[Snort-users] OT - Spam

JP Vossen vossenjp at ...8683...
Thu Apr 24 21:37:01 EDT 2003

> Date: Thu, 24 Apr 2003 19:29:39 -0400
> To: <bmcdowell at ...7861...>, <snort-users at lists.sourceforge.net>
> From: Matt Kettler <mkettler at ...4108...>
> Subject: Re: [Snort-users] OT - Spam

> At 05:46 PM 4/24/2003 -0500, bmcdowell at ...7861... wrote:

> >I've noticed that by doing a google search for my own e-mail address, it
> >only appears on web-archives of these two mailing lists.  Could you
> >respective Admins please take steps to obfuscate the actual e-mail
> >addresses before posting them to the web?  As I understand it, 'bare'
> >e-mail addresses on web pages are big targets for spammers.

> >I enjoy participating in these lists, however I have noticed that my
> >inbound spam has tripled since I joined them.
> >If it can't be fixed, I can respect that.  But if it can, you'd probably be
> >doing your user-base a huge favor.

I second those!

> As a subtle counter point, that might reduce the problem, but will hardly
> cure it. After all, it only takes _one_ spam-database-builder subscribed to
> _one_ mailing list you use to pick up your address.. from there it will
> likely be copied into dozens of them.

Actually, that turns out not to be the case according to [0]:
	"3. E-mail addresses harvested from the public Web appear to have a
relatively short 'shelf life.'"

> I suspect at least one spam database miner has gotten the idea of
> subscribing to all the sourceforge.net mailing lists they can find to mine
> them for addresses.

That's an interesting (and unpleasant) thought that is not really covered in

> So you've increased the lag time before some spam database gets your
> address, but you've not really stopped it from happening. If you really
> don't want your address picked up by spammers, never use it to post to any
> publicly accessible mailing list, newsgroup, or web forum. As a general
> rule if there's ANY way to collect addresses out of some system, there's
> going to be at least one spammer desperate enough to do it.

That won't even work 100%... (See #8 below) :-(

> That said, it would be a good thing for any mailing-list to usenet mirrors
> to obfuscate addresses. Any small bit never hurts, but it's hardly a huge
> favor.

I will briefly note the conclusions from [0] and encourage you to read the
full report, as some of it is counter-intuitive.

1.	E-mail addresses harvested from the public Web are frequently used by
spammers. By an overwhelming margin, the greatest amount of spam we received
was to addresses posted on the public Web.

2.	The amount of spam received by an address posted on the public Web is
directly related to the amount of traffic that Web site receives.

3.	E-mail addresses harvested from the public Web appear to have a
relatively short "shelf life."

4.	Addresses posted in the headers of USENET messages can receive
significant spam, though less than a posting on the public Web.

5.	Obscuring an e-mail address is an effective way to avoid spam from
harvesters on the Web or on USENET newsgroups.

6.	Sites that publish their policies and make choice available to users
generally respected those policies.

7.	Domain name registration does not seem to be a major source of spam.

8.	Even when an e-mail address has not been posted or shared in any way,
it is still possible to receive spam through various "attacks" on a mail


[0] http://www.cdt.org/speech/spam/030319spamreport.shtml

Also interesting: http://www.paulgraham.com/spam.html

JP Vossen, CISSP              |:::======|                jp at ...8684...
My Account, My Opinions       |=========|       http://www.jpsdomain.org/
"The software said it requires Windows 98 or better, so I installed
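
An added example (not part of the original post, and not the list archive's own code): a minimal Python filter that masks addresses in message text before it is published to a web archive, in the `user at ...NNNN...` style visible in this archive's headers. The per-domain numbering, the `keep_domains` allow-list, the class name and the sample message are assumptions made for illustration.

```python
import re

# Constructed sample message; all addresses use reserved example domains.
SAMPLE = (
    "From: Alice <alice@corp.example.com>\n"
    "To: <devel@lists.example.org>\n"
    "Cc: bob@Corp.Example.com\n"
    "\n"
    "Reply to alice@corp.example.com or carol@example.net.\n"
)

# local-part @ dotted domain; a trailing sentence period is not consumed.
ADDR_RE = re.compile(r"([A-Za-z0-9._%+-]+)@([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)")


class ArchiveObfuscator:
    """Mask addresses before a message is written to a public web archive."""

    def __init__(self, keep_domains=(), first_id=1000):
        # Domains left readable, e.g. the list's own posting address (assumption).
        self.keep = {d.lower() for d in keep_domains}
        self._ids = {}          # domain -> opaque id; must stay server-side
        self._next = first_id

    def _mask(self, domain):
        key = domain.lower()    # domains are case-insensitive
        if key not in self._ids:
            self._ids[key] = self._next
            self._next += 1
        return f"...{self._ids[key]}..."

    def obfuscate(self, text):
        def repl(m):
            local, domain = m.group(1), m.group(2)
            if domain.lower() in self.keep:
                return f"{local} at {domain}"
            return f"{local} at {self._mask(domain)}"
        return ADDR_RE.sub(repl, text)


if __name__ == "__main__":
    print(ArchiveObfuscator(keep_domains={"lists.example.org"}).obfuscate(SAMPLE))
```

Because the domain-to-id map never appears on the published page, the masked form cannot be turned back into a deliverable address by pattern matching, unlike plain " at " or " dot " spellings that keep the domain.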

