Re: [Pan-users] Munging?
From: Duncan
Subject: Re: [Pan-users] Munging?
Date: Fri, 29 Jul 2011 03:54:00 +0000 (UTC)
User-agent: Pan/0.135 (Tomorrow I'll Wake Up and Scald Myself with Tea; GIT 9996aa7 branch-master)
Travis posted on Thu, 28 Jul 2011 15:17:28 -0700 as excerpted:
> -----Original Message-----
> From: Steven D'Aprano
> Sent: Thursday, July 28, 2011 12:36 PM
> To: address@hidden
> Subject: Re: [Pan-users] Munging?
>
> Beartooth wrote:
>> My posting profiles all require an email address. Can it a/o should it
>> be a munged one -- say with space-paren-at-paren-space instead of @?
>
> You mean something like this?
>
> fred (@) example.com
>
>
> That's not a valid email address, because the @ sign is commented out.
> (Yes, email addresses can include comments. Many mail clients don't
> allow them, because they are stupid and don't follow the standard, but
> it is legal.)
>
> If you are just making up an address, why not just do something like
> this?
>
> address@hidden
>
>
>
> It would be more appropriate to use
> address@hidden
>
> Someday somewhere somebody might register nowhere.com
I can't actually see what those addresses are, as I'm reading thru gmane,
which munges them (tho it can be noted that the gmane munges are valid as
forwarding addresses if the original address was valid, it just goes thru
the gmane despammer first).
However, what I've long done here for real news (that is, non-gmane/non-
list) is use something like the following (with the @ further munged to
avoid gmane scrambling, but it should be obvious):
news.duncan (at) cox.replytogroup.net.please
1) Add the munging on the domain side of the @ so your ISP (or your own
mail server if you're so lucky) doesn't have to deal with it.
2) Use at least two-word domain munging, alternating valid and invalid
(cox is valid, replytogroup is invalid, net is valid, please is not),
with the intention of making it more difficult for automated spambot
demunging while still making it reasonably easy for real humans.
3) The user side of the @ is valid as-is (news.duncan, not simply duncan,
not simply news), so if a spambot /does/ successfully demunge the domain
side, if they try the same technique on the user side, they'll be a minor
headache for the mail server (unavoidable once the domain munging is
cracked) but it still won't get me.
4) Make the tld (top-level-domain, like .com, here, .please) invalid, so
anything that tries to use the address as-is isn't going to put any more
load on the system than necessary (the first TLD dns returns invalid,
operation goes no further), trying to validate dns.
That's it for the address munging. However, there's two (or three,
depending on how they're counted) additional components to my scheme, as
well.
5) In my mail client, have a keywording filter. For any mail that comes
in to that address, the filter looks for " -news" at the END of the
subject line. (No-quotes, space, dash, news, END) So a properly
keyword-added subject line for replying directly to me for this thread
(were it on a newsgroup where I use the munged address, not a list where
I use my list address) would be:
Re: Munging? -news
Anything coming in at that address without that " -news" at the end of
the subject line gets trashed (as do all HTML messages coming in there).
6) Completing (almost) the setup, I make use of pan's custom-header
capacities, adding these instructions as custom headers. Note that the
x- is specified in the RFCs as a prefix to be assigned to custom headers,
to be sure they don't conflict with any non-custom headers:
x-munging1: Usenet replies preferred, If replying by mail,
x-munging2: do ALL the following to avoid the spam traps:
x-munging3: 1) Use plain text. HTML format auto-trashed.
x-munging4: 2) Kill address reply2group and please phrases.
x-munging5: 3) Put " -news" at the END of the subject
x-munging6: (no quotes, space, dash, news, END)
7) Finally, replacing the first line of my list sig as used below,
I have this:
Duncan - Newsgroup replies preferred. See x-munging headers for mail.
That:
a) makes the point that I prefer news replies.
b) "gently" encourages them by forcing people to look at the headers and
jump thru some hoops to actually get a valid email address, and then to
add the keyword so I actually see the message.
c) makes it known that replying via email is still possible when
necessary, referring people to the instructions in the headers.
d) rather more strongly "encourages" people who aren't intelligent enough
or simply don't care enough to follow instructions and who would thus
unnecessarily "reply to all" or "reply to sender" instead of to the
newsgroup, to instead "reply to group". If they can't even care enough
to notice that, the message couldn't have been that important anyway and
would be a milder form of spam anyway, simply wasting my time, so if it
doesn't get to me, oh, well...
Taken as a whole, this scheme has been *VERY* successful for me over the
years. Despite my posting a demungable address quite visibly to various
newsgroups over the years, the number of spam hits on the news.duncan
address remains very low, and could well be due to spambot address
randomization. And the keywording has been 100% effective in killing
them. No spammer is likely to tailor message subjects specific enough to
get around it, and if one ever does, it's simple enough to change the
keywording rules and relevant header lines while retaining the rest of
the system as-is.
Meanwhile, I *HAVE* gotten a number of legitimate messages on that
address from people over the years, where they cared enough to do the
keywording as well. Further, the keywording has to be done only once per
subject/thread. Once done for the first message, all replies
automatically keep the same keywording so if the initial message ends up
in an ongoing exchange, it "just works".
If I trust the other end enough, I eventually give them one of my other
addresses as a contact so they don't have to worry about the keyword
filter on the news address for future messages.
A 100% correct identification rate, no-false-positives, no-false-
negatives, is considered impossible for the general case. (If it were
ever possible at all, the spammers would soon get ahold of it and it
would again be impossible.) However, this application is specialized
enough that I seem to have accomplished it. Of course I can't know what
messages never got to me as a result, but by definition, those were
milder forms of spam anyway, and thus a waste of time, because the other
end obviously didn't care enough about it to do it right (or was too dumb
to know how to access the custom headers), so why should I care about it
either? In any case, if they considered the message /that/ important and
they saw no response, they /could/ reply via newsgroup, if even with a
simple, "Hey, Duncan, I can't figure out your email thing, can you
contact me directly at this address? <their address>" That way, they get
to put their unmungable address out there in whatever munged form they
choose, and I can respond to them.
By similar token, anyone who DOES care enough to jump thru the hoops gets
rather higher priority treatment, generally at least /some/ reply, which
they might not otherwise, because I know the effort it took to contact me
directly on that address in the first place, and thus, that they consider
the message of at least enough importance to do so, regardless of whether
I'd ordinarily consider it so or not. (In practice, however, I don't
believe I've ever received a message that got thru those hoops that I
didn't consider important on its face, so the fact that they consider it
important enough to jump thru them only increases the priority for me.
Of course, someone could be contrarian just to prove me wrong and break
that 100% record, but again, it should be simple enough to block them if
that ever happens. That it's so effective on the automated stuff already
makes everything else easier to handle, even if someone starts
deliberately targeting it.)
Meanwhile, another alternative exists as well, particularly for you
Beartooth, as I know you already use gmane. As I mentioned, their munged
addresses remain valid -- it just goes thru their spam filters and gets
forwarded to the unmunged address you used. As such, you could simply
use the gmane munged version of your real address on non-gmane and gmane-
but-unmunged groups/servers as well, and let gmane handle the spam
filtering, forwarding, etc.
Finally, it's worth noting that by virtue of the fact that gmane verifies
addresses the first time they're used in posting to a gmane group/list,
you cannot use a (non-gmane) munged address on gmane. So don't even try
that, as the verification mail will go to the munged address and never
get to you, so no message you post to gmane using such an address will
ever make it. (Well, unless the address as-munged is valid as well,
similar to the way gmane's munging works.)
--
Duncan - List replies preferred. No HTML msgs.
"Every nonfree program has a lord, a master --
and if you use the program, he is your master." Richard Stallman
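
The munging pattern (points 1 to 4) and the subject-keyword filter (point 5) described in the message above, sketched as an added example that is not part of the original post or of Pan. The names `munge`, `classify` and `sample`, the address `news.user@isp.example` and the sample messages are constructed for illustration, and the filter assumes it only sees mail already delivered to the news address.

```python
from email import message_from_string
from email.policy import default

KEYWORD = " -news"                     # must be the END of the subject line
DECOYS = ("replytogroup", "please")    # invalid labels, as used in the post

def munge(address, decoys=DECOYS):
    """Interleave decoy labels on the domain side; the user side stays valid."""
    user, domain = address.rsplit("@", 1)
    mixed = []
    for i, label in enumerate(domain.split(".")):
        # valid, invalid, valid, invalid ... so the final label (the TLD
        # position) is always a decoy and never resolves in DNS
        mixed += [label, decoys[i % len(decoys)]]
    return f"{user} (at) {'.'.join(mixed)}"

def classify(raw):
    """Return 'keep' or 'trash' for one raw message sent to the news address."""
    msg = message_from_string(raw, policy=default)
    # Any HTML part, top-level or nested in a multipart, trashes the message.
    if any(part.get_content_type() == "text/html" for part in msg.walk()):
        return "trash"
    subject = str(msg["subject"] or "")   # a missing Subject counts as empty
    return "keep" if subject.endswith(KEYWORD) else "trash"

def sample(subject, ctype="text/plain"):
    """Build a constructed test message (hypothetical addresses)."""
    return (f"From: someone@example.org\nTo: news.user@isp.example\n"
            f"Subject: {subject}\nContent-Type: {ctype}\n\nbody\n")

if __name__ == "__main__":
    print(munge("news.user@isp.example"))
    for subject, ctype in [
        ("Re: Munging? -news", "text/plain"),        # keyword at the end
        ("Re: Munging?", "text/plain"),              # no keyword
        ("Re: Munging? -news (urgent)", "text/plain"),  # keyword not at the end
        ("Re: Munging? -news", "text/html"),         # keyword, but HTML
    ]:
        print(f"{classify(sample(subject, ctype)):5}  {ctype:10}  {subject!r}")
```
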