obfuscate email addresses (Was: cvs commit: xml-forrest status.xml)

[David Crossley <cr...@indexgeo.com.au>]

Antonio Gallardo wrote:
> >   +        due-to="Eric Burghard" due-to-email="eburghar.AT.free.fr" >
>
> I has concern about using email of people here. Many spammers are
> searching with robots the websites to hunt emails of people. I really
> heates the SPAM - in both presentations ;).
> 
> I suggest to change the address or better not post emails of people at all.
> 
> comments?

Cheche opened an issue to address this: FOR-67. Thanks Antonio
for raising this important topic.

I too strongly support obfuscation of all email addresses. The Forrest
generated "changes" page provides a gold-mine for spammers to harvest.

I would rather that we did not use mailto links at all there. Perhaps
just show the email address as plain text and scrambled, but preferably
drop it altogether.

The cvs commit log emails also cause a problem, because they show the
"due-to-email" attribute as Antonio has shown above. So they can be
harvested from the various email archives, e.g. MARC.

Similarly the whole status.xml file can be extracted via the ViewCVS
URLs and processed by spambots.

I propose that we just completely drop the "due-to-email" attribute
from our "status.xml" and obfuscate any other email address.

Another related issue is when people reply to the cvs commit log emails.
Some people forget to clean up the reply to remove email addresses and
other cruft.

--David

Re: obfuscate email addresses

[David Crossley <cr...@indexgeo.com.au>]

There are some interesting recommendations and techniques described at:
http://www.neilgunton.com/spambot_trap/

--David

David Crossley wrote:
> Antonio Gallardo wrote: 
> > David Crossley dijo:
> > > Another related issue is when people reply to the cvs commit log emails.
> > > Some people forget to clean up the reply to remove email addresses and
> > > other cruft.
> > 
> > Yep. Thanks to point out this! I already saw this, but I forgot to mention
> > about this. I think this is very interesting topic of dicussion around all
> > the cocoon projects.
> > 
> > From my own experience I am sure I started got SPAM because someone
> > spamboted our maillists. I don't use this email address in other way,
> > just in apache related maillists.
> 
> That is a big worry.
> 
> > Is posible to hack a little the maillist manager to ofuscate the
> > body of the messages?
> 
> That would be nice, but probably not scalable. As you can imagine,
> a massive amount of email passes through the Apache servers.
> Anyway, that topic could be raised on some of the general mailing
> lists. Perhaps there is a solution.
> 
> > Are other people in Apache concerned about the SPAM problem?
> 
> I am, and i have often heard it discussed on other Apache lists.
> 
> If you look back through the cocoon-dev archives there was a
> well-received Vote about obfuscation. It has been partially done
> for Cocoon.
> 
> The infrastructure<AT>apache team is actively addressing spam
> to prevent it coming through to the mailing lists and the committer
> accounts. However, that effort is not attempting to deal with the
> source of the problem. That is up to us.
> 
> In fact i believe that it is a duty of Forrest to generate the
> documentation in a way that minimises spam.
> 
> > I think this is a very important topic to raise to the admin of
> > the whole ASF? What you think?
> 
> Definitely.
> 
> After Forrest gets its act together, it would be good to discuss
> some solutions in a wider context.
> 
> --David

Re: obfuscate email addresses (Was: cvs commit: xml-forrest status.xml)

[David Crossley <cr...@indexgeo.com.au>]

Antonio Gallardo wrote: 
> David Crossley dijo:
> > Another related issue is when people reply to the cvs commit log emails.
> > Some people forget to clean up the reply to remove email addresses and
> > other cruft.
> 
> Yep. Thanks to point out this! I already saw this, but I forgot to mention
> about this. I think this is very interesting topic of dicussion around all
> the cocoon projects.
> 
> From my own experience I am sure I started got SPAM because someone
> spamboted our maillists. I don't use this email address in other way,
> just in apache related maillists.

That is a big worry.

> Is posible to hack a little the maillist manager to ofuscate the
> body of the messages?

That would be nice, but probably not scalable. As you can imagine,
a massive amount of email passes through the Apache servers.
Anyway, that topic could be raised on some of the general mailing
lists. Perhaps there is a solution.

> Are other people in Apache concerned about the SPAM problem?

I am, and i have often heard it discussed on other Apache lists.

If you look back through the cocoon-dev archives there was a
well-received Vote about obfuscation. It has been partially done
for Cocoon.

The infrastructure<AT>apache team is actively addressing spam
to prevent it coming through to the mailing lists and the committer
accounts. However, that effort is not attempting to deal with the
source of the problem. That is up to us.

In fact i believe that it is a duty of Forrest to generate the
documentation in a way that minimises spam.

> I think this is a very important topic to raise to the admin of
> the whole ASF? What you think?

Definitely.

After Forrest gets its act together, it would be good to discuss
some solutions in a wider context.

--David