the matter there and then, or the author could
>voluntarily give the other party his email address at that time. Or
>file a list message, and ask the author to contact him, and give out a
>phone number, whatever.
>
>I thought about integrating spamgourmet throw-away email addresses,
>but really, that wouldn't help. Spammers could simply request, get
>the throw-away, spam it, and toss it. The user himself is the only
>one who can usefully hand out throw-away addresses.
>
>If you think mailman doesn't have to worry about this sort of thing,
>keep in mind that mailman has swiftly become probably the top mailing
>list software on the web. That spammers would not be interested in
>mining mailing lists for their tens of thousands of valid addresses
>is foolhardy thinking. That thinking the options that mailman provides
>now is adequate to keep spammers from harvesting email addrs, is just
>plain wrong. That datamining and de-obfuscation are NOT being done
>specifically for mailman lists is wishful thinking.
>
>Mailman needs to pay attention to the fact that spammers would **love**
>to use their mailing list installations to ship spam for them, AND ALSO
>that spammers will want to harvest email addresses from the web
>interface AND the mailings themselves.
>
>
>We need to lock down mailman, or at least make it an option! Simply put,
>in messages sent to users, the only email that should be found anywhere
>in a received message is the recipient's.
>In the archived messages, absolutely no email addresses at all. Not even
>obfuscated. If we follow this pattern, the spammers will not be able to
>use mailman lists for any useful purpose. They'll have to hack the web
>sites to get the lists.
>
>
>murf
>
>
>--
>Steve Murphy
>Software Developer
>Digium
>


-- 
Bill Christensen
<http://greenbuilder.com/contact/>

Green Building Professionals Directory: <http://directory.greenbuilder.com>
Sustainable Building Calendar: <http://www.greenbuilder.com/calendar/>
Green Real Estate: <http://www.greenbuilder.com/realestate/>
Straw Bale Registry: <http://sbregistry.greenbuilder.com/>
Books/videos/software: <http://bookstore.greenbuilder.com/>
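As an added illustration of the two points made in the quoted message (this is example code written for this page, not Mailman's or pipermail's own code): first, that the " at " obfuscation and the hidden user/host fields of the "Reply via email" form are trivially reversible by a harvester that never submits anything; second, what a scrub that leaves nothing but the list's and the recipient's addresses in an outgoing copy looks like. The archive page and the raw message below are constructed samples with fictional addresses; the function names, the placeholder text and the choice to leave Message-ID untouched are this example's own assumptions.

```python
import re
import email
from email import policy
from email.utils import parseaddr

PLACEHOLDER = "[EMAIL PROTECTED]"

# A plain address and the "user at host" form pipermail writes.  Both
# character classes are deliberately loose: a harvester collects too much
# and cleans up later, so what helps is a stricter scrub, not a cleverer
# obfuscation.
PLAIN_RE = re.compile(r"\b([A-Za-z0-9._%+-]+)@([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)\b")
AT_RE = re.compile(r"\b([A-Za-z0-9._%+-]+) at ([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)\b")
# The "Reply via email" form quoted in the thread: the address is split over
# two hidden INPUT fields and can be read without ever submitting the form.
FORM_RE = re.compile(r"<FORM\b.*?</FORM>", re.I | re.S)
FIELD_RE = re.compile(r'<INPUT[^>]*\bNAME="(user|host)"[^>]*\bVALUE="([^"]*)"', re.I)


def find_addresses(text):
    """Every address a harvester can reconstruct from archive HTML or mail text."""
    found = {f"{u}@{h}" for u, h in PLAIN_RE.findall(text)}
    found |= {f"{u}@{h}" for u, h in AT_RE.findall(text)}
    for form in FORM_RE.findall(text):
        fields = {k.lower(): v for k, v in FIELD_RE.findall(form)}
        if "user" in fields and "host" in fields:
            found.add(f"{fields['user']}@{fields['host']}")
    return sorted(found)


def scrub_text(text):
    """Replace plain and " at " addresses with the placeholder (body, quote
    headers and signatures alike)."""
    return PLAIN_RE.sub(PLACEHOLDER, AT_RE.sub(PLACEHOLDER, text))


def scrub_message(raw, list_address, recipient):
    """Rewrite one outgoing list copy so the only mailboxes left are the
    list's and this recipient's.  The author's display name survives;
    Reply-To points at the list, so "reply to author" goes via the list."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, _ = parseaddr(msg.get("From", ""))
    for header in ("From", "Reply-To", "Cc", "Sender", "To"):
        del msg[header]
    msg["From"] = f"{name or 'list member'} via list <{list_address}>"
    msg["Reply-To"] = list_address
    msg["To"] = recipient
    # Message-ID / References / In-Reply-To are left alone so threading keeps
    # working: they are not mailboxes, but they are address-shaped, so they
    # remain the one such token a regex harvester still sees (assumption).
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            part.set_content(scrub_text(part.get_content()))
    return msg


# Constructed sample of a pipermail-style single-message page: the visible
# text shows only the placeholder, yet the author's address is recoverable
# from the hidden form, and the quoted lines still carry the " at " form.
ARCHIVE_HTML = """\
<H1>[Example-List] Re: upgrade note</H1>
<B>Barb Example</B> [EMAIL PROTECTED]<BR>
<PRE>On 5/23/08, Carl &lt;carl at host.example&gt; wrote:
&gt; forwarded from ops at lists.example.org
</PRE>
<FORM METHOD="POST" ACTION="/cgi-bin/Nomailto.pl">
<INPUT TYPE="HIDDEN" NAME="user" VALUE="barb">
<INPUT TYPE="HIDDEN" NAME="host" VALUE="poster.example">
Reply via email to<br>
<INPUT TYPE="SUBMIT" VALUE=" Barb [EMAIL PROTECTED] ">
</FORM>
"""

# Constructed sample of one message as a list relays it today: author in
# From, another member in Cc, addresses in the quote header and the sig.
RAW_LIST_MAIL = """\
From: Carl Poster <carl@host.example>
To: example-list@lists.example.org
Cc: Barb Example <barb@poster.example>
Reply-To: carl@host.example
Subject: Re: [Example-List] upgrade note
Message-ID: <20080523.1@host.example>
Content-Type: text/plain; charset="utf-8"

On 5/23/08, Barb <barb@poster.example> wrote:
> ask ops at lists.example.org first
Agreed.
--
Carl, carl@host.example
"""

if __name__ == "__main__":
    print("harvested from archive page:", find_addresses(ARCHIVE_HTML))
    print("harvested from relayed copy:", find_addresses(RAW_LIST_MAIL))
    clean = scrub_message(RAW_LIST_MAIL, "example-list@lists.example.org",
                          "sub@member.example").as_string()
    print("left after scrub:", find_addresses(clean))
```

Run stand-alone, the harvester pulls three distinct addresses out of the archive sample by three different routes (the hidden form, an " at " quote header, an " at " body line) and all five out of the relayed copy; after the scrub only the list address, the recipient and the Message-ID token remain. Note the trade-off in AT_RE: it will also turn prose like "meet at example.com" into a placeholder, which is the safe direction for a scrub and merely noise for a harvester.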

