First, sorry to continue this on the [PIC] tag, but everyone needs to see it.

WHAT: Based on this discussion and the growing number of public "feeds" of the PICList with NO or little security I am going to stop requiring registration for viewing of the PICList.com archive of the PICList.

HUH? In case you are confused: This eMail list (piclist@mit.edu) is hosted by MIT and I and several others are list owners. PICList.com is a wiki-type web site I host that is meant to be a FAQ and archive for the email list. And may need to be a backup of the email list if MIT ever drops us. forbid.

WHY: I was aghast at how easy it is to rip some of these public "feeds" to get email addresses and more. For a spammer harvesting target emails, it is instant gratification. No need to subscribe and wait for emails, just rip them _right now_! We can go about and kill the feeds (e.g. we killed the blogger feed due to error messages it sent to members when they posted) but if we kill the "public" feeds, then the public has no way to read the PICList except via the "private" feeds.

One argument for the public archives is that they do not require email registration to view as the PICList.com archive does. Some people object, violently in some cases, to giving out their email address in order to see other people's email addresses. Hummm... I wonder why? Anyway, even people who have no known affiliation to spammers and are respected members in good standing of our little community have objected to the registration. And some have opened up feeds to public archives apparently in response to that.

If we go and kill the public feeds, the objection will be (has been) that the PICList.com archive is private.
In my mind, that is the freaking point, but if people are going to open these public feeds, which do little or NOTHING to protect your email address, in response to the main archive being private, then it may be for the best to make the main archive public and just make sure it mungs the heck out of the emails, looks for site rippers and spiders, and tries, best it can, to stop your email address from getting into the hands of a spammer.

HISTORY: The primary reason why I required registration to access the archive in the past is that the email address of the person who registered to access the archive was encoded into a batch of fake email addresses that are fed back to whatever spider software they use in hidden "mailto" links. For example, if "scumbag@hotmail.com" registers and gains access to the archive, then spiders the pages to collect your address, he will also collect an address like "98ujq234kf8u@piclist.com" which has a number encoded in it which I can cross to "scumbag@hotmail.com" if I ever receive an email addressed to "98ujq234kf8u@piclist.com" and then I can report to "abuse@hotmail.com" not only that the email was spam, and (from its headers) who sent it, but also who mined the email address. Totally brilliant if I do say so myself.

However... In practice it is useless... abuse@hotmail.com doesn't understand or care that their email account was used to /harvest/ email addresses for a spammer, they only care if their email account was used to /send/ spam. If that. And receiving and processing emails from a bogus account is a pain on my server for technical reasons.

SUMMARY: So, I'm going to drop the private status and allow anyone to view the archive. Before I do that, I'm going to review the munging of email addresses, both the person who posts and any email addresses found in the body of the post, just to make sure it is pretty darn "mungerific." Spell check will have fun with that one.
Right now an email like jamesnewton@piclist.com will get munged randomly to something like

  _SpamBeGone_jamesnewtonSPAM@Kill@SPAMpiclist.com_SpamBeGone_

or

  TakeThisOuTjamesnewtonSTOPSPAM@RemoveMEpiclist.comSPAM_OUT

or

  TakeThisOuTjamesnewton@spam@@piclist.com

all of which can be deciphered by a human with a little care and half a brain. But emails in the body are not munged and so I will add that next.

All the spider traps, rip stop, fake email feeds, etc. will remain. One of the fake emails will feed the harvester's IP address back to them and so on.

POSTSCRIPT: Are you still reading? Wow... Nothing personal, but like... You need to get a life. Ok?

---
James Newton: PICList webmaster/Admin
mailto:jamesnewton@piclist.com 1-619-652-0593 phone
http://www.piclist.com/member/JMN-EFP-786
PIC/PICList FAQ: http://www.piclist.com

> -----Original Message-----
> From: piclist-bounces@mit.edu [mailto:piclist-bounces@mit.edu] On Behalf Of Gerhard Fiedler
> Sent: 2005 Aug 28, Sun 06:57
> To: Microcontroller discussion list - Public.
> Subject: Re: [PIC] substandard archiver subscribed to the list
>
> Peter wrote:
>
> > Again, read the FAQ. Whoever subscribed the piclist had the option to
> > request encrypted emails but did not.
> >
> >> Try that with the piclist.com archive.... Go on. Try it! Tell me what
> >> you find. If you do manage to rip some emails, let me know in private
> >> so I can patch the hole? But I don't think you will get many, I've
> >> done a lot to secure it. Of course, all the work I did to secure it
> >> is pretty much useless when anyone can subscribe to the list and host
> >> an archive with no security.
> >
> > Your fortress has only one wall, with a strong gate in it ? So all
> > that is needed is a walk around it (to another site) ? ;-) Remember
> > when the lion is after you, you do not need to break the world record,
> > you only need to outrun your friends.
>
> I also don't think it makes a lot of sense to keep one archive site
> super-secure. Public email lists are quite similar to news groups in that
> whatever you send there becomes practically public -- including the
> headers. There's not much that can be done about that. Anybody can
> subscribe to the piclist from a free email account and rip emails as long
> as he wants without them being listed in any archive.
>
> I guess the point is: don't use emails you want to keep spam-free in
> public forums (email lists, news groups, web forums etc). Get a separate
> account for these that doesn't hurt you much if/when you have to change it.
>
> Gerhard
> --
> http://www.piclist.com PIC/SX FAQ & list archive
> View/change your membership options at
> http://mailman.mit.edu/mailman/listinfo/piclist
>
--
http://www.piclist.com PIC/SX FAQ & list archive
View/change your membership options at
http://mailman.mit.edu/mailman/listinfo/piclist
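
Added example, not part of the message above and not PICList.com's code: a sketch of the trap-address scheme described under HISTORY (a registrant number hidden in a fake address served in a hidden "mailto" link) together with body munging in one of the forms the message quotes. It goes one step beyond the message by adding a keyed MAC so a guessed or altered address traces to nobody; SECRET, TRAP_DOMAIN, the registrant number and all function names are assumptions.

```python
import base64, hashlib, hmac, re

SECRET = b"constructed-demo-key"  # assumption: secret known only to the archive server
TRAP_DOMAIN = "trap.example"      # placeholder domain that receives trap mail

def _tag(body: bytes) -> bytes:
    return hmac.new(SECRET, body, hashlib.sha256).digest()[:5]

def make_trap_address(registrant_id: int) -> str:
    """Pack a registrant number and a 40-bit MAC into a 16-character local part."""
    body = registrant_id.to_bytes(5, "big")
    return base64.b32encode(body + _tag(body)).decode().lower() + "@" + TRAP_DOMAIN

def trace_trap_address(address: str):
    """Return the registrant number behind a genuine trap address, else None."""
    local, _, domain = address.partition("@")
    if domain.lower() != TRAP_DOMAIN or len(local) != 16:
        return None
    try:
        raw = base64.b32decode(local.upper())
    except ValueError:  # not base32, so not one of ours
        return None
    body, tag = raw[:5], raw[5:]
    if not hmac.compare_digest(tag, _tag(body)):
        return None  # guessed or altered address: blame nobody
    return int.from_bytes(body, "big")

def hidden_trap_link(registrant_id: int) -> str:
    """Invisible mailto link served only on pages this registrant requested."""
    return '<a href="mailto:%s" style="display:none"></a>' % make_trap_address(registrant_id)

EMAIL_RE = re.compile(r"\b([A-Za-z0-9._%+-]+)@([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)\b")

def munge_body(text: str) -> str:
    """Munge addresses found in a post body, using one of the forms quoted above."""
    return EMAIL_RE.sub(r"TakeThisOuT\1STOPSPAM@RemoveME\2SPAM_OUT", text)

if __name__ == "__main__":
    addr = make_trap_address(4711)  # 4711 is a constructed registrant number
    print(addr, "->", trace_trap_address(addr))
    print(munge_body("Mail jamesnewton@piclist.com for details."))
```

The same token can carry any small identifier, for example the requesting IP address packed into an integer, when pages are served without registration.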